https://live.paloaltonetworks.com/t5/general-topics/palo-alto-troubleshooting-tool-for-ipsec/m-p/453984#M101410 <P>Hello,</P> <P>To check routing click the Networking tab at the top -&gt;Virtual routers -&gt; More Runtime Stats</P> <P>Then look for a subnet that is on the Cisco side of the tunnel, then make sure it points to the tunnel.&nbsp;</P> <P>&nbsp;</P> <P>Regards,</P> Fri, 17 Dec 2021 16:55:36 GMT OtakarKlier 2021-12-17T16:55:36Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-troubleshooting-tool-for-ipsec/m-p/453573#M101370 <P>Hello</P><P>&nbsp;</P><P>I established an Ipsec tunnel (policy based) between palo Alto and Cisco FW.</P><P>phase 1 &amp; phase 2 are up and running but trying to transfer data, fail.</P><P>Capture packet (merge recieved and transmit) shown</P><P>Source : SYN</P><P>Dest : SYN ACK</P><P>And then Dest :&nbsp; retransmit SYN ACK.</P><P>&nbsp;</P><P>If this capture is within transmit pcap, this mean the re transmission packet have been forwarded&nbsp; into the IPSEC Tunnel (egress interface) ?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="transmit.png" style="width: 970px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/38177i8F1091BC49D214CA/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="transmit.png" alt="transmit.png" /></span></P><P>&nbsp;</P><P>Previoulsy, I was working with Checkpoint and able to use command line FW MONITOR to know if my packet was forward/encrypted to the tunnel. (this mean problem is located on FW itself or after the FW.</P><P>Is it a tool that permitting to know if this SYN ACK packet is forwarded into Interface tunnel or not ?</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 16 Dec 2021 08:34:34 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-troubleshooting-tool-for-ipsec/m-p/453573#M101370 didier.bonato 2021-12-16T08:34:34Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-troubleshooting-tool-for-ipsec/m-p/453788#M101390 <P>Hello,</P> <P>Check the traffic logs to see why the traffic is getting blocked. Before this make sure you enable logging on your security policies. This should tell you where and why the traffic is getting blocked.</P> <P>Security policy basics:</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWZCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWZCA0</A></P> <P>Could also be routing, make sure you put the destination subnet into your virtual router and point the destination at the tunnel.</P> <P>&nbsp;</P> <P>Hope this helps.</P> <P>&nbsp;</P> Thu, 16 Dec 2021 22:29:02 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-troubleshooting-tool-for-ipsec/m-p/453788#M101390 OtakarKlier 2021-12-16T22:29:02Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-troubleshooting-tool-for-ipsec/m-p/453886#M101396 <P>Thanks for your reply,</P><P>&nbsp;</P><P>Anyway, I don't have traffic blocked in logs (allowed but aged out), and the tcp handshake start with SYN and ACK, this mean not blocked.</P><P>I was suspecting routing issue, that's why (even the route is set as static route) I would like to know how to be sure, this ACK reply has been properly "pushed" to my tunnel interface?</P><P>&nbsp;</P><P>Regards</P> Fri, 17 Dec 2021 07:36:15 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-troubleshooting-tool-for-ipsec/m-p/453886#M101396 didier.bonato 2021-12-17T07:36:15Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-troubleshooting-tool-for-ipsec/m-p/453984#M101410 <P>Hello,</P> <P>To check routing click the Networking tab at the top -&gt;Virtual routers -&gt; More Runtime Stats</P> <P>Then look for a subnet that is on the Cisco side of the tunnel, then make sure it points to the tunnel.&nbsp;</P> <P>&nbsp;</P> <P>Regards,</P> Fri, 17 Dec 2021 16:55:36 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-troubleshooting-tool-for-ipsec/m-p/453984#M101410 OtakarKlier 2021-12-17T16:55:36Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-troubleshooting-tool-for-ipsec/m-p/454016#M101411 <P>Hello,</P> <P>Also here are some additional articles that have additional information.</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC</A></P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clh5CAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clh5CAC</A></P> <P>&nbsp;</P> <P>Regards,</P> Fri, 17 Dec 2021 19:10:14 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-troubleshooting-tool-for-ipsec/m-p/454016#M101411 OtakarKlier 2021-12-17T19:10:14Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-troubleshooting-tool-for-ipsec/m-p/454137#M101432 <P>I had the same issue with failing Data transfer, however i found this discussion and thanks for your helpful articles links, I manage my issue, waiting more useful discussion about&nbsp;<SPAN>Ipsec tunnel.</SPAN></P> Sat, 18 Dec 2021 20:07:59 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-troubleshooting-tool-for-ipsec/m-p/454137#M101432 KarD5d 2021-12-18T20:07:59Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-troubleshooting-tool-for-ipsec/m-p/454473#M101468 <P>Hello,</P> <P>Glad you found it useful. Always feel free to post any questions.</P> <P>&nbsp;</P> <P>Cheers!</P> Mon, 20 Dec 2021 20:53:26 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-troubleshooting-tool-for-ipsec/m-p/454473#M101468 OtakarKlier 2021-12-20T20:53:26Z