topic Re: VPN Site to Site configuration between two PAs in General Topics

VPN Site to Site configuration between two PAs

smshafek — Fri, 29 Apr 2022 12:33:58 GMT

Hi,

I've been trying to get clients on the end of two different Palo Altos to be able to ping each other. Everything is green but the IPsec Tunnel doesnt seem to be working. Using tracert, traffic from a client first hops to the LAN Port and then to the opposite end of the tunnel and stops there. I've already created policies that allows traffic from LAN to VPN and vice versa.

Full 'Picture'
PA 1
Client : 10.10.254.100
LAN : 10.10.254.1
Tunnel IP : 192.168.4.254

PA 2
Client : 10.10.253.100
LAN : 10.10.253.1
Tunnel IP : 172.20.3.253

On tracert from client (10.10.254.100) on PA 1's side :
10.10.254.1 -> 172.20.3.253

Any suggestions?

Thanks!

Re: VPN Site to Site configuration between two PAs

TomYoung — Fri, 29 Apr 2022 21:13:21 GMT

Hi @smshafek ,

When you say, "Everything is green" I assume that you mean the Status > Tunnel Info and Status > IKE Info are both green under Network > IPSec Tunnels. Good! Here are a couple of critical places to look:

Click on Status > Tunnel Info and verify there are PKT ENCAP and PKT DECAP counters. If there are no encaps, then the problem is on the local NGFW. If there are no decaps, then the problem is on the remote NGFW.
On the problem NGFW, look at Monitor > Logs > Traffic and verify sessions are being allowed to the proper zone. There could be a LOT of different reasons why this is failing. You will have to take it from here.

Thanks,

Tom

Re: VPN Site to Site configuration between two PAs

OtakarKlier — Fri, 29 Apr 2022 21:34:07 GMT

Hello,

Also check to make sure you have security policies to allow ping. If you are attempting to ping interfaces on the PAN's, you'll need to enable that as well in the interface management.

Regards,

Re: VPN Site to Site configuration between two PAs

aleksandar.astardzhiev — Sat, 30 Apr 2022 18:10:03 GMT

Hi @smshafek ,

- If traceroute suggest traffic reaches the remote side of the tunnel do you see traffic logs on the PA 2? More importantly does bytes received counter different than zero - this should confirm if traffic is indeed reaching the other side of the tunnel and if return traffic is hitting PA2.

- As @TomYoung suggest, check if packet encrypted and packets decrypted counters are increasing on both sides of the tunnel.

- Is there any NAT for the traffic over the tunnel? Have you check if unintentional NAT is not being applied?

- For very long time detailed traffic log of PAN firewalls were completely enough for me to identify most network issue, but recently I had some bizarre cases and I developed new habit - use global counters with packet filter applied for the specific traffic - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS If you have control over both firewall definitely do that on both sides.

Having results from above should give you some direction where to look next.