topic Re: IPSEC s2s VPN between VM-50 and PA-3220 in General Topics

IPSEC s2s VPN between VM-50 and PA-3220

popeja — Fri, 06 May 2022 15:29:23 GMT

We've done plenty of s2s IPSEC VPN tunnels between our DC firewalls and branch offices. I have a new branch office which we are configuring the same way as the others, yet the IPSEC VPN is not operating as expected. The tunnel is showing as up and the IKE Phase 1 & 2 are successful. However, on both firewalls, when I go into Tunnel Info all I'm showing is packets & bytes being encapsulated with the number incrementing but the decap column stays at 0.

Has anyone experienced this issue and what have you done to resolve? I've confirmed my configuration looks good, I've rebooted the ESXi host, and rebooted the firewall.

Re: IPSEC s2s VPN between VM-50 and PA-3220

rdonohoe23 — Fri, 06 May 2022 15:34:45 GMT

Hi Mate,

you would need to check the filtered global counters.. Good article on same below

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUyCAK

MTU, replay attack issue or possible environmental issue with the esxi host or networking i suspect.

regards

Rob

Re: IPSEC s2s VPN between VM-50 and PA-3220

popeja — Fri, 06 May 2022 16:06:28 GMT

Thanks for that article. I did forget to mention that I tried enabled replay protection on both ends and also disabling replay protection on both ends with no success and still getting the flow_tunnel_decap_err.

I have a case open with TAC on this and will probably wait for them to decrypt the IKE & ESP traffic.

Re: IPSEC s2s VPN between VM-50 and PA-3220

popeja — Fri, 06 May 2022 16:08:48 GMT

To add more info:

Outside interface is receiving DHCP from a CradlePoint on a Verizon cellular connection
ESXi version is 6.7
PAN OS version is 10.1.4