https://live.paloaltonetworks.com/t5/general-topics/issue-with-vxlan-traffic-passing-through-the-firewall/m-p/492707#M104990 <P>Hi Team,&nbsp;</P><P>&nbsp;</P><P>We have an SDWAN box placed behind the firewall and the SD_WAN box need to communicate with the controllers which is located on the internet.</P><P>&nbsp;</P><P>The topology is given below:</P><P>SD_WAN Box&lt;---&gt;F/W LAN interface&lt;---&gt;F/W ISP interface &lt;--&gt; Internet &lt;----&gt;Controllers.</P><P>&nbsp;</P><P>The&nbsp;SD_WAN Box is trying to establish VXLAN connectivity to the Controllers located on the internet.</P><P>&nbsp;</P><P>On the traffic logs and the session browsers we could see the traffic flow b/n the&nbsp;&nbsp;SD_WAN Box and the&nbsp;VXLAN is being allowed by the firewall and the application is being correctly identified as "VXLAN".&nbsp;</P><P>&nbsp;</P><P>We had configured only source NAT on the firewall but we could see on the log that the destination port is being translated to 511 from 4789</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tamilvanan_0-1653585569659.png" style="width: 683px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/41176iD2BE46307E8A53D8/image-dimensions/683x427/is-moderation-mode/true?v=v2" width="683" height="427" role="button" title="tamilvanan_0-1653585569659.png" alt="tamilvanan_0-1653585569659.png" /></span></P><P>&nbsp;</P><P>Why the firewall is translating the destination port even though the DNAT is not configured.&nbsp;</P><P>&nbsp;</P> Thu, 26 May 2022 17:21:26 GMT tamilvanan 2022-05-26T17:21:26Z https://live.paloaltonetworks.com/t5/general-topics/issue-with-vxlan-traffic-passing-through-the-firewall/m-p/492707#M104990 <P>Hi Team,&nbsp;</P><P>&nbsp;</P><P>We have an SDWAN box placed behind the firewall and the SD_WAN box need to communicate with the controllers which is located on the internet.</P><P>&nbsp;</P><P>The topology is given below:</P><P>SD_WAN Box&lt;---&gt;F/W LAN interface&lt;---&gt;F/W ISP interface &lt;--&gt; Internet &lt;----&gt;Controllers.</P><P>&nbsp;</P><P>The&nbsp;SD_WAN Box is trying to establish VXLAN connectivity to the Controllers located on the internet.</P><P>&nbsp;</P><P>On the traffic logs and the session browsers we could see the traffic flow b/n the&nbsp;&nbsp;SD_WAN Box and the&nbsp;VXLAN is being allowed by the firewall and the application is being correctly identified as "VXLAN".&nbsp;</P><P>&nbsp;</P><P>We had configured only source NAT on the firewall but we could see on the log that the destination port is being translated to 511 from 4789</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tamilvanan_0-1653585569659.png" style="width: 683px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/41176iD2BE46307E8A53D8/image-dimensions/683x427/is-moderation-mode/true?v=v2" width="683" height="427" role="button" title="tamilvanan_0-1653585569659.png" alt="tamilvanan_0-1653585569659.png" /></span></P><P>&nbsp;</P><P>Why the firewall is translating the destination port even though the DNAT is not configured.&nbsp;</P><P>&nbsp;</P> Thu, 26 May 2022 17:21:26 GMT https://live.paloaltonetworks.com/t5/general-topics/issue-with-vxlan-traffic-passing-through-the-firewall/m-p/492707#M104990 tamilvanan 2022-05-26T17:21:26Z https://live.paloaltonetworks.com/t5/general-topics/issue-with-vxlan-traffic-passing-through-the-firewall/m-p/492888#M104993 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/165087">@tamilvanan</a>,</P> <P>Have you run a test nat-policy-match against the traffic to verify that it's actually hitting the NAT policy that you expect. IF the firewall is modifying the port, sounds like you're hitting a DIPP entry that you might not be expecting.&nbsp;</P> Thu, 26 May 2022 20:55:59 GMT https://live.paloaltonetworks.com/t5/general-topics/issue-with-vxlan-traffic-passing-through-the-firewall/m-p/492888#M104993 BPry 2022-05-26T20:55:59Z https://live.paloaltonetworks.com/t5/general-topics/issue-with-vxlan-traffic-passing-through-the-firewall/m-p/511678#M106359 <P>What I have found is that the VxLAN Session information (both from the web UI and from the CLI using the "show session ..." output) is incorrect - or at least misleading. The first packet of the session is shown correctly, but all VxLAN packets after the start of the session are assigned to their own session with strange output. I'm not sure, but I think the strange output showed the destination information from *inside* the VxLAN traffic (even with tunnel inspection turned off!). Is it possible that 511 was the destination port inside the VxLAN traffic? A packet capture on the firewall opened in Wireshark shows that the firewall is forwarding traffic correctly.</P> <P>&nbsp;</P> <P>I have a case opened with Technical Support to try to determine if there is a way to interpret the output or if it is simply a bug.</P> Fri, 12 Aug 2022 13:33:41 GMT https://live.paloaltonetworks.com/t5/general-topics/issue-with-vxlan-traffic-passing-through-the-firewall/m-p/511678#M106359 Travis.Tibbs 2022-08-12T13:33:41Z