topic Re: site to site vpn issue in General Topics

site to site vpn issue

Satish — Wed, 19 Nov 2014 16:33:13 GMT

Hi Friends,

I have PAN-2020 with OS- 6.0.4, one side PAN and other end have juniper tunnel are showing Up but traffic is not passing Not Passing.

Regards

Satish

Re: site to site vpn issue

ssharma — Wed, 19 Nov 2014 16:38:14 GMT

Hi Satish ,

Please check routing on both side. On Palo Alto side routing should say if you want reach remote subnet, exit out using tunnel interface.

This should be taken care on remote side as well. Hope this helps. Thank you.

Re: site to site vpn issue

HULK — Wed, 19 Nov 2014 16:40:16 GMT

Hello Satish,

You may check the IPSec phase-1 and phase-2 status if they are showing UP from CLI as well. You may clear the VPN tunnel once and try to re-negotiate the tunnel again.

>show vpn ipsec-sa tunnel <tunnel name>

> show vpn ike-sa gateway

> clear vpn ike-sa gateway XXXXX >>>>>>>>>>>>>>>>>>>>>>>> clear the ike SA's

Delete IKEv1 IKE SA: Total 1 gateways found.

> clear vpn ipsec-sa tunnel XXXXXX

Delete IKEv1 IPSec SA: Total 1 tunnels found.

> test vpn ike-sa gateway XXXXXX

Initiate IKE SA: Total 1 gateways found. 1 ike sa found.

> test vpn ipsec-sa tunnel XXXXXX

Initiate IPSec SA: Total 1 tunnels found. 1 ipsec sa found.

> show vpn flow ( get the tunnel ID from this command)

>show vpn flow tunnel-id x << where x=id number from above display >>>>>>>>>>>>>>>> This command will show you, whether packets are encap and sending through the tunnel with respective counter.

NOTE:

--- make sure you have static route configure on both firewall to route interesting traffic through VPN tunnel ( as mentioned above by ssharma).

--- You have correct security policy in place , from VPN zone to outgoing zone.

Hope this helps.

Thanks

Re: site to site vpn issue

HULK — Wed, 19 Nov 2014 16:43:49 GMT

2 helpful document for your reference:

--- CLI Commands to Status, Clear, Restore, and Monitor an IPSEC VPN Tunnel

--- How to Troubleshoot VPN Connectivity Issues

Thanks

Re: site to site vpn issue

Satish — Wed, 19 Nov 2014 17:33:43 GMT

Hi Hulk, every thing is look like correct but i am able to find out issue. Regards Satish

Re: site to site vpn issue

ssharma — Wed, 19 Nov 2014 17:46:01 GMT

Hi Satish,

Run a continuous ping from behind the firewall. Check the session on the firewall :

show session all filter source <local ip> destination <peer ip>

You should see ping session, check if the interface are correct. Meaning it should ingress from your ethernet interface and must egress out tunnel interface. If that is correct, then run following :

> show vpn flow tunnel-id <tunnel-id> | match bytes

Run following commands multiple times, and check if the encap and decap packets/bytes are incrementing. Hope this helps. Thank you.

Re: site to site vpn issue

Satish — Wed, 19 Nov 2014 17:48:36 GMT

Hi Dud.., Let me check and get back to you. Regards Satish

Re: site to site vpn issue

ssharma — Wed, 19 Nov 2014 19:09:40 GMT

Hi Satish ,

Can you check Nat Traversal under Network - > IKE Gateway -> Nat Traversal, commit the changes and see if that makes any difference. Thank you.

Re: site to site vpn issue

tasonibare — Wed, 19 Nov 2014 21:44:00 GMT

Hey Satish,

TO add to Samir's comment, if the encaps are incrementing but the decaps remain at 0 in the > show vpn flow tunnel-id <tunnel-id> command, then it might be an issue with the zones associated with actual tunnel traffic.

To understand this better, if the interface configured for IKE Gateway is Ethernet1/1 in the UNTRUST zone but the ESP packets actually travel in and out the firewall through Ethernet1/10 in the WAN zone, then that configuration would not work.

Both interfaces would need to be in the same zone for the tunnel to successfully forward traffic.

See VPN Tunnel Traffic Encapsulation Incrementing but no Decaps for more details on this issue.

Regards,

tasonibare

Re: site to site vpn issue

Satish — Mon, 24 Nov 2014 09:37:30 GMT

Hi Friends

After reviewing the configuration bye Tech Team gentleman (Rafal). he suggested to get rid of the firewall SNATing and DNATing traffic originated or targeted to firewall and put the public IP directly on the loopback interface. This greatly simplifies the configuration and I can be causing IPSEC issues. After we've committed the change both proxy ids came up properly and traffic was passing on both of them. Thanks Refal

Regards

Satish