https://live.paloaltonetworks.com/t5/general-topics/vpn-cannot-work-between-two-pa/m-p/552864#M112454 <P>The routing is pointing to the tunnel interface, that should be fine.</P> <P>Can you provide the output for the below commands from both the firewalls (remember to remove confidential details such as IPs)<BR />&gt;&nbsp;show vpn ike-sa detail gateway &lt;gateway-name&gt;</P> <P>&gt;&nbsp;show vpn ipsec-sa tunnel &lt;tunnel-name&gt;</P> <P>&gt;&nbsp;show vpn flow tunnel-id &lt;tunnel-id-number&gt;</P> <P>&nbsp;</P> <P>Make sure the firewalls are allowing the user traffic.</P> <P>&nbsp;</P> Tue, 08 Aug 2023 03:58:40 GMT akuzhuppilly 2023-08-08T03:58:40Z https://live.paloaltonetworks.com/t5/general-topics/vpn-cannot-work-between-two-pa/m-p/552791#M112445 <P>Hi VPN is configured at two PA based on the below link and the two PA can ping each other, but the vpn cannot work. I tested it with below commands. Anyone can help to fix it? Thank you</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>admin@PA-VM&gt; test vpn ipsec-sa</P> <P>Start time: Aug.07 07:48:19<BR />Initiate 2 IPSec SA.</P> <P>admin@PA-VM&gt;<BR />admin@PA-VM&gt; show vpn ipsec-sa</P> <P>There is no IPSec SA found.</P> <P>admin@PA-VM&gt;<BR />admin@PA-VM&gt; show vpn ike-sa</P> <P>There is no IKEv1 phase-1 SA found.</P> <P>There is no IKEv1 phase-2 SA found.</P> <P><BR />IKEv2 SAs<BR />Gateway ID Peer-Address Gateway Name Role SN Algorithm Established Expiration Xt Child ST<BR />---------- ------------ ------------ ---- -- --------- ----------- ---------- -- ----- --<BR />2 10.2.0.1 IKE-Gateway123 Init 16 PSK/ / / 5 2 INIT sent</P> <P>IKEv2 IPSec Child SAs<BR />Gateway Name TnID Tunnel ID Parent Role SPI(in) SPI(out) MsgID ST<BR />------------ ---- ------ -- ------ ---- ------- -------- ----- --<BR />IKE-Gateway123 2 IPSec-Tunnel123 8 16 Init 00000000 00000000 00000000 GetSPI done<BR />00000000 00000000 00000000 GetSPI done</P> <P>Show IKEv2 SA: Total 1 gateways found. 1 ike sa found.</P> <P>&nbsp;</P> Mon, 07 Aug 2023 14:53:17 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-cannot-work-between-two-pa/m-p/552791#M112445 kevinospf 2023-08-07T14:53:17Z https://live.paloaltonetworks.com/t5/general-topics/vpn-cannot-work-between-two-pa/m-p/552797#M112446 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/306700">@kevinospf</a>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>You can find more details about what is causing the failure in the system logs and the ikemgr logs (less mp-log ikemgr.log).</P> <P>The following KB might be helpful:</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC" target="_new">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC</A></P> Mon, 07 Aug 2023 15:26:58 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-cannot-work-between-two-pa/m-p/552797#M112446 akuzhuppilly 2023-08-07T15:26:58Z https://live.paloaltonetworks.com/t5/general-topics/vpn-cannot-work-between-two-pa/m-p/552810#M112450 <P>Thanks for your reply!&nbsp;</P> <P>IPSect tunnel is up, but users behind PA cannot ping user in other side. I got the below result after entering command "show routing route"</P> <P>The nexthop is "0.0.0.0". I checked virtual router configuration. I did not find something wrong. Is this security issue or routing issue?</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kevinospf_0-1691434685393.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52579iFDB47229AA1461CF/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="kevinospf_0-1691434685393.png" alt="kevinospf_0-1691434685393.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 07 Aug 2023 19:00:31 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-cannot-work-between-two-pa/m-p/552810#M112450 kevinospf 2023-08-07T19:00:31Z https://live.paloaltonetworks.com/t5/general-topics/vpn-cannot-work-between-two-pa/m-p/552864#M112454 <P>The routing is pointing to the tunnel interface, that should be fine.</P> <P>Can you provide the output for the below commands from both the firewalls (remember to remove confidential details such as IPs)<BR />&gt;&nbsp;show vpn ike-sa detail gateway &lt;gateway-name&gt;</P> <P>&gt;&nbsp;show vpn ipsec-sa tunnel &lt;tunnel-name&gt;</P> <P>&gt;&nbsp;show vpn flow tunnel-id &lt;tunnel-id-number&gt;</P> <P>&nbsp;</P> <P>Make sure the firewalls are allowing the user traffic.</P> <P>&nbsp;</P> Tue, 08 Aug 2023 03:58:40 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-cannot-work-between-two-pa/m-p/552864#M112454 akuzhuppilly 2023-08-08T03:58:40Z https://live.paloaltonetworks.com/t5/general-topics/vpn-cannot-work-between-two-pa/m-p/552949#M112470 <P>the issue is resolved due to your question. Thanks for your questions</P> Tue, 08 Aug 2023 14:14:18 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-cannot-work-between-two-pa/m-p/552949#M112470 kevinospf 2023-08-08T14:14:18Z