https://live.paloaltonetworks.com/t5/general-topics/pa1420-ike-packet-disappear-between-receive-ingress-and-firewall/m-p/1249365#M126083 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/23308">@LJenne</a>&nbsp;,</P> <P>&nbsp;</P> <P data-end="379" data-start="164">Which panos are you running? <BR /><BR />Based on what you shared, it looks like you’ve already covered the right troubleshooting steps (session lookup, dataplane capture stages, verifying ISP connectivity), so you’re definitely looking in the right areas</P> <P data-end="379" data-start="164">.</P> <P data-end="669" data-start="328">Packets showing up in rx but never reaching the fw stage, and not appearing in drop, makes me suspect something may be hiccuping in the dataplane processing stage. Since the issue cleared after rebooting the cluster, that makes me think even more of being state-related vs a config issue.</P> <P data-end="669" data-start="328">&nbsp;</P> <P data-is-only-node="" data-is-last-node="" data-end="1012" data-start="671">In this situation I’d recommend opening a TAC case, especially given the previous UDP drop issue you referenced. If it happens again, collecting a tech support file, dataplane pcaps, global counters, and timestamps while the issue is active will give TAC the best chance of identifying where the packets are being dropped internally.</P> <P data-is-only-node="" data-is-last-node="" data-end="1012" data-start="671">&nbsp;</P> <P data-is-only-node="" data-is-last-node="" data-end="1012" data-start="671">Please keep us updated as your case progresses!&nbsp;</P> Wed, 04 Mar 2026 03:07:54 GMT JayGolf 2026-03-04T03:07:54Z https://live.paloaltonetworks.com/t5/general-topics/pa1420-ike-packet-disappear-between-receive-ingress-and-firewall/m-p/1249126#M126067 <P>Hi,</P> <P>&nbsp;</P> <P>we have an PA-1420 Active/Passive HA-Cluster. Behind that Cluster we also use a Cisco FirePower 1150 as our VPN-Gateway, so IKE traffic (udp-500 and udp-4500) is passing our PA-1420. Our PA-1420 has to ISP connections for failover, both are dedicated interfaces eth1/1 ISP1 (primary) and eth1/2 ISP2 (backup).</P> <P>Our VPN-Tunnels on the Cisco FirePower are configured with failover, so if ISP1 is down, the VPN-Gateways doing failover for their VPN-Tunnels over ISP2.</P> <P>We installed and configured the PA-1420 Cluster about half a year ago. When switching to the new PA-1420 from our old PA-3220 we got issues with our VPN-Tunnels that did not work any more. We figured out that we were running in the "firewall starts to drop UDP packets bug" mentioned here:</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0&amp;" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0&amp;</A></P> <P>Our solution was to reboot both firewalls at the same time. After that the VPN-Tunnel came up and everything worked fine since yesterday.</P> <P>Yesterday suddenly nearly all our VPN-Tunnels lost connection over ISP1 and switched their tunnels to ISP2 (backup). Everything else (internet proxy, client-vpn-connections, public webservers) was still working over ISP1, so there was no ISP issue. The switched VPN-Tunnels over ISP2 were working without any problems.</P> <P><SPAN><SPAN class="richTextArea slds-text-longform tile__title red-txt">We could not see any IKE sessions over ISP1 in our Traffic or unified logs altough we log them on session start.</SPAN></SPAN></P> <P><SPAN><SPAN class="richTextArea slds-text-longform tile__title red-txt">The command "show session all filter source &lt;&lt;public-ip-isp1&gt;&gt; destination &lt;&lt;public-ip-vpn-gateway-partner&gt;&gt; did show an active session between the 2 public ip addresses for the IKE protocol.</SPAN></SPAN></P> <P>We then took some packet captures on the PA-1420 and figured out, that the IKE packets to the public ip address of ISP1 were visible at the packet capture stage "receive".</P> <P>At the stage "firewall" they seem to disappear and never show up. But this time, they were also not visible at the stage "drop" (in contrast to the problem we had half a year ago, were the drops were visible at the "drop stage"). Also this time we did not have any sessions in "discard state" as mentioned in the KB article above.</P> <P>We have tried a few things but only the reboot of the whole firewall-cluster at the same time helped to resolve the problem and got the VPN-Tunnel over ISP1 (eth1/1) back to work.</P> <P>Did anybody else have any similar problems? For us it seemed that the problem only appeared on interface eth1/1 for ISP1.&nbsp;This behaviour did not feel good to us because we did not see any issues in the pcaps except that the packets completely disappeared. We did not do any change to our zone protection settings.</P> <P>&nbsp;</P> <P>Do you recommend to open a case with Palo Alto? Our fear is, that this problem will come back again and rebooting the whole palo alto cluster at office times is a big problem for us.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Lukas</P> Fri, 27 Feb 2026 10:59:08 GMT https://live.paloaltonetworks.com/t5/general-topics/pa1420-ike-packet-disappear-between-receive-ingress-and-firewall/m-p/1249126#M126067 LJenne 2026-02-27T10:59:08Z https://live.paloaltonetworks.com/t5/general-topics/pa1420-ike-packet-disappear-between-receive-ingress-and-firewall/m-p/1249365#M126083 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/23308">@LJenne</a>&nbsp;,</P> <P>&nbsp;</P> <P data-end="379" data-start="164">Which panos are you running? <BR /><BR />Based on what you shared, it looks like you’ve already covered the right troubleshooting steps (session lookup, dataplane capture stages, verifying ISP connectivity), so you’re definitely looking in the right areas</P> <P data-end="379" data-start="164">.</P> <P data-end="669" data-start="328">Packets showing up in rx but never reaching the fw stage, and not appearing in drop, makes me suspect something may be hiccuping in the dataplane processing stage. Since the issue cleared after rebooting the cluster, that makes me think even more of being state-related vs a config issue.</P> <P data-end="669" data-start="328">&nbsp;</P> <P data-is-only-node="" data-is-last-node="" data-end="1012" data-start="671">In this situation I’d recommend opening a TAC case, especially given the previous UDP drop issue you referenced. If it happens again, collecting a tech support file, dataplane pcaps, global counters, and timestamps while the issue is active will give TAC the best chance of identifying where the packets are being dropped internally.</P> <P data-is-only-node="" data-is-last-node="" data-end="1012" data-start="671">&nbsp;</P> <P data-is-only-node="" data-is-last-node="" data-end="1012" data-start="671">Please keep us updated as your case progresses!&nbsp;</P> Wed, 04 Mar 2026 03:07:54 GMT https://live.paloaltonetworks.com/t5/general-topics/pa1420-ike-packet-disappear-between-receive-ingress-and-firewall/m-p/1249365#M126083 JayGolf 2026-03-04T03:07:54Z