https://live.paloaltonetworks.com/t5/general-topics/vpn-s2s-pa-and-mikrotik/m-p/41800#M30755 <HTML><HEAD></HEAD><BODY><P>Hello</P><P></P><P>I have new tas - make VPN s2s between PA200 and Mikrotik router.</P><P>PA&nbsp; (PA 200 on 6.1.4) has Advanced phase mode 1 optios set to AUTO and "anable passive mode" not checked</P><P>Mikrotik (751U-2HnD with latest 6.30 router OS) is in aggressive mode.</P><P></P><P>It's quite simple task, few policy rules on PA and on Mikrotik side. Configuration similar to PA&lt;&gt;Cisco.</P><P></P><P>I got strange resoults, everything seems to be OK.usually tunnel is working, hosts on both sides could ping each other, but ...</P><P>sometimes doesn't.</P><P></P><P>example 1:</P><P><IMG __jive_id="20330" alt="2015-07-13_215823.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/20330_2015-07-13_215823.png" style="height: 317px; width: 620px;" /></P><P>I'm able to ping from A side to B, but not from B to A (packed rejected)</P><P></P><P>example 2</P><P>Side A pinging side B, ping from B to A doesnt working UNTIL I stopped ping from A to B</P><P><IMG __jive_id="20331" alt="2015-07-13_215844.png" class="image-1 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/20331_2015-07-13_215844.png" style="height: 315px; width: 620px;" /></P><P>example 3</P><P>Mikrotik shows Installes SAs:</P><P><IMG __jive_id="20332" alt="2015-07-13_215945.png" class="jive-image image-2" src="https://live.paloaltonetworks.com/legacyfs/online/20332_2015-07-13_215945.png" style="height: 119px; width: 620px;" /></P><P></P><P>Is it normal that on PA side Auth is none and Enc Algoritms is none?</P><P></P><P>Has anyone any idea whats going on?</P><P></P><P>At the moment (about 5min later than I created screenshots above) Ping from B to A started working - is it kind of mystery or what?</P><P></P><P>Help me please</P></BODY></HTML> Mon, 13 Jul 2015 20:18:19 GMT _slv_ 2015-07-13T20:18:19Z https://live.paloaltonetworks.com/t5/general-topics/vpn-s2s-pa-and-mikrotik/m-p/41800#M30755 <HTML><HEAD></HEAD><BODY><P>Hello</P><P></P><P>I have new tas - make VPN s2s between PA200 and Mikrotik router.</P><P>PA&nbsp; (PA 200 on 6.1.4) has Advanced phase mode 1 optios set to AUTO and "anable passive mode" not checked</P><P>Mikrotik (751U-2HnD with latest 6.30 router OS) is in aggressive mode.</P><P></P><P>It's quite simple task, few policy rules on PA and on Mikrotik side. Configuration similar to PA&lt;&gt;Cisco.</P><P></P><P>I got strange resoults, everything seems to be OK.usually tunnel is working, hosts on both sides could ping each other, but ...</P><P>sometimes doesn't.</P><P></P><P>example 1:</P><P><IMG __jive_id="20330" alt="2015-07-13_215823.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/20330_2015-07-13_215823.png" style="height: 317px; width: 620px;" /></P><P>I'm able to ping from A side to B, but not from B to A (packed rejected)</P><P></P><P>example 2</P><P>Side A pinging side B, ping from B to A doesnt working UNTIL I stopped ping from A to B</P><P><IMG __jive_id="20331" alt="2015-07-13_215844.png" class="image-1 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/20331_2015-07-13_215844.png" style="height: 315px; width: 620px;" /></P><P>example 3</P><P>Mikrotik shows Installes SAs:</P><P><IMG __jive_id="20332" alt="2015-07-13_215945.png" class="jive-image image-2" src="https://live.paloaltonetworks.com/legacyfs/online/20332_2015-07-13_215945.png" style="height: 119px; width: 620px;" /></P><P></P><P>Is it normal that on PA side Auth is none and Enc Algoritms is none?</P><P></P><P>Has anyone any idea whats going on?</P><P></P><P>At the moment (about 5min later than I created screenshots above) Ping from B to A started working - is it kind of mystery or what?</P><P></P><P>Help me please</P></BODY></HTML> Mon, 13 Jul 2015 20:18:19 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-s2s-pa-and-mikrotik/m-p/41800#M30755 _slv_ 2015-07-13T20:18:19Z https://live.paloaltonetworks.com/t5/general-topics/vpn-s2s-pa-and-mikrotik/m-p/41801#M30756 <HTML><HEAD></HEAD><BODY><P>Hello</P><P>In daily report I got:</P><P>Device SN Virtual System Rule Bytes Sessions</P><P>001606004XXX vsys1 VPN-s2s-local-networks 1021.08 M 129.84 k</P><P>It's mean that security rule that allowing traffic between A and B&nbsp; transfered ~1GB and generates 130000 sessions. Thats pretty much sessions - why?</P><P>I used TotalCommander to upload and download 2,4GB ISO files, so I genereated more than 5GB traffic I think.</P><P></P><P>Second problem, using ping from A to B gateway I got aroung 10-17% loss of ping packet - is it&nbsp; normal?</P><P></P><P></P><P>Regards</P><P>Slawek</P></BODY></HTML> Tue, 14 Jul 2015 06:13:30 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-s2s-pa-and-mikrotik/m-p/41801#M30756 _slv_ 2015-07-14T06:13:30Z