https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43647#M32024 <HTML><HEAD></HEAD><BODY><P>Thanks Hulk, </P><P></P><P>See below for output</P><P></P><P>admin@PA-VM&gt; show vpn flow</P><P></P><P></P><P>total tunnels configured:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2</P><P>filter - type IPSec, state any</P><P></P><P></P><P>total IPSec tunnel configured:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2</P><P>total IPSec tunnel shown:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2</P><P></P><P></P><P>id&nbsp;&nbsp;&nbsp; name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; state&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; monitor&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; local-ip&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; peer-ip&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel-i/f</P><P>-----------------------------------------------------------------------------------------------</P><P>7&nbsp;&nbsp;&nbsp;&nbsp; Citec_IPSEC:networks&nbsp; active&nbsp;&nbsp;&nbsp;&nbsp; off&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.3.2&nbsp;&nbsp;&nbsp;&nbsp; 192.168.3.100&nbsp;&nbsp; tunnel.1</P><P>9&nbsp;&nbsp;&nbsp;&nbsp; Citec_IPSEC:networks2 init&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; off&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.3.2&nbsp;&nbsp;&nbsp;&nbsp; 192.168.3.100&nbsp;&nbsp; tunnel.1</P><P></P><P></P><P>admin@PA-VM&gt;</P><P>admin@PA-VM&gt; show vpn flow tunnel-id 7</P><P></P><P></P><P>tunnel&nbsp; Citec_IPSEC:networks</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; id:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; type:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IPSec</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; gateway id:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; local ip:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.3.2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; peer ip:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.3.100</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; inner interface:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel.1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; outer interface:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ethernet1/2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; state:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; active</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 107</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel mtu:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1428</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; lifetime remain:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3478 sec</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; latest rekey:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 122 seconds ago</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; monitor:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; off</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; monitor packets seen:&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; monitor packets reply:&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; en/decap context:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; local spi:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 9183D0C8</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; remote spi:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; BA222D14</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; key type:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto key</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; protocol:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ESP</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auth algorithm:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SHA1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; enc&nbsp; algorithm:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AES128</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id local ip:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.16.1.0/24</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id remote ip:&nbsp;&nbsp;&nbsp;&nbsp; 172.16.2.0/24</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id protocol:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id local port:&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id remote port:&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; anti replay check:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; yes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; copy tos:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; no</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; authentication errors:&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; decryption errors:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; inner packet warnings:&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; replay packets:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; packets received</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; when lifetime expired:0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; when lifesize expired:0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sending sequence:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; receive sequence:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; encap packets:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; decap packets:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; encap bytes:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; decap bytes:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 544</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; key acquire requests:&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; owner state:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; owner cpuid:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; s1dp0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ownership:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1</P><P></P><P></P><P>admin@PA-VM&gt; show vpn flow tunnel-id 9</P><P></P><P></P><P>tunnel&nbsp; Citec_IPSEC:networks2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; id:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 9</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; type:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IPSec</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; gateway id:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; local ip:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.3.2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; peer ip:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.3.100</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; inner interface:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel.1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; outer interface:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ethernet1/2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; state:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; init</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel mtu:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1448</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; lifetime remain:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; N/A</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; monitor:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; off</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; monitor packets seen:&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; monitor packets reply:&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; en/decap context:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; local spi:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 00000000</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; remote spi:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 00000000</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; key type:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto key</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; protocol:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ESP</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auth algorithm:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NOT ESTABLISHED</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; enc&nbsp; algorithm:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NOT ESTABLISHED</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id local ip:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.16.2.0/24</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id remote ip:&nbsp;&nbsp;&nbsp;&nbsp; 172.16.1.0/24</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id protocol:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id local port:&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id remote port:&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; anti replay check:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; yes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; copy tos:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; no</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; authentication errors:&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; decryption errors:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; inner packet warnings:&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; replay packets:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; packets received</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; when lifetime expired:0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; when lifesize expired:0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sending sequence:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; receive sequence:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; encap packets:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; decap packets:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; encap bytes:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; decap bytes:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; key acquire requests:&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; owner state:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; owner cpuid:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; s1dp0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ownership:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1</P><P></P><P></P><P>admin@PA-VM&gt;</P></BODY></HTML> Wed, 17 Dec 2014 11:38:12 GMT netsupport1 2014-12-17T11:38:12Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43645#M32022 <HTML><HEAD></HEAD><BODY><P>Hi guys,</P><P></P><P>I'm doing a POC for S2S VPN but i cannot get it to work, I'm sure this is a simple thing i have overlooked, a ping from PC2 to PC1, the ping is encapsulated and encrypted ESP on the way over to PC1, but the return traffic is not..... i have the following topology;</P><P><IMG alt="11.png" class="jive-image image-12" src="https://live.paloaltonetworks.com/legacyfs/online/17336_11.png" style="height: auto;" /></P><P></P><P>Now i have set up a site to site VPN from the PA to R2 with the following attributes;</P><P><IMG alt="1.png" class="jive-image image-2" src="https://live.paloaltonetworks.com/legacyfs/online/17326_1.png" style="height: 287px; width: 620px;" /></P><P><IMG alt="2.png" class="jive-image image-3" src="https://live.paloaltonetworks.com/legacyfs/online/17327_2.png" style="height: 333px; width: 620px;" /></P><P><IMG alt="3.png" class="jive-image image-4" src="https://live.paloaltonetworks.com/legacyfs/online/17328_3.png" style="height: auto;" /></P><P><IMG alt="4.png" class="jive-image image-5" src="https://live.paloaltonetworks.com/legacyfs/online/17329_4.png" style="height: auto;" /></P><P><IMG alt="5.png" class="jive-image image-6" src="https://live.paloaltonetworks.com/legacyfs/online/17330_5.png" style="height: 384px; width: 620px;" /></P><P></P><P><IMG alt="6.png" class="jive-image image-7" src="https://live.paloaltonetworks.com/legacyfs/online/17331_6.png" style="height: 361px; width: 620px;" /></P><P>And with a ping from PC2 to PC1, IKE phase 1 and 2 come up.....but the ping fails</P><P><IMG alt="7.png" class="jive-image image-8" src="https://live.paloaltonetworks.com/legacyfs/online/17332_7.png" style="height: 35px; width: 620px;" /></P><P><IMG alt="8.png" class="jive-image image-9" src="https://live.paloaltonetworks.com/legacyfs/online/17333_8.png" style="height: 118px; width: 620px;" /></P><P><IMG alt="10.png" class="jive-image image-11" src="https://live.paloaltonetworks.com/legacyfs/online/17335_10.png" style="height: 142px; width: 620px;" /></P><P></P><P><IMG alt="9.png" class="image-10 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/17334_9.png" style="font-size: 10pt; line-height: 1.5em; height: 188px; width: 620px;" /></P><P><IMG alt="12.png" class="image-13 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/17337_12.png" style="height: 389px; width: 620px;" /></P><P><IMG alt="13.png" class="image-14 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/17338_13.png" style="height: 391px; width: 620px;" /></P><P></P><P>And the capture of the ping....outbound ESP, return traffic ICMP...</P><P></P><P><IMG alt="14.png" class="image-15 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/17339_14.png" style="height: 80px; width: 620px;" /></P><P>Confi on the Cisco router;</P><P></P><P>!</P><P>crypto isakmp policy 1</P><P> encr aes</P><P> authentication pre-share</P><P> group 2</P><P> lifetime 3600</P><P>crypto isakmp key cisco address 192.168.3.2</P><P>!</P><P>!</P><P>crypto ipsec transform-set Myset esp-aes esp-sha-hmac</P><P>!</P><P>crypto map Mymap 1 ipsec-isakmp</P><P> set peer 192.168.3.2</P><P> set transform-set Myset</P><P> match address 100</P><P>!</P><P>!</P><P>!</P><P>interface FastEthernet0/0</P><P> ip address 192.168.3.100 255.255.255.0</P><P> duplex auto</P><P> speed auto</P><P> crypto map Mymap</P><P>!</P><P>!</P><P>access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255</P><P>access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.1.0 0.0.0.255</P><P>!</P><P></P><P>Any ideas guys?</P></BODY></HTML> Wed, 17 Dec 2014 05:19:37 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43645#M32022 netsupport1 2014-12-17T05:19:37Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43646#M32023 <HTML><HEAD></HEAD><BODY><P>Hello netsupport1,</P><P></P><P>Could you please verify the VPN flow to ensure the encapand decappackets on this firewall. If only encap counter is increasing, but not the decap.Then you might need to check the other end of the VPN tunnel.</P><P></P><P>&gt;showvpnflow</P><P>&gt;showvpnflow tunnel-id x&nbsp; &lt;&lt; where x=id number from above display</P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 17 Dec 2014 06:13:06 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43646#M32023 HULK 2014-12-17T06:13:06Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43647#M32024 <HTML><HEAD></HEAD><BODY><P>Thanks Hulk, </P><P></P><P>See below for output</P><P></P><P>admin@PA-VM&gt; show vpn flow</P><P></P><P></P><P>total tunnels configured:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2</P><P>filter - type IPSec, state any</P><P></P><P></P><P>total IPSec tunnel configured:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2</P><P>total IPSec tunnel shown:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2</P><P></P><P></P><P>id&nbsp;&nbsp;&nbsp; name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; state&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; monitor&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; local-ip&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; peer-ip&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel-i/f</P><P>-----------------------------------------------------------------------------------------------</P><P>7&nbsp;&nbsp;&nbsp;&nbsp; Citec_IPSEC:networks&nbsp; active&nbsp;&nbsp;&nbsp;&nbsp; off&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.3.2&nbsp;&nbsp;&nbsp;&nbsp; 192.168.3.100&nbsp;&nbsp; tunnel.1</P><P>9&nbsp;&nbsp;&nbsp;&nbsp; Citec_IPSEC:networks2 init&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; off&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.3.2&nbsp;&nbsp;&nbsp;&nbsp; 192.168.3.100&nbsp;&nbsp; tunnel.1</P><P></P><P></P><P>admin@PA-VM&gt;</P><P>admin@PA-VM&gt; show vpn flow tunnel-id 7</P><P></P><P></P><P>tunnel&nbsp; Citec_IPSEC:networks</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; id:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; type:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IPSec</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; gateway id:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; local ip:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.3.2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; peer ip:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.3.100</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; inner interface:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel.1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; outer interface:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ethernet1/2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; state:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; active</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 107</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel mtu:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1428</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; lifetime remain:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3478 sec</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; latest rekey:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 122 seconds ago</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; monitor:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; off</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; monitor packets seen:&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; monitor packets reply:&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; en/decap context:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; local spi:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 9183D0C8</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; remote spi:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; BA222D14</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; key type:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto key</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; protocol:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ESP</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auth algorithm:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SHA1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; enc&nbsp; algorithm:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AES128</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id local ip:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.16.1.0/24</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id remote ip:&nbsp;&nbsp;&nbsp;&nbsp; 172.16.2.0/24</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id protocol:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id local port:&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id remote port:&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; anti replay check:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; yes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; copy tos:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; no</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; authentication errors:&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; decryption errors:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; inner packet warnings:&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; replay packets:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; packets received</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; when lifetime expired:0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; when lifesize expired:0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sending sequence:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; receive sequence:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; encap packets:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; decap packets:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; encap bytes:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; decap bytes:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 544</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; key acquire requests:&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; owner state:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; owner cpuid:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; s1dp0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ownership:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1</P><P></P><P></P><P>admin@PA-VM&gt; show vpn flow tunnel-id 9</P><P></P><P></P><P>tunnel&nbsp; Citec_IPSEC:networks2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; id:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 9</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; type:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IPSec</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; gateway id:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; local ip:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.3.2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; peer ip:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.3.100</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; inner interface:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel.1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; outer interface:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ethernet1/2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; state:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; init</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel mtu:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1448</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; lifetime remain:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; N/A</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; monitor:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; off</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; monitor packets seen:&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; monitor packets reply:&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; en/decap context:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; local spi:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 00000000</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; remote spi:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 00000000</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; key type:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto key</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; protocol:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ESP</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auth algorithm:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NOT ESTABLISHED</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; enc&nbsp; algorithm:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NOT ESTABLISHED</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id local ip:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.16.2.0/24</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id remote ip:&nbsp;&nbsp;&nbsp;&nbsp; 172.16.1.0/24</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id protocol:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id local port:&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proxy-id remote port:&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; anti replay check:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; yes</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; copy tos:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; no</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; authentication errors:&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; decryption errors:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; inner packet warnings:&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; replay packets:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; packets received</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; when lifetime expired:0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; when lifesize expired:0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sending sequence:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; receive sequence:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; encap packets:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; decap packets:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; encap bytes:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; decap bytes:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; key acquire requests:&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; owner state:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; owner cpuid:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; s1dp0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ownership:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1</P><P></P><P></P><P>admin@PA-VM&gt;</P></BODY></HTML> Wed, 17 Dec 2014 11:38:12 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43647#M32024 netsupport1 2014-12-17T11:38:12Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43648#M32025 <HTML><HEAD></HEAD><BODY><P>Looks like you are decrypting packets but not encrypting packets.&nbsp; This means we need to look at your end.&nbsp; If packets are coming across that means the tunnel is built and configured properly.&nbsp; Usually this points to a Routing/ACL issue so we need to look at why your replys are not being sent into the tunnel.</P></BODY></HTML> Wed, 17 Dec 2014 13:57:42 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43648#M32025 Dz3015 2014-12-17T13:57:42Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43649#M32026 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Adding to what Hulk suggested, it is something with the routing table that I am worried about. I would like to know if the static route for the tunnel traffic is redistributed over OSPF. Can you please check the routing table on the PA to know if you are learning all the routes and are we taking the right static route to send and receive traffic through the defined tunnel interface. Probably the following command test routing fib-lookup ...... should help you know if we are forcing traffic on the static route defined. Also show routing route should give us the summary.</P><P></P><P>Please see if this track of investigation helps you.</P></BODY></HTML> Wed, 17 Dec 2014 15:33:04 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43649#M32026 smalayappan 2014-12-17T15:33:04Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43650#M32027 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>This looks like configuration issue. You created static route for "172.16.2.0/24" pointing towards tunnel.1. However, you created tunnel between PA and R2 router. So you need to create static route for 172.16.1.0/24 and next hop as tunnel interface and redistribute this static route into OSPF. Also you need to remove the static route which configured for "172.16.2.0/24".</P><P></P><P>Regards,</P><P>P.Sarath </P></BODY></HTML> Wed, 17 Dec 2014 16:07:09 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43650#M32027 sbabu 2014-12-17T16:07:09Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43651#M32028 <HTML><HEAD></HEAD><BODY><P>Agreed, according to the drawing the wrong subnet is pointed at the tunnel.</P></BODY></HTML> Wed, 17 Dec 2014 16:57:43 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43651#M32028 Dz3015 2014-12-17T16:57:43Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43652#M32029 <HTML><HEAD></HEAD><BODY><P>Also I believe ACL configuration on the Cisco device is not correct. You mentioned same subnet in ACL source and destination.</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">"access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.1.0 0.0.0.255"</P><P></P><P>Regards,</P><P>P.Sarath</P></BODY></HTML> Wed, 17 Dec 2014 16:59:30 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43652#M32029 sbabu 2014-12-17T16:59:30Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43653#M32030 <HTML><HEAD></HEAD><BODY><P>So sorry guys, i documented the topo wrong, the two LAN subnets are swapped;</P><P><IMG alt="15.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/17341_15.png" style="height: auto;" /></P><P>So the static is correct i believe, 172.16.1.0/24 to tunnel .1</P><P></P><P>Thank you all so so much for your help thus far, sorry about the bum steer!</P><P></P><P>regards</P></BODY></HTML> Wed, 17 Dec 2014 22:28:59 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43653#M32030 netsupport1 2014-12-17T22:28:59Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43654#M32031 <HTML><HEAD></HEAD><BODY><P>So I think your problem is a typo in the ACL configured on the router. Make sure you have it like this:</P><P></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Thanks,<BR /></SPAN></P></BODY></HTML> Wed, 17 Dec 2014 22:47:47 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43654#M32031 parmas 2014-12-17T22:47:47Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43655#M32032 <HTML><HEAD></HEAD><BODY><P>Ok so i have a confession to make, the hosts you see in the topo above aren't real, they are loopbacks, and i was sourcing pings from the loopback but it just wasn't working as stated, this morning i made them "real"" hosts and it all worked, i'm not 100% on why</P><P></P><P>I'm so thankful for your offered help, it's my first enquiry in this forum and i am impressed, being a Cisco guy i was a little doubtful that i would get a resolution ....wow! how wrong i was!</P><P></P><P>Thankyou all!!!!</P></BODY></HTML> Wed, 17 Dec 2014 23:14:09 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-palo-alto-to-cisco-router-issue/m-p/43655#M32032 netsupport1 2014-12-17T23:14:09Z