topic Re: ipsec vpn issue in General Topics

ipsec vpn issue

Javith — Wed, 09 Jul 2014 18:41:37 GMT

I configured ipsec vpn with palo alto to checkpoint.

pinging isp:

local/external ip(182.x.x.x) to peer ip(102.x.x.x) ping successful.

pinging local network to peer ip:

local pc(10.10.10.x) to peer ip(102.x.x.x) ping unsuccessful..tracert confirm drops on internet..ike not established(verified by show vpn ike-sa gateway)..following vpn troubleshooting doc.

ping 10.100.100.x(remote ip) from fw cli

ping remote pc (10.100.100.x) and pinging peer ip from firewall cli successful..but prblm is it doesn't take external ip(182.x.x.x) route..it takes another route(customer says vpn is connected to other fw too)

so fw takes that routes and successfully pings remote ip

then i put this command:

ping source 182.x.x.x host 102.x..x.x ->successful

ping source 182.x.x.x host 10.100.100.x->unsuccessful..

after going to system logs->it shows ike phase 1 aborted msg and sometimes both phase 1 and phase 2 succeeded logs..but ipsec tunnel is not showing up.

Can i tell customer to disconnect same vpn connection which is using another route to reach remote ip successfully(directly connected i think) ??

Please suggest..

Re: ipsec vpn issue

HULK — Wed, 09 Jul 2014 19:32:59 GMT

Hello Javith,

The IPSec tunnel is basically for user traffic coming from local Private subnet (10.10.10.x) to the remote private subnet (10.100.100.x). So, are you able to ping from source 10.10.10.x to destination 10.100.100.x..? Also, if you want to initiate from your external interface IP, then it should be mentioned on the proxy ID's (appropriate local and remote IP's).

Thanks

Re: ipsec vpn issue

pulukas — Thu, 10 Jul 2014 15:14:05 GMT

Can you check the phase 1 and phase 2 status and see if the tunnel is up and not passing traffic or not coming up at all.

This document shows how to confirm the status.

How to Troubleshoot VPN Connectivity Issues