topic Re: Issues with ipsec traffic from PA3020 to Cisco 871. in General Topics

Issues with ipsec traffic from PA3020 to Cisco 871.

inderjit21 — Wed, 29 Mar 2017 04:56:02 GMT

I have a working tunnel between Netscreen and Cisco 871. I tried to move this from Netscreen to PA3020.

The tunnel comes up. PA3020-local network-192.168.2.0/24 and remote-192.168.235.0/24.

Traffic from 2.0(palo side) to 235.0(cisco side) network is fine. But from 235.0(cisco side) to 2.0(palo side) we have issues

Only thing which works is ping. rdp,mail,port80 nothing works. The tunnel is part of trust with 2.0 in trust as well. All trust intrazone is allowed and I can see logs allowing. all interface mtu is 1500. Tried adjusting mtu to different setting 1350,1418 but still doesnt work. Reverted the tunnel to netscreen and works fine. On netscreen its policy based and no tunnel is involved so

cant check mtu.

Re: Issues with ipsec traffic from PA3020 to Cisco 871.

santonic — Wed, 29 Mar 2017 06:08:08 GMT

If ping is working but TCP sessions aren't it could be asymmetric routing issue. Check routing and ingress/egress interfaces in logs.

And i'd suggest using different security zone for VPN traffic.

Re: Issues with ipsec traffic from PA3020 to Cisco 871.

inderjit21 — Wed, 29 Mar 2017 09:52:59 GMT

I have migrated tunnel which is working in the same setup. Its not a routing but mtu or mss adjust setup.

On netscreen I have set flow tcp-mss does that mean i will need to enable adjust mss on external interface.