https://live.paloaltonetworks.com/t5/general-topics/nat-t-not-enabled-on-vpn-tunnel-has-impact-on-other-tunnels/m-p/207295#M60779 <P>Hi,</P><P>&nbsp;</P><P>Sorry I think a bit more clarity is required.</P><P>&nbsp;</P><P>If NAT-T is required, but not enabled, the ipsec/phase2 should not stand up at all and your users wouldn't be able to get at anything (not simply RDP). NAT-T should impact the establishment of your new tunnels, I don't see how (short of a very unusual bug) that it would affect encap traffic inside another tunnel.</P><P>&nbsp;</P><OL><LI>Did the new tunnels fully establish?</LI><LI>Could users access services over the new tunnel?</LI><LI>Were services other than RDP affected on the other (historical) tunnels?</LI><LI>Have you done a config audit and compared the last known working config, to the new config to verify that&nbsp;that&nbsp;was the only change?</LI><LI>Are all your tunnels using static peer IP addressing, or are some of them configured as dynamic?</LI></OL><P>&nbsp;</P><P>Thanks,</P><P>Shannon</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 25 Mar 2018 20:55:47 GMT SARowe_NZ 2018-03-25T20:55:47Z https://live.paloaltonetworks.com/t5/general-topics/nat-t-not-enabled-on-vpn-tunnel-has-impact-on-other-tunnels/m-p/207092#M60747 <P><BR />i just had a weird behavior. i have several ipsec tunnels for clients using the ncp secure entry client.<BR /><BR />they all have tunnels configured with certificates and a dynamic peer ip. yesterday i created two new tunnels but forgot to check the nat-t checkbox. and some of the users couldn't get a connection via rdp. my understanding was that it shouldn't impact other vpn tunnels as they established the connection to the correct tunnel with nat-t enabled. i don't know if its really the nat-t checkbox but it was the only difference to the other tunnels i configured.<BR /><BR />pan os version is 8.0.5 and app version is 793-4594.<BR /><BR /><BR />is this a design failure?</P> Fri, 23 Mar 2018 08:45:00 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-t-not-enabled-on-vpn-tunnel-has-impact-on-other-tunnels/m-p/207092#M60747 VARNObit 2018-03-23T08:45:00Z https://live.paloaltonetworks.com/t5/general-topics/nat-t-not-enabled-on-vpn-tunnel-has-impact-on-other-tunnels/m-p/207295#M60779 <P>Hi,</P><P>&nbsp;</P><P>Sorry I think a bit more clarity is required.</P><P>&nbsp;</P><P>If NAT-T is required, but not enabled, the ipsec/phase2 should not stand up at all and your users wouldn't be able to get at anything (not simply RDP). NAT-T should impact the establishment of your new tunnels, I don't see how (short of a very unusual bug) that it would affect encap traffic inside another tunnel.</P><P>&nbsp;</P><OL><LI>Did the new tunnels fully establish?</LI><LI>Could users access services over the new tunnel?</LI><LI>Were services other than RDP affected on the other (historical) tunnels?</LI><LI>Have you done a config audit and compared the last known working config, to the new config to verify that&nbsp;that&nbsp;was the only change?</LI><LI>Are all your tunnels using static peer IP addressing, or are some of them configured as dynamic?</LI></OL><P>&nbsp;</P><P>Thanks,</P><P>Shannon</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 25 Mar 2018 20:55:47 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-t-not-enabled-on-vpn-tunnel-has-impact-on-other-tunnels/m-p/207295#M60779 SARowe_NZ 2018-03-25T20:55:47Z https://live.paloaltonetworks.com/t5/general-topics/nat-t-not-enabled-on-vpn-tunnel-has-impact-on-other-tunnels/m-p/207325#M60785 <P>Hi Shannon,</P><P>&nbsp;</P><P>thank you for your help.</P><P>&nbsp;</P><P>to answer your questions.</P><P>&nbsp;</P><P>1. i could not test the new tunnels, because i was not at customers side and i can not use the ncp client anymore (have no license)</P><P>2. could also not be tested</P><P>3. yes even a ping does'nt go through the tunnel. But there were other tunnels that were not affected and worked properly.</P><P>4. i compared the configuration of other tunnels to the new tunnels and this was the only difference. as soon as i disabled the new tunnels everything worked just fine again.</P><P>5. the tunnels using ncp as client are all dynamic</P><P>&nbsp;</P><P>&nbsp;Kind Regards,</P><P>&nbsp;</P><P>Gregor</P> Mon, 26 Mar 2018 06:15:59 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-t-not-enabled-on-vpn-tunnel-has-impact-on-other-tunnels/m-p/207325#M60785 VARNObit 2018-03-26T06:15:59Z