https://live.paloaltonetworks.com/t5/general-topics/cisco-guest-mobility-anchor-controller-tunnels-are-down-when/m-p/221136#M63721 Hi All,<BR /><BR />The issue was that the vlans were not allowed in the virtual wire. Once I allowed the vlans everything worked fine. Thanks for the valuable replies guys.<BR /><BR /> Mon, 09 Jul 2018 07:24:04 GMT shabeeb 2018-07-09T07:24:04Z https://live.paloaltonetworks.com/t5/general-topics/cisco-guest-mobility-anchor-controller-tunnels-are-down-when/m-p/220023#M63489 <P>Hi,</P><P>&nbsp;</P><P>I have a pair of Cisco controllers setup as mobility anchor controllers,&nbsp; which will basically initiate EoIP tunnel between them. Recently we have placed a Palo Alto 5250 firewalls between the controllers through virtual wire interfaces. The physical connectivity is as follows</P><P>&nbsp;</P><P>Cisco Controller 1 ----&gt; Palo Alto VWire-IN -------&gt; Palo Alto VWire-Out -----&gt; Cisco Controller 2</P><P>&nbsp;</P><P>The issue is that after placing the Palo Alto firewall , the tunnel between the controllers is not coming up. I have all allowed the traffic in both directions. There is no rule blocking the traffic. Please let me know if anyone had the similar issue.</P><P>&nbsp;</P><P>Thanks&nbsp;</P><P>Shabeeb</P> Sun, 01 Jul 2018 07:35:17 GMT https://live.paloaltonetworks.com/t5/general-topics/cisco-guest-mobility-anchor-controller-tunnels-are-down-when/m-p/220023#M63489 shabeeb 2018-07-01T07:35:17Z https://live.paloaltonetworks.com/t5/general-topics/cisco-guest-mobility-anchor-controller-tunnels-are-down-when/m-p/220208#M63542 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75862">@shabeeb</a>,</P><P>I would wireshark both ends and look and see if the Palo is manipulating the packets in some way. That's about the only thing I can think of that would be breaking this.&nbsp;</P><P>&nbsp;</P><P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/31426">@tac.in</a>&nbsp;makes a really good point; you are allowing the traffic with service and application set to 'any' right? I always assume that in a v-wire configuration that is how the rule is built, however that is sometimes something that people can run into.&nbsp;</P> Tue, 03 Jul 2018 18:28:30 GMT https://live.paloaltonetworks.com/t5/general-topics/cisco-guest-mobility-anchor-controller-tunnels-are-down-when/m-p/220208#M63542 BPry 2018-07-03T18:28:30Z https://live.paloaltonetworks.com/t5/general-topics/cisco-guest-mobility-anchor-controller-tunnels-are-down-when/m-p/220323#M63566 <P>Hi Shabeeb,</P><P>&nbsp;</P><P>Please try changing service from application-defaults to any. The tunnel might be on other ports other than default ports .</P> Tue, 03 Jul 2018 09:47:51 GMT https://live.paloaltonetworks.com/t5/general-topics/cisco-guest-mobility-anchor-controller-tunnels-are-down-when/m-p/220323#M63566 tac.in 2018-07-03T09:47:51Z https://live.paloaltonetworks.com/t5/general-topics/cisco-guest-mobility-anchor-controller-tunnels-are-down-when/m-p/221136#M63721 Hi All,<BR /><BR />The issue was that the vlans were not allowed in the virtual wire. Once I allowed the vlans everything worked fine. Thanks for the valuable replies guys.<BR /><BR /> Mon, 09 Jul 2018 07:24:04 GMT https://live.paloaltonetworks.com/t5/general-topics/cisco-guest-mobility-anchor-controller-tunnels-are-down-when/m-p/221136#M63721 shabeeb 2018-07-09T07:24:04Z