https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/226665#M65250 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;thank you for the reply,</P><P>&nbsp;</P><P>Yes I'm log the interzone, in day to day basic I don't have policy to allow DMZ accessing the VPN tunnel (the opposite direction) so when I trying to ping I see it denies on the interzone-default rule.</P><P>&nbsp;</P><P>That's why for testing the return routing I created new policy allowing DMZ to access VPN tunnel for PING/ICMP and then suddenly the opposite way, VPN tunnel to DMZ started to work.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;&nbsp;</P><P>&nbsp;</P> Thu, 09 Aug 2018 22:34:18 GMT SShnap 2018-08-09T22:34:18Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/226523#M65212 <P>I have realy weired issue,&nbsp;</P><P>&nbsp;</P><P>I have two sites connected with IPSEC vpn, PAVM200 to PA3020.</P><P>&nbsp;</P><P>the sites are connected with IPSEC very stable vpn, remote site trying to access DMZ zone on the local site.</P><P>The routing confiured and policy rule allowing the access from VPN to DMZ.</P><P>&nbsp;</P><P>everything works fine and I was able to see the traffic,</P><P>suddenly after the VPN drop and esteblish the connection again the remote site users can only access the local site network but no DMZ zone on local site.</P><P>&nbsp;</P><P>on the logs for the remote site I see the traffic egress to the right tunnel without reply, on the local site I don't see the traffic is coming.</P><P>&nbsp;</P><P>On last try I was creating new policy rule for DMZ to remote site network for checking the reply routing and suddenly everything come back to normal and working even after I disalbe the new policy rule.</P><P>&nbsp;</P><P>Now after 5 months that it's working the VPN dropped again and once again I needed to create that new policy for bring everything to work again, very weired.&nbsp;&nbsp;</P><P>&nbsp;</P><P>any suggestion what to check?</P><P>&nbsp;</P><P>Thank you for the help.</P> Wed, 08 Aug 2018 22:09:09 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/226523#M65212 SShnap 2018-08-08T22:09:09Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/226656#M65242 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/40971">@SShnap</a>,</P><P>Do you log the interzone default rule so that you can see if the policy is getting denied in the logs? It would be very odd to see this happen unless for some reason the security policy that was matching this traffic for some reason no longer matched the traffic as it should. (Either changes on the Local or Remote end; or the XML getting corrupt following changes or upgrades).&nbsp;</P> Thu, 09 Aug 2018 19:58:57 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/226656#M65242 BPry 2018-08-09T19:58:57Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/226665#M65250 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;thank you for the reply,</P><P>&nbsp;</P><P>Yes I'm log the interzone, in day to day basic I don't have policy to allow DMZ accessing the VPN tunnel (the opposite direction) so when I trying to ping I see it denies on the interzone-default rule.</P><P>&nbsp;</P><P>That's why for testing the return routing I created new policy allowing DMZ to access VPN tunnel for PING/ICMP and then suddenly the opposite way, VPN tunnel to DMZ started to work.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;&nbsp;</P><P>&nbsp;</P> Thu, 09 Aug 2018 22:34:18 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/226665#M65250 SShnap 2018-08-09T22:34:18Z