https://live.paloaltonetworks.com/t5/general-topics/routing-traffic-from-branch-through-hq-to-vendor/m-p/234147#M67128 <P>So found I the problem, or "more of a design issue".</P><P>&nbsp;</P><P>The dynamic vpn setup on my branch side, is the issue to the vendor. I relized that when settting up a direct connection from branch to vendor. The vendor does not support Nat-T!!!! Doh!!!! Which is why I would see the out bound encaps but no decaps back on the HQ side.</P><P>&nbsp;</P><P>Back to the drawing board... Hopefully this stops someone form spinning their wheels</P> Fri, 05 Oct 2018 17:09:43 GMT k.truex 2018-10-05T17:09:43Z https://live.paloaltonetworks.com/t5/general-topics/routing-traffic-from-branch-through-hq-to-vendor/m-p/232745#M66770 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="example.jpg" style="width: 530px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16823i7CA9A91D26241E32/image-dimensions/530x324/is-moderation-mode/true?v=v2" width="530" height="324" role="button" title="example.jpg" alt="example.jpg" /></span></P><P>&nbsp;</P><P>Currently Im labing a situtation where I'll need to have branch users route to a vendor through HQ via IPsec tunnels. Users at my banch access can acesss Web/HQ services though the HQ firewall, but when accessing the vendor. Logs show from HQ the attempts to the vendor from the branch office. But nothing but incompletes/aged-out.&nbsp;</P><P>&nbsp;</P><P>From HQ, I do see active connections for&nbsp; phaseII for the branch/vendor connection but of course no encap/decaps.</P><P>&nbsp;</P><P>Also I&nbsp;do have redistrabution profiles for Branch and Vendor connections on the HQ firewall.</P><P>&nbsp;</P><P>Thoughts?&nbsp;</P> Thu, 27 Sep 2018 16:37:11 GMT https://live.paloaltonetworks.com/t5/general-topics/routing-traffic-from-branch-through-hq-to-vendor/m-p/232745#M66770 k.truex 2018-09-27T16:37:11Z https://live.paloaltonetworks.com/t5/general-topics/routing-traffic-from-branch-through-hq-to-vendor/m-p/232754#M66772 <P>Just found this, which Im spot on. I do worry that my vendor side might be incorrect</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-To-Connect-2-Branch-Locations-to-Connect-through-HQ-Site/ta-p/62643&nbsp;" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-To-Connect-2-Branch-Locations-to-Connect-through-HQ-Site/ta-p/62643&nbsp;</A></P> Thu, 27 Sep 2018 16:50:30 GMT https://live.paloaltonetworks.com/t5/general-topics/routing-traffic-from-branch-through-hq-to-vendor/m-p/232754#M66772 k.truex 2018-09-27T16:50:30Z https://live.paloaltonetworks.com/t5/general-topics/routing-traffic-from-branch-through-hq-to-vendor/m-p/234147#M67128 <P>So found I the problem, or "more of a design issue".</P><P>&nbsp;</P><P>The dynamic vpn setup on my branch side, is the issue to the vendor. I relized that when settting up a direct connection from branch to vendor. The vendor does not support Nat-T!!!! Doh!!!! Which is why I would see the out bound encaps but no decaps back on the HQ side.</P><P>&nbsp;</P><P>Back to the drawing board... Hopefully this stops someone form spinning their wheels</P> Fri, 05 Oct 2018 17:09:43 GMT https://live.paloaltonetworks.com/t5/general-topics/routing-traffic-from-branch-through-hq-to-vendor/m-p/234147#M67128 k.truex 2018-10-05T17:09:43Z