https://live.paloaltonetworks.com/t5/general-topics/ipsec-proxy-tunnel-issue-with-multiple-tunnels/m-p/246217#M70133 <P>HI Team,</P><P>&nbsp;</P><P>I have configure Ipsec between PA and Cisco ASA, IPSEC is up but not traffic is passing.&nbsp;</P><P>&nbsp;</P><P>During the troubleshooting I have found for the proxy ID's configure in palo alto for some of the proxy id's only encapulation packet paloalto is sending and there is no decapusulation packet increasing for the proxy tunnel.</P><P>&nbsp;</P><P>But in the same Ipsec tunnel other proxy ID's are working fine. My firewall is running 8.0.13 which is recommened by Palo alto.</P><P>&nbsp;</P><P>Replay protection is already disabled, Phase 1 is having 24 hours and Phase 2 has 1 hour life time.</P><P>&nbsp;</P><P>I'm not seeing issue in negotiation, The proxy tunnel which is having issue is in the init state in PA side when analysing through command show vpn ikesa gateway&nbsp; gatewayname.</P><P>&nbsp;</P><P>Please suggest what can be done further to check this issue.</P><P>&nbsp;</P><P>Regards</P><P>Venky</P> Wed, 16 Jan 2019 05:59:26 GMT Venkatesan_radhakrishnan 2019-01-16T05:59:26Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-proxy-tunnel-issue-with-multiple-tunnels/m-p/246217#M70133 <P>HI Team,</P><P>&nbsp;</P><P>I have configure Ipsec between PA and Cisco ASA, IPSEC is up but not traffic is passing.&nbsp;</P><P>&nbsp;</P><P>During the troubleshooting I have found for the proxy ID's configure in palo alto for some of the proxy id's only encapulation packet paloalto is sending and there is no decapusulation packet increasing for the proxy tunnel.</P><P>&nbsp;</P><P>But in the same Ipsec tunnel other proxy ID's are working fine. My firewall is running 8.0.13 which is recommened by Palo alto.</P><P>&nbsp;</P><P>Replay protection is already disabled, Phase 1 is having 24 hours and Phase 2 has 1 hour life time.</P><P>&nbsp;</P><P>I'm not seeing issue in negotiation, The proxy tunnel which is having issue is in the init state in PA side when analysing through command show vpn ikesa gateway&nbsp; gatewayname.</P><P>&nbsp;</P><P>Please suggest what can be done further to check this issue.</P><P>&nbsp;</P><P>Regards</P><P>Venky</P> Wed, 16 Jan 2019 05:59:26 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-proxy-tunnel-issue-with-multiple-tunnels/m-p/246217#M70133 Venkatesan_radhakrishnan 2019-01-16T05:59:26Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-proxy-tunnel-issue-with-multiple-tunnels/m-p/246920#M70292 <P>HI Guys,</P><P>&nbsp;</P><P>Do anyone able to get my issue</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 22 Jan 2019 07:19:09 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-proxy-tunnel-issue-with-multiple-tunnels/m-p/246920#M70292 Venkatesan_radhakrishnan 2019-01-22T07:19:09Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-proxy-tunnel-issue-with-multiple-tunnels/m-p/246934#M70293 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/97701">@Venkatesan_radhakrishnan</a>,</P><P>&nbsp;</P><P>If you can see statistics for encrypted packets, this means that the IPsec SA for the problematic proxy ids are successfully negotiated and Palo Alto firewall is actually sending traffic through the tunnel.</P><P>&nbsp;</P><P>So I would say that your problem is most probably on the other and of the tunnel - on the ASA. IPsec SA are up, which means the VPN settings are correct, BUT: Can you confirm that the traffic from the tunnel is allowed on the ASA? Can you confirm the rest of the path has a correct route back to the ASA? Is there any NAT applied on the tunnel traffic on the ASA?</P><P>&nbsp;</P><P>Having the fact that you have some proxy ids up and running eliminates any issues with phase1 setting and peer reachability<BR />Having the fact that the problematic proxy ids are also up, but you see only uni-directional traffic eliminates any issues with phase2 encryption domains/selectors.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 22 Jan 2019 09:32:24 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-proxy-tunnel-issue-with-multiple-tunnels/m-p/246934#M70293 aleksandar.astardzhiev 2019-01-22T09:32:24Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-proxy-tunnel-issue-with-multiple-tunnels/m-p/246935#M70294 <P>HI Alex,</P><P>&nbsp;</P><P>Thanks for your reply, I will look on the ASA side.&nbsp;</P><P>&nbsp;</P><P><SPAN>I can understand this point Can you confirm the rest of the path has a correct route back to the ASA</SPAN></P><P>&nbsp;</P><P><SPAN>I will check the remaning asap.</SPAN></P><P>&nbsp;</P> Tue, 22 Jan 2019 09:39:29 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-proxy-tunnel-issue-with-multiple-tunnels/m-p/246935#M70294 Venkatesan_radhakrishnan 2019-01-22T09:39:29Z