https://live.paloaltonetworks.com/t5/general-topics/vpn-site-a-site-palo-alto-pas-de-traffic-retour/m-p/260209#M73754 <P>Bonjour,&nbsp;</P><P>&nbsp;</P><P>Avez-vous pu resoudre votre problème? Nous avons un probléme similaire et je serai très interessée de votre résolution.</P><P>&nbsp;</P><P>Bàv,</P><P>Eleni</P> Tue, 07 May 2019 22:04:13 GMT elenip 2019-05-07T22:04:13Z https://live.paloaltonetworks.com/t5/general-topics/vpn-site-a-site-palo-alto-pas-de-traffic-retour/m-p/251760#M71577 <P>Bonjour</P><P>j'ai monté un tunnel vpn entre un PA-850 et un PA-220. La gateway IKE et le tunnel sont au vert.</P><P>Je n'obtiens aucuns trafic en reception dans le tunnel sur le site A. Le site B quant a lui recoit mes requetes et y repond, mais comme je n'ai pas de reception je n'obtiens pas la reponse.</P><P>Du coup je me suis dis il&nbsp; y a une policy qui bloque ou une zone mal défini. J'ai fais le tour et je ne vois pas ou est le blocage.</P><P>Les 2 Palo sont en version 8.1.5.</P><P>&nbsp;</P><P><FONT size="5"><U><STRONG>Infos site A</STRONG></U></FONT></P><P>&nbsp;</P><P><EM>tunnel Tunnel</EM><BR /><EM>id: 13</EM><BR /><EM>type: IPSec</EM><BR /><EM>gateway id: 4</EM><BR /><EM>local ip: XXX.XXX.XXX.XXX</EM><BR /><EM>peer ip: YYY.YYY.YYY.YYY</EM><BR /><EM>inner interface: tunnel.4</EM><BR /><EM>outer interface: ethernet1/1.4</EM><BR /><EM>state: active</EM><BR /><EM>session: 23233</EM><BR /><EM>tunnel mtu: 1424</EM><BR /><EM>soft lifetime: 86349</EM><BR /><EM>hard lifetime: 86400</EM><BR /><EM>lifetime remain: 86399 sec</EM><BR /><EM>lifesize remain: N/A</EM><BR /><EM>latest rekey: 1 seconds ago</EM><BR /><EM>monitor: on</EM><BR /><EM>monitor status: down</EM><BR /><EM>monitor dest: 192.168.11.2</EM><BR /><EM>monitor interval: 3 seconds</EM><BR /><EM>monitor threshold: 5 probe losses</EM><BR /><EM>monitor bitmap: 00000</EM><BR /><EM>monitor packets sent: 485</EM><BR /><EM>monitor packets recv: 0</EM><BR /><EM>monitor packets seen: 0</EM><BR /><EM>monitor packets reply:0</EM><BR /><EM>en/decap context: 2172</EM><BR /><EM>local spi: 81E36347</EM><BR /><EM>remote spi: 884AF897</EM><BR /><EM>key type: auto key</EM><BR /><EM>protocol: ESP</EM><BR /><EM>auth algorithm: SHA256</EM><BR /><EM>enc algorithm: AES256</EM><BR /><EM>traffic selector:</EM><BR /><EM>protocol: 0</EM><BR /><EM>local ip range: 0.0.0.0 - 255.255.255.255</EM><BR /><EM>local port range: 0 - 65535</EM><BR /><EM>remote ip range: 0.0.0.0 - 255.255.255.255</EM><BR /><EM>remote port range: 0 - 65535</EM><BR /><EM>anti replay check: yes</EM><BR /><EM>copy tos: no</EM><BR /><EM>authentication errors: 0</EM><BR /><EM>decryption errors: 0</EM><BR /><EM>inner packet warnings: 0</EM><BR /><EM>replay packets: 0</EM><BR /><EM>packets received</EM><BR /><EM>when lifetime expired:0</EM><BR /><EM>when lifesize expired:0</EM><BR /><EM>sending sequence: 0</EM><BR /><EM>receive sequence: 0</EM><BR /><EM>encap packets: 809</EM><BR /><EM>decap packets: 0</EM><BR /><EM>encap bytes: 102808</EM><BR /><EM>decap bytes: 0</EM><BR /><EM>key acquire requests: 442</EM><BR /><EM>owner state: 0</EM><BR /><EM>owner cpuid: s1dp0</EM><BR /><EM>ownership: 1</EM></P><P>&nbsp;</P><P><EM>----------------------------------------------------------------------------------------------------------------</EM></P><P>&nbsp;</P><P><EM>Interface: tunnel.4</EM><BR /><EM>--------------------------------------------------------------------------------</EM></P><P><EM>Logical interface counters read from CPU:</EM><BR /><EM>--------------------------------------------------------------------------------</EM><BR /><EM>bytes received 0</EM><BR /><EM>bytes transmitted 2804416</EM><BR /><EM>packets received 0</EM><BR /><EM>packets transmitted 16238</EM><BR /><EM>receive errors 0</EM><BR /><EM>packets dropped 0</EM><BR /><EM>packets dropped by flow state check 0</EM><BR /><EM>forwarding errors 0</EM><BR /><EM>no route 0</EM><BR /><EM>arp not found 0</EM><BR /><EM>neighbor not found 0</EM><BR /><EM>neighbor info pending 0</EM><BR /><EM>mac not found 0</EM><BR /><EM>packets routed to different zone 0</EM><BR /><EM>land attacks 0</EM><BR /><EM>ping-of-death attacks 0</EM><BR /><EM>teardrop attacks 0</EM><BR /><EM>ip spoof attacks 0</EM><BR /><EM>mac spoof attacks 0</EM><BR /><EM>ICMP fragment 0</EM><BR /><EM>layer2 encapsulated packets 0</EM><BR /><EM>layer2 decapsulated packets 0</EM><BR /><EM>tcp cps 0</EM><BR /><EM>udp cps 0</EM><BR /><EM>sctp cps 0</EM><BR /><EM>other cps 0</EM><BR /><EM>--------------------------------------------------------------------------------</EM></P><P>&nbsp;</P><P><EM>test routing fib-lookup virtual-router default ip 192.168.11.2</EM></P><P><EM>--------------------------------------------------------------------------------</EM><BR /><EM>runtime route lookup</EM><BR /><EM>--------------------------------------------------------------------------------</EM><BR /><EM>virtual-router: default</EM><BR /><EM>destination: 192.168.11.2</EM><BR /><EM>result:</EM><BR /><EM>via 10.1.1.1 interface tunnel.4, source 10.1.1.2, metric 10</EM></P><P><EM>----------------------------------------------------------------</EM></P><P>&nbsp;</P><P>&nbsp;</P><P><FONT size="5"><U><STRONG>Infos Site B</STRONG></U></FONT></P><P>&nbsp;</P><P><EM>admin@PA220-ENSAN&gt; test routing fib-lookup virtual-router default ip 10.100.100.101</EM></P><P><EM>--------------------------------------------------------------------------------</EM><BR /><EM>runtime route lookup</EM><BR /><EM>--------------------------------------------------------------------------------</EM><BR /><EM>virtual-router: default</EM><BR /><EM>destination: 10.100.100.101</EM><BR /><EM>result:</EM><BR /><EM>via 10.1.1.2 interface tunnel.1, source 10.1.1.1, metric 10</EM><BR /><EM>--------------------------------------------------------------------------------</EM></P><P><EM>admin@PA220-ENSAN&gt; show vpn flow tunnel-id 1</EM></P><P><EM>tunnel Tunnel-IPSEC</EM><BR /><EM>id: 1</EM><BR /><EM>type: IPSec</EM><BR /><EM>gateway id: 1</EM><BR /><EM>local ip: YYY.YYY.YYY.YYY</EM><BR /><EM>peer ip: XXX.XXX.XXX.XXX</EM><BR /><EM>inner interface: tunnel.1</EM><BR /><EM>outer interface: ethernet1/1</EM><BR /><EM>state: active</EM><BR /><EM>session: 13687</EM><BR /><EM>tunnel mtu: 1424</EM><BR /><EM>soft lifetime: 5183974</EM><BR /><EM>hard lifetime: 5184000</EM><BR /><EM>lifetime remain: 5183999 sec</EM><BR /><EM>lifesize remain: N/A</EM><BR /><EM>latest rekey: 1 seconds ago</EM><BR /><EM>monitor: on</EM><BR /><EM>monitor status: down</EM><BR /><EM>monitor dest: 10.100.100.101</EM><BR /><EM>monitor interval: 3 seconds</EM><BR /><EM>monitor threshold: 5 probe losses</EM><BR /><EM>monitor bitmap: 00000</EM><BR /><EM>monitor packets sent: 433</EM><BR /><EM>monitor packets recv: 0</EM><BR /><EM>monitor packets seen: 433</EM><BR /><EM>monitor packets reply:0</EM><BR /><EM>en/decap context: 1229</EM><BR /><EM>local spi: FBFE25E2</EM><BR /><EM>remote spi: 9569F5C5</EM><BR /><EM>key type: auto key</EM><BR /><EM>protocol: ESP</EM><BR /><EM>auth algorithm: SHA256</EM><BR /><EM>enc algorithm: AES256</EM><BR /><EM>traffic selector:</EM><BR /><EM>protocol: 0</EM><BR /><EM>local ip range: 0.0.0.0 - 255.255.255.255</EM><BR /><EM>local port range: 0 - 65535</EM><BR /><EM>remote ip range: 0.0.0.0 - 255.255.255.255</EM><BR /><EM>remote port range: 0 - 65535</EM><BR /><EM>anti replay check: no</EM><BR /><EM>copy tos: no</EM><BR /><EM>authentication errors: 0</EM><BR /><EM>decryption errors: 0</EM><BR /><EM>inner packet warnings: 0</EM><BR /><EM>replay packets: 0</EM><BR /><EM>packets received</EM><BR /><EM>when lifetime expired:0</EM><BR /><EM>when lifesize expired:0</EM><BR /><EM>sending sequence: 0</EM><BR /><EM>receive sequence: 0</EM><BR /><EM>encap packets: 1474</EM><BR /><EM>decap packets: 699</EM><BR /><EM>encap bytes: 160736</EM><BR /><EM>decap bytes: 84424</EM><BR /><EM>key acquire requests: 416</EM><BR /><EM>owner state: 0</EM><BR /><EM>owner cpuid: s1dp0</EM><BR /><EM>ownership: 1</EM></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Je vous avoue que je ne sais plus trop ou chercher, alors si vous avez une idée....</P><P>&nbsp;</P><P>merci</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 28 Feb 2019 15:26:41 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-site-a-site-palo-alto-pas-de-traffic-retour/m-p/251760#M71577 ENSANANTES 2019-02-28T15:26:41Z https://live.paloaltonetworks.com/t5/general-topics/vpn-site-a-site-palo-alto-pas-de-traffic-retour/m-p/251834#M71607 <P>Hello,</P><P>Make sure you have routes setup between the sites so the PAN knows where to route the traffic. Or you can setup dynamic routing so they know.</P><P>&nbsp;</P><P>I setup my VPN tunnels with a /30 so each end gets an IP. Then I setup static routes for each IP on the respective PAN so traffic knows there to go. Then test with a ping.</P><P>&nbsp;</P><P>Example:</P><P>Site A&nbsp; subet is 192.168.2.0/24 so Site A pan needs a static route to 192.168.99.0/24 destination tunnel interface</P><P>&nbsp;</P><P>Site B subnet is 192.168.99.0/24 so SiteB pan needs a static route to 192.168.2.0/24 desitnation tunnel interface</P><P>&nbsp;</P><P>Regards,</P> Thu, 28 Feb 2019 21:45:33 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-site-a-site-palo-alto-pas-de-traffic-retour/m-p/251834#M71607 OtakarKlier 2019-02-28T21:45:33Z https://live.paloaltonetworks.com/t5/general-topics/vpn-site-a-site-palo-alto-pas-de-traffic-retour/m-p/251928#M71630 <P>Merci pour cette reponse</P><P>Nous avons contrôlé les routes , le NAT, les interfaces et les policies. Notre intégrateur a validé notre configuration. Le vpn ne fonctionne qu'en 1 Way. Le site B recoit et repond, mais le site A n'obtient rien en entrée. Le Compteur decap packets/bytes reste a 0. Nous allons escalder la demande au support Palo Alto.</P><P>merci</P> Mon, 04 Mar 2019 15:24:18 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-site-a-site-palo-alto-pas-de-traffic-retour/m-p/251928#M71630 ENSANANTES 2019-03-04T15:24:18Z https://live.paloaltonetworks.com/t5/general-topics/vpn-site-a-site-palo-alto-pas-de-traffic-retour/m-p/260209#M73754 <P>Bonjour,&nbsp;</P><P>&nbsp;</P><P>Avez-vous pu resoudre votre problème? Nous avons un probléme similaire et je serai très interessée de votre résolution.</P><P>&nbsp;</P><P>Bàv,</P><P>Eleni</P> Tue, 07 May 2019 22:04:13 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-site-a-site-palo-alto-pas-de-traffic-retour/m-p/260209#M73754 elenip 2019-05-07T22:04:13Z https://live.paloaltonetworks.com/t5/general-topics/vpn-site-a-site-palo-alto-pas-de-traffic-retour/m-p/261943#M74233 <P>La réponse est bete et mechante. Les 2 adresses des Peers doivent appartenir a la meme zone.</P><P>Nous avons une topologogie particuliere avec plusieurs liens publiques sans trop rentrer dans les détails et nous avons créé des zones personnalisées pour qu'elles soient plus parlantes que du trust/untrust cela a dû ajouté a la confusion , de plus jusque la je travaillais sur checkpoint ou la notion de zone n'existe pas. Toute la conf vpn etait bonne mais les 2 peer n'etaient pas ds la meme zone , une fois cela corriger le tunnel s'est monté</P> Wed, 22 May 2019 15:45:06 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-site-a-site-palo-alto-pas-de-traffic-retour/m-p/261943#M74233 ENSANANTES 2019-05-22T15:45:06Z