https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-ipsec-with-dynamic-side/m-p/262499#M74377 <P>Hello, everyone,</P><P>Currently I have the problem to build an IPSec tunnel between a PA200 (A) and a PA220 (B).<BR />My one side A has a Telekom hybrid Internet connection (its a german product with LTE and cable connection) to a Speedport router. Thus only one dynamic official IP.<BR />The other side B is a normal company connection with a fixed IP address. I have configured my tunnel so that only side A is allowed to start the tunnel. (B side enable passive mode)</P><P>If I now start the tunnel on page A, I also see in the monitoring at page B the requests ike on port 500 for port 500. Unfortunately then nothing happens further and page A has then a Faild Due to timeout.<BR />You can also see that page A transmits data but does not receive any data.<BR />What could that be? What is the best way to narrow down the problem?</P> Wed, 29 May 2019 09:24:25 GMT clonesheep 2019-05-29T09:24:25Z https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-ipsec-with-dynamic-side/m-p/262499#M74377 <P>Hello, everyone,</P><P>Currently I have the problem to build an IPSec tunnel between a PA200 (A) and a PA220 (B).<BR />My one side A has a Telekom hybrid Internet connection (its a german product with LTE and cable connection) to a Speedport router. Thus only one dynamic official IP.<BR />The other side B is a normal company connection with a fixed IP address. I have configured my tunnel so that only side A is allowed to start the tunnel. (B side enable passive mode)</P><P>If I now start the tunnel on page A, I also see in the monitoring at page B the requests ike on port 500 for port 500. Unfortunately then nothing happens further and page A has then a Faild Due to timeout.<BR />You can also see that page A transmits data but does not receive any data.<BR />What could that be? What is the best way to narrow down the problem?</P> Wed, 29 May 2019 09:24:25 GMT https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-ipsec-with-dynamic-side/m-p/262499#M74377 clonesheep 2019-05-29T09:24:25Z https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-ipsec-with-dynamic-side/m-p/262513#M74379 <P>Hi,</P><P>&nbsp;</P><P>Have you configured Proxy-IDs, as if the PA wants to establish an IPSec tunnel with Non-PA device, we need to configure it because of Route based approach.</P> Wed, 29 May 2019 11:13:16 GMT https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-ipsec-with-dynamic-side/m-p/262513#M74379 Saurabh0145 2019-05-29T11:13:16Z https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-ipsec-with-dynamic-side/m-p/264214#M74409 <P>Hello,</P><P>I have sites with multiple VPN's and I think I understand what you are trying to accomplish. You want all traffic to go down TunnelA as primary with TunnelB as secondary? If yes, setup the tunnels the same with settings on both. Both tunnels will be up at the same time, this is OK. Then control traffic with routing, either static routes with monitors and weights or OSPF with Metrics.</P><P>&nbsp;</P><P>Hope that helps.</P> Fri, 31 May 2019 14:19:23 GMT https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-ipsec-with-dynamic-side/m-p/264214#M74409 OtakarKlier 2019-05-31T14:19:23Z