topic Re: unable to reach peer end public IP via vpn tunnel in General Topics

unable to reach peer end public IP via vpn tunnel

MohammedAsik — Fri, 07 Feb 2020 09:14:45 GMT

HI Team

I have created S2S VPN tunnel between palo alto and cyberoam firewall.

Tunnel is up but the traffic is not flow.

Under Cyberoam firewall there is one server with public IP 144.21.X.X.

From palo alto we need to reach the peer end public IP 144.21.X.X via the vpn tunnel.

but whenever I tried to reach the peer end public IP 144.21.X.X its going via the internet rule instead of vpn rule.

Our requirement is that traffic should go via the vpn tunnel to reach the IP 144.21.X.X

I have configured the PBF policy but its not work.. Please help on this

Regards

Mohammed Asik

Re: unable to reach peer end public IP via vpn tunnel

SutareMayur — Fri, 07 Feb 2020 09:43:32 GMT

Hey,

This is expected.

Your PEER IP communication will happen over internet only. The proxy IDs configured will only pass through tunnel.

- Mayur

Re: unable to reach peer end public IP via vpn tunnel

MohammedAsik — Fri, 07 Feb 2020 12:05:37 GMT

HI Mayur

I have configured proxy ID s also. but its not working

regards
Mohammed Asik

Re: unable to reach peer end public IP via vpn tunnel

SutareMayur — Fri, 07 Feb 2020 12:28:45 GMT

Hi @MohammedAsik Check if routes are pointed towards proper tunnel interface.

Verify traffic logs once if matching correct security policy and sending traffic to correct tunnel interface.

-Mayur

Re: unable to reach peer end public IP via vpn tunnel

MohammedAsik — Fri, 07 Feb 2020 13:25:05 GMT

Please find the below routing and security policy details

144.250.3.222/32 0.0.0.0 10 A S tunnel.10

{
from inside;
source 172.31.62.0/24;
source-region none;
to vpn;
destination 144.250.3.222;
destination-region none;
user any;
category any;
application/service 0:any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}

Regards

Mohammed Asik

Re: unable to reach peer end public IP via vpn tunnel

SutareMayur — Fri, 07 Feb 2020 13:56:54 GMT

Hi @MohammedAsik What is 0.0.0.0 in the route? is it next hop?

What you found in traffic logs?? Is firewall passing it to same tunnel interface?

-Mayur

Re: unable to reach peer end public IP via vpn tunnel

MohammedAsik — Fri, 07 Feb 2020 14:25:41 GMT

Mayur

its a tunnel interface. thats why its showing next hop as 0.0.0.0.

In traffic logs its taking the internet rule and its not pass through tunnel interface. its passing through internet interface Ethernet 1/1.

Mohammed Asik

Re: unable to reach peer end public IP via vpn tunnel

SutareMayur — Fri, 07 Feb 2020 14:47:47 GMT

Can you please check once if tunnel interface belongs to VPN zone?

Mayur

Re: unable to reach peer end public IP via vpn tunnel

MohammedAsik — Fri, 07 Feb 2020 15:34:31 GMT

Please find the below ss tunnel.10 interface

Re: unable to reach peer end public IP via vpn tunnel

SutareMayur — Fri, 07 Feb 2020 23:16:34 GMT

Something is mis configured . Check any pbf which is sending traffic on external interface or traffic getting NAT?

please share traffic log snap?

Mayur

Re: unable to reach peer end public IP via vpn tunnel

svelez — Fri, 07 Feb 2020 21:54:23 GMT

Hi Mohammed,

Have you checked your NAT rules?

Since 144.21.X.X is a public IP, you might be hitting a NAT rule for the Internet depending on which zone your tunnel interface is located.

Also, I see that your Tunnel interface is part of the VPN zone. Is the source traffic is coming from the Inside zone? If so, do you have a security rule on your FW allowing communication between the Inside and VPN zone?

Re: unable to reach peer end public IP via vpn tunnel

MohammedAsik — Sat, 08 Feb 2020 06:09:16 GMT

Hi Svelez

Yes I have security rule to allow from inside to vpn zone. Please find the below security rule and static route for respective tunnel traffic

144.250.3.222/32 0.0.0.0 10 A S tunnel.10

Re: unable to reach peer end public IP via vpn tunnel

SutareMayur — Mon, 10 Feb 2020 08:03:06 GMT

@MohammedAsik hey, are you still facing issues?

- Mayur

Re: unable to reach peer end public IP via vpn tunnel

MohammedAsik — Tue, 11 Feb 2020 08:35:36 GMT

Hi Mayur

Yes, still I am facing this issue

Re: unable to reach peer end public IP via vpn tunnel

SutareMayur — Wed, 12 Feb 2020 02:59:25 GMT

@MohammedAsik,

We can check it once over zoom or webex if you want.

- Mayur

Re: unable to reach peer end public IP via vpn tunnel

MohammedAsik — Wed, 12 Feb 2020 08:26:02 GMT

Hi Mayur

Issue got resolved after added the IP on tunnel interface.and PBF policy.I followed the below KB article.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIeCAK

Thanks for your support.

regards

Mohammed Asik

Re: unable to reach peer end public IP via vpn tunnel

SutareMayur — Wed, 12 Feb 2020 09:11:30 GMT

That's great !

Mayur