https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-cannot-ping-across-the-tunnel-both-ph1-and-ph2-tunnels/m-p/355958#M87597 <P>Hi BPry - Yes I have static routing configured as well as management profile assigned on our side. I am not sure what Vendor side is configured with but they are saying it looks all good on their side.</P> Tue, 13 Oct 2020 01:32:05 GMT Rutvij 2020-10-13T01:32:05Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-cannot-ping-across-the-tunnel-both-ph1-and-ph2-tunnels/m-p/355922#M87589 <P>Hi All,</P><P>&nbsp;</P><P>I have set up an IPSec VPN tunnel which seem to be up, however, i cannot ping from my local LAN IP on tunnel interface to the other side LAN interface of the tunnel. NOTE - Other end of the tunnel is terminated on ISP network where we are using their MPLS network to connect our global sites.</P><P>&nbsp;</P><P>My side palo alto firewall has tunnel.11 interface with 10.10.8.17/30 ip address and the other end at ISP has been configured with 10.10.8.18/30</P><P>&nbsp;</P><P>rutvijb@pa-fw(active)&gt; ping source 10.10.8.17 count 5 host 10.10.8.18<BR />PING 10.10.8.18 (10.10.8.18) from 10.10.8.17 : 56(84) bytes of data.</P><P>--- 10.10.8.18 ping statistics ---<BR />5 packets transmitted, 0 received, 100% packet loss, time 4010ms</P> Mon, 12 Oct 2020 23:10:53 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-cannot-ping-across-the-tunnel-both-ph1-and-ph2-tunnels/m-p/355922#M87589 Rutvij 2020-10-12T23:10:53Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-cannot-ping-across-the-tunnel-both-ph1-and-ph2-tunnels/m-p/355952#M87592 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/149722">@Rutvij</a>,</P> <P>Do you have a route configured for the traffic? Do you have an interface management profile assigned to the interface on each device that actually allows ICMP/Ping?&nbsp;</P> Tue, 13 Oct 2020 00:26:24 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-cannot-ping-across-the-tunnel-both-ph1-and-ph2-tunnels/m-p/355952#M87592 BPry 2020-10-13T00:26:24Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-cannot-ping-across-the-tunnel-both-ph1-and-ph2-tunnels/m-p/355958#M87597 <P>Hi BPry - Yes I have static routing configured as well as management profile assigned on our side. I am not sure what Vendor side is configured with but they are saying it looks all good on their side.</P> Tue, 13 Oct 2020 01:32:05 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-cannot-ping-across-the-tunnel-both-ph1-and-ph2-tunnels/m-p/355958#M87597 Rutvij 2020-10-13T01:32:05Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-cannot-ping-across-the-tunnel-both-ph1-and-ph2-tunnels/m-p/355959#M87598 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/149722">@Rutvij</a>,</P> <P>So I hate to blame it on the other side, but this configuration is relatively straight forward. Configure the IP address on the tunnel interface, configure the routing, verify that the security rulebase is properly permitting the traffic, and lastly verify that the tunnel interface accepts ping from the IP address that you are testing from.</P> <P>I would just verify with the folks running the other device that they've actually verified the security rulebase on their end is allowing the traffic, that the interface-management-profile actually allows ping, and that they haven't configured permitted IPs on that interface-management-profile.&nbsp;</P> <P>As long as that all looks good on both sides, this really should "just work" from a configuration standpoint.&nbsp;</P> Tue, 13 Oct 2020 02:07:02 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-cannot-ping-across-the-tunnel-both-ph1-and-ph2-tunnels/m-p/355959#M87598 BPry 2020-10-13T02:07:02Z