topic Re: Site-to-Site VPN private subnets cannot ping eachother through the tunnel in General Topics

Site-to-Site VPN private subnets cannot ping eachother through the tunnel

Palobeacon — Thu, 03 Jun 2021 12:47:23 GMT

I am new to learning Palo Alto Firewalls. I have a couple of PA-8.0.0 virtual machine instances setup on my desktop with internet access through my home network on a Windows 10 host machine, for learning purposes. I configured site-to-site vpn and can get the tunnel up, both phase1 and phase2. The firewalls can ping eachother’s external IP addresses but their respective internal private hosts cannot ping eachother through the tunnel. The configuration seems fine and nothing in the system logs indicate any drops or disconnection. Am I missing a security policy or what else needs doing? I have security policies configured on each firewall to allow traffic out to the external untrust zone. Any assistance will be appreciated.

Re: Site-to-Site VPN private subnets cannot ping eachother through the tunnel

BPry — Thu, 03 Jun 2021 15:41:57 GMT

@Palobeacon,

Did you setup static routes so that the firewall knows how to route the traffic through the IPSec tunnel? Do you have a security rulebase entry allowing traffic to actually process across the IPSec tunnel zone that you added?

If you haven't already, override your interzone-default security entry to log denied traffic so you can see if it's a security entry that is missing or not.

Re: Site-to-Site VPN private subnets cannot ping eachother through the tunnel

OtakarKlier — Thu, 03 Jun 2021 16:51:55 GMT

Hello,

Also make sure your policies are set log log at session end. Make sure there are policies to allow the traffic to traverse the zones if you configured them.

Regards,

Re: Site-to-Site VPN private subnets cannot ping eachother through the tunnel

Palobeacon — Thu, 03 Jun 2021 18:54:59 GMT

Thanks for your assistance. There's been some progress. I do have static routes setup for both firewalls. I also have security rules setup. I checked the settings based on your suggestions and adjusted the rule for outbound traffic from site 2. I also configured proxy-id for both firewalls just in case (it does say it is not needed if they are both PA firewalls).

So now site 2 internal hosts can ping through the tunnel to site 1 internal hosts but for some reason, site 1 hosts cannot ping to site 2 host. The configurations are the same.

Re: Site-to-Site VPN private subnets cannot ping eachother through the tunnel

Palobeacon — Thu, 03 Jun 2021 19:06:59 GMT

I think site 2 firewall may be missing a security policy. The internal hosts are able to ping site 1 internal hosts. However, I have now noticed that site 2 internal hosts cannot reach the webserver in the DMZ zone of site 1 even though it is accessible by hosts from other locations. I do have a security policy on the site 1 firewall that allows access to the server from the outside.

Thanks for your assistance.

Re: Site-to-Site VPN private subnets cannot ping eachother through the tunnel

Palobeacon — Sun, 06 Jun 2021 23:18:42 GMT

Thanks all, for your assistance. I adjusted the security policy to allow traffic to pass through the tunnel. Both sites can communicate through the tunnel now. Everything is working fine.

Thank you all