Active tunnel

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Active tunnel

L4 Transporter

I have created site to site vpn tunnels from a palo alto 3020 to ASA 5505 firewalls. The show green and active through the CLI and the web console. But when I try to ping a server on the other side of the tunnel I get no reply, is the tunnel up? Is it really passing traffic?

28 REPLIES 28

I will check and see

It was proxy id's. I removed some and corrected some and now it pings Thanks

Gr8... Thanks alot for detailed information...

I take it back it went down again and the same time as always at 2:40 pm CST and it will come back up again tonight, So its still not working right

If proxy ids are diff., tunnel will not come up.

Proxy ID is one of the phase-2 parameter.

Its not that the tunnel won't come up but it goes down every day at the same time and then is back up and working in the morning no matter what the prosy id's are set.

It means re-key negotiation is not working fine. Tunnel is between different vendors, so sometimes re-key could be the issue.

Check the PFS settings, or make sure key negotiation time is exactly same on both the firewalls.

Where are the PFS settings?

In Phase-II if you select group2 or any group, that is considered as a PFS.

Make sure its disabled or enabled on both the devices.

Example from GUI:

PFS.PNG

Thanks

Okay why would I want to disable that?

Hello Infotech,

We said It should be Either Enabled or Disabled on both the end.

Lets say if you want to keep it Enable on PAN then make sure its enabled on peer as well.

Regards,

hardik Shah

I checked and they are set the same

  • 7466 Views
  • 28 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!