IPSEC VPN Tunnel Problem



L2 Linker

PAN PA2020 PAN OS 4.16

I have a point to point vpn setup from our company to another company that is hosting our financial application.

We have 10 different proxy IDs set up to limit the subnets that can access the VPN, for example:

[screenshot: proxy.png]

Almost everyday, all proxy ids can access the vpn tunnel with the exception of proxy id 2 or proxy id 3.

Any thoughts?

Thank you in advance...

2 REPLIES

L2 Linker

What is the device on the other side of the VPN?

Do you see any errors in the system log?  Monitor / Logs / System?

If the remote side is a CheckPoint, then it may be joining 192.168.2.0/24 and 192.168.3.0/24 into a larger subnet, 192.168.2.0/23.

--- UPDATE:

I tested this in my lab.  The PAN will report the proxy IDs used during phase 2, even when the negotiation fails.  This makes it much easier to determine if the other side has fat-fingered an encryption domain / crypto-map ACL.

Such a beautiful device.
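As an added illustration of the supernetting problem described in this reply (my own example, not code from the thread or from Palo Alto Networks): a small Python check that compares the PAN's proxy IDs against the peer's encryption domain and flags any entry the peer has folded into a larger subnet, which the PAN cannot match exactly in phase 2. The subnets below are constructed sample values.

```python
from ipaddress import ip_network

# Constructed sample data (not from the thread). Local proxy IDs on the PAN as
# (local_subnet, remote_subnet); the peer's encryption domain is written from
# the peer's point of view, so its "local" is our "remote".
LOCAL_PROXY_IDS = [
    ("192.168.1.0/24", "10.50.0.0/24"),
    ("192.168.2.0/24", "10.50.0.0/24"),
    ("192.168.3.0/24", "10.50.0.0/24"),
    ("192.168.4.0/24", "10.50.0.0/24"),
]
REMOTE_DOMAIN = [
    ("10.50.0.0/24", "192.168.1.0/24"),
    ("10.50.0.0/24", "192.168.2.0/23"),  # peer merged 2.0/24 and 3.0/24 into a /23
]


def _norm(pair):
    return (ip_network(pair[0], strict=False), ip_network(pair[1], strict=False))


def check_proxy_ids(local_ids, remote_domain):
    """Classify each local proxy ID against the peer's encryption domain.

    Returns three lists of labels: exact matches, entries the peer covers only
    with a larger (summarised) subnet, and entries the peer does not cover.
    Only the first group will negotiate a phase 2 SA on the PAN.
    """
    peer = [(r, l) for (l, r) in map(_norm, remote_domain)]  # mirror to our view
    exact, supernetted, missing = [], [], []
    for pair in local_ids:
        ours = _norm(pair)
        label = f"{pair[0]} <-> {pair[1]}"
        if ours in peer:
            exact.append(label)
            continue
        covering = [p for p in peer
                    if ours[0].subnet_of(p[0]) and ours[1].subnet_of(p[1])]
        if covering:
            supernetted.append(f"{label} (peer offers {covering[0][0]} <-> {covering[0][1]})")
        else:
            missing.append(label)
    return exact, supernetted, missing


if __name__ == "__main__":
    for name, group in zip(("exact", "supernetted", "missing"),
                           check_proxy_ids(LOCAL_PROXY_IDS, REMOTE_DOMAIN)):
        print(f"{name}:")
        for entry in group:
            print(f"  {entry}")
```

Entries reported as supernetted are the ones that will show up in the system log as failed phase 2 negotiations on the PAN while the peer believes its configuration is correct.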

L5 Sessionator

a> Check if the routes have been configured pointing to the tunnel interface.

b> Security rules allowing traffic between the inside and tunnel zone.

Also check if the peer device has a rule allowing this traffic.

Check the traffic logs filtering on the source and destination, and include the bytes sent and bytes received columns to see whether the PA is dropping the traffic or we are simply not getting responses.

-Ameya
