IPSEC VPN Tunnel Problem

Reply
L2 Linker

IPSEC VPN Tunnel Problem

PAN PA2020 PAN OS 4.16

I have a point to point vpn setup from our company to another company that is hosting our financial application.

We have 10 different proxy IDs setup to limit subnet's that can access the vpn for example:

proxy.png

Almost everyday, all proxy ids can access the vpn tunnel with the exception of proxy id 2 or proxy id 3.

Any thoughts?

Thank you in advance...

Highlighted
L2 Linker

Re: IPSEC VPN Tunnel Problem

What is the device on the other side of the VPN?

Do you see any errors in the system log?  Monitor / Logs / System?

If the remote side is a CheckPoint, then it may be joining 192.168.2.0/24 and 192.168.3.0/24 into a larger subnet, 192.168.2.0/23.

--- UPDATE:

I tested this in my lab.  The PAN with report the proxy IDs using during phase 2, even when the negotiation fails.  This makes it much easier to determine if the other side has fat fingered a encryption domain / crypto-map ACL

Such a beautiful device.

L5 Sessionator

Re: IPSEC VPN Tunnel Problem

a> Check if the routes have been configured pointing to the tunnel interface.

b>Security rules allowing traffic between the inside and tunnel zone.

Also check if the peer device has a rule allowing this traffic.

Check traffic logs filtering the source and dest, include  the columns bytes sent and received to see if PA is dropping the traffic or if we are not getting responses.

-Ameya

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!