I have two IPSec tunnels configured. Traffic is flowing between a local interface and each of these two tunnels, but I can't seem to get traffic flowing between the two tunnels.
I have two sites, Site1 and Site2, each with a PA and one external interface. I have an IPSec tunnel between them via the external interface so clients at Site1 can reach clients at Site2 without issue. I also have an IPSec GlobalProtect Gateway configured on the PA at Site1, also via the external interface. GP clients can reach clients at Site1 without issue. I'm trying to get GP clients able to reach clients at Site2.
I have static routes set up, and To/From policies that allow traffic between the GP and Site2 zones on both PAs. The traffic logs are showing "allow", but sessions are "aging-out". I've tried adding the GP network to the site-to-site tunnel's Proxy IDs. I've also tried setting up a "No-NAT" from the GP zone to the Site2 zone on the Site1 PA.
I'm thinking this must have something to do with NAT, but I'm not sure what the answer is. Help is much appreciated.
Seems to be a simple (and yet complex) setup, so let's agree on a few things.
Let's put together some generic site IPs to make things easier.
GP addresses are 10.0.0.0
Site 1 is 172.16.0.0/12
Site 2 is 192.168.0.0/16
First, I believe the step/configuration that you are missing is going to be the routing table.
Your routing table (if properly configured) knows (from Site 1's perspective) that to get to Site 2, it should use the tunnel interface.
This gets traffic from Site 1 to Site 2.
But... GP traffic (from site 1) knows to use the routing table to get across the tunnel interface to get to site 2.
So.. what does Site 2 know about getting BACK to GP?
Its routing table does NOT know about GP (across the VPN).
It would only know about Site 1 subnet and that is NOT the GP subnet.
So... you have 2 choices.
SNAT the traffic from GP to be a Site1 subnet (so 10.x.x.x looks to be 172.16.0.0/12 traffic)
You can add a 2nd route on the Site 2 virtual router, telling it that to get to 10.0.0.0 AND to 172.16.0.0/12, use the tunnel interface and send it back to Site 1.
Because you are going PA fw to PA FW, you do not need any proxy ids.
They should be removed.
I do this all the time in my environments.
If you want to do a remote desktop screen share with Zoom or similar, let me know.
Should be 30 min or less of tshooting to resolve this issue.
Let me know if this helps.
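The reasoning in the reply above, as an added worked example (not from the original thread or from any PAN-OS tooling): a minimal longest-prefix-match lookup run against the Site 1 and Site 2 virtual-router tables, showing that the reply from Site 2 to a GP client falls to the default route until either the return route is added or the GP source is NATed to a Site 1 address. The subnets follow the reply's example values; the GP prefix length (/8), interface names and host addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample prefixes from the thread; the /8 for GP is an assumption.
GP_NET = "10.0.0.0/8"
SITE1_NET = "172.16.0.0/12"
SITE2_NET = "192.168.0.0/16"

def lookup(routes, dst):
    """Longest-prefix match: return the egress interface for dst, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

# Site 1 VR (assumed interface names): Site 2 via the site-to-site tunnel,
# GP clients via the GlobalProtect gateway tunnel, everything else to the internet.
SITE1_ROUTES = [("0.0.0.0/0", "ethernet1/1"), (SITE2_NET, "tunnel.1"), (GP_NET, "tunnel.2")]
# Site 2 VR as the OP first had it: only the Site 1 subnet points back into the tunnel.
SITE2_ROUTES_BEFORE = [("0.0.0.0/0", "ethernet1/1"), (SITE1_NET, "tunnel.1")]
# Site 2 VR after the fix: a second static route sends the GP subnet back through the tunnel.
SITE2_ROUTES_AFTER = SITE2_ROUTES_BEFORE + [(GP_NET, "tunnel.1")]

def flow_is_symmetric(site1_routes, site2_routes, src, dst, snat_to=None):
    """True if Site1->Site2 traffic and the reply both cross tunnel.1.

    snat_to models the other fix from the reply: source-NAT the GP client to a
    Site 1 address, so Site 2 answers an address it already has a route for.
    """
    if lookup(site1_routes, dst) != "tunnel.1":
        return False
    reply_dst = snat_to or src
    # If the reply leaves via the default route instead of the tunnel, the Site 1
    # firewall never sees it and the allowed session just ages out.
    return lookup(site2_routes, reply_dst) == "tunnel.1"

if __name__ == "__main__":
    gp_client, site2_host = "10.0.0.5", "192.168.1.10"
    print(flow_is_symmetric(SITE1_ROUTES, SITE2_ROUTES_BEFORE, gp_client, site2_host))
    print(flow_is_symmetric(SITE1_ROUTES, SITE2_ROUTES_AFTER, gp_client, site2_host))
    print(flow_is_symmetric(SITE1_ROUTES, SITE2_ROUTES_BEFORE, gp_client, site2_host,
                            snat_to="172.16.0.1"))
```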
Thank you, Steve! I was sure I had the route back to the GP network set on the Site2 PA, but lo-and-behold it wasn't there, and that solved it.
And yet somehow removing the Proxy IDs from the tunnel killed it again. Any ideas why those are necessary even though it's PA to PA?
Proxy IDs are used for policy-based (Cisco, CP, Juniper) to route-based (PANW) firewalls.
Definitely NOT needed, after installing multiple PANW firewalls, and 9 years as PANW certified training instructor.
Now, it is conceivable that your tunnels should be cleared and re-established to flush out any miscellaneous SPI/SPD info.
Let me know!