We are having a annoying issue :S We have configured a tunnel routed-based between PA (7.0.6) to Microsof azure. The tunnel is up but we are detecting several problems.
1) The transfer speeds are very low, fluctuate and are nothing stable: When we try to move a file using this tunel from Azure to one of our servers in PA, the transfer speed is so slow (200-300Kb/s). But if we use a RAD (windows machine which go up the tunnel) the transfer speed is 7Mb/s). Why the speed is slow if the PA bring up th tunnel?
2) The Azure server is not reaching internet through this tunnel. In addition, the server is still unable to navigate to the outside. We do not see in PA that traffic comes to us from Azure.
Coming from Azure, we only see in PA connections to internal networks, when all traffic from Azure (to internal or to EXTERNAL) should go in the tunnel.
If we want that this Azure server goes to internet using this tunnel its necessary to configure tunnel ikev2 and dynamic.These are requisites of Microsoft Azure. WE have configured all of this but we cant reach internet using tunel to PA.
We have tried to changed the MTU and several paramethers in VPN but its stilll hapening......any idea???'
thanks a lot
So that the server can browse to the outside our tunnel, the tunnel need to talk IKEv2 and that is dynamic, are the requirements of Azure.
Yes you are right. In order to initiate the tunnel in IKE-V2, we have to create the dynamic-gateway in AZURE side. On PAN FW we can change the IKE version based on requirement.
1) Regardig the throughput, if you take pcap on the PAN firewall, are you observing many re-trenasmission/fragmentation ...? That could lead towars the low throughput. Also, could you please choose low profile encription keys for the phase-2 negotiation i.e AES-128. This will reduce a small amount of encription/decryption overhead.
2) We need to take a look at the routing part. If you do a traceroute to a public IP i.e 184.108.40.206, where the packets are getting stuck...? ( Traceroute to an IP instead of domain-name will eleminate any issue with DNS )
I see these lines in drop p.cap capture
A lot of TCP Previous segment not captured
In firewall pcap i see a lot of TCP Dup ACK
receive pcarp shows this:
any news on the second Topic ? As have the same Problem. S2S Tunnel is established, forced tunneling is configured
on Azure side. A Server can reach local Subnets with no Problems but is not able to reach the Internet.
S2S Zone was taken into NAT, a Traceroute is stuck at the PA. Capturing Traffic fills the "Drop" Log.
Thanks for any Input !
Use the following settings for Phase 1/2 and test
use IKEv2 only.
Had similiar issues and Microsoft Support advised to use the following settings after that the traffic flow was good.
Thanks for sharing, unfortunately no change.
Capturing the Traffic (simple Ping to 220.127.116.11 from a Server in Azure), it passes the Firewall is NAT`ed, the Ping Reply hits the external IP of the Firewall and is then dropped.
Seems the Firewall does not know what to do with the Reply.
Any more hints ?
Can firewall ping the server? Can you try to capture 3-way handshake? Initiate any web request from the server to the web and check how Palo sees this session. Does it know how to get back to the server? If yes which interface it uses (tunnel or eth x/x?)
yes the FW can ping the Server (through the Management Interface, which is on the trusted Zone).
All S2S Traffic from on premise to Azure works well, just forced tunneling from azure to the Internet is stuck.
Same as with ping. Capturing the Packets shows the reply doesn´t get back to the Server, so no Handshake is established.
In Traffic Log, the request "ages-out". In Session Browser all looks fine. The "Traverse Tunnel" Flag is set "true".
Maybe I didn´t understood you correctly, what do you mean by "how Palo sees this session" ?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!