VPN with FQDN denying IKE 500



Hello,

I'm trying to set up an IPsec VPN with a FortiGate which has a dynamic IP as gateway.

I have a security policy which allows all packets from the dynamic IP (FQDN), but if I type the command 'show log traffic src in x.x.x.x' I can see that I have an incoming request which the Palo Alto denies.

The weird thing is that this allow rule contains all the other VPN gateways, which have static IP addresses, and the only difference is that this one is defined with an FQDN.

Any help would be greatly appreciated.

Thank you,

Chris

5 replies

L4 Transporter

Dynamic like constantly changing or dynamic like a DHCP lease?

I think the FQDN job runs every 30 minutes or after a commit.

So it's not constantly asking for the IP of the FQDN.

Thank you for your reply.

It's just a DSL connection with a dynamic IP and a TTL value of 86400.

I could see from the console that the FQDN was correctly resolving to the new IP address.

Another weird behavior: I forced the active unit into suspend mode, and when the passive unit became active, the VPN worked! Then I switched the units again and it was still working. The two configurations were synchronized correctly and there was no configuration change at all...

This morning all IPsec VPNs are working except this one with the dynamic IP.
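The mechanism behind the two posts above (an FQDN address object that is re-resolved by a scheduled job roughly every 30 minutes or on commit, versus a DSL peer whose public IP changes in between) is easier to see in a small simulation. The following is an added example written for this thread; it is not PAN-OS code and not anything the posters ran. The hostnames, addresses, timestamps and the 1800-second refresh interval are constructed assumptions taken from the discussion, and `refresh_all` stands in for whatever re-resolves every object on a commit.

```python
"""Constructed simulation (added example, not PAN-OS code) of how a security
policy that references an FQDN address object behaves when the peer's public
IP changes between scheduled FQDN refreshes.  Hostnames, addresses and the
30-minute refresh interval are assumptions taken from this thread."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

IKE_PORT = 500           # UDP/500, the IKE traffic the poster saw being denied
DEFAULT_REFRESH = 1800   # assumed 30-minute scheduled FQDN refresh


class Dns:
    """Stand-in resolver: a mutable FQDN -> IP list table (constructed data)."""

    def __init__(self, records: Dict[str, List[str]]):
        self.records = dict(records)

    def resolve(self, fqdn: str) -> List[str]:
        return list(self.records.get(fqdn, []))


@dataclass
class FqdnObject:
    """FQDN address object: policy matches the IPs cached at the last refresh,
    not a fresh DNS lookup per packet."""
    name: str
    fqdn: str
    cached: Set[str] = field(default_factory=set)
    last_refresh: Optional[int] = None

    def refresh(self, dns: Dns, now: int) -> None:
        self.cached = set(dns.resolve(self.fqdn))
        self.last_refresh = now


@dataclass
class Rule:
    name: str
    sources: List[FqdnObject]
    dst_port: int
    action: str


class Firewall:
    def __init__(self, rules: List[Rule], dns: Dns, refresh_interval: int = DEFAULT_REFRESH):
        self.rules = rules
        self.dns = dns
        self.refresh_interval = refresh_interval
        self.traffic_log: List[tuple] = []

    def _objects(self) -> List[FqdnObject]:
        seen = {}
        for rule in self.rules:
            for obj in rule.sources:
                seen[obj.name] = obj
        return list(seen.values())

    def refresh_all(self, now: int) -> None:
        """What a commit (or an operator-triggered refresh) does: re-resolve every object."""
        for obj in self._objects():
            obj.refresh(self.dns, now)

    def _scheduled_refresh(self, now: int) -> None:
        """The periodic job: only objects whose interval has elapsed get re-resolved."""
        for obj in self._objects():
            if obj.last_refresh is None or now - obj.last_refresh >= self.refresh_interval:
                obj.refresh(self.dns, now)

    def evaluate(self, now: int, src_ip: str, dst_port: int) -> str:
        """Match one packet against the rulebase and record a traffic-log entry."""
        self._scheduled_refresh(now)
        for rule in self.rules:
            if rule.dst_port == dst_port and any(src_ip in o.cached for o in rule.sources):
                self.traffic_log.append((now, src_ip, dst_port, rule.name, rule.action))
                return rule.action
        # nothing matched: the implicit interzone default denies and logs
        self.traffic_log.append((now, src_ip, dst_port, "interzone-default", "deny"))
        return "deny"


def run_scenario() -> Dict[str, str]:
    """Walk the timeline from this thread: commit, lease change, refresh, manual refresh."""
    dns = Dns({"fgt.dyn.example.net": ["203.0.113.10"]})      # constructed record
    peer = FqdnObject("fortigate-peer", "fgt.dyn.example.net")
    fw = Firewall([Rule("allow-vpn-peers", [peer], IKE_PORT, "allow")], dns)
    fw.refresh_all(now=0)                                    # commit at t=0

    out = {}
    out["before_change"] = fw.evaluate(0, "203.0.113.10", IKE_PORT)
    dns.records["fgt.dyn.example.net"] = ["198.51.100.7"]   # DSL lease renews, DNS updated
    out["stale_cache"] = fw.evaluate(600, "198.51.100.7", IKE_PORT)
    out["after_scheduled_refresh"] = fw.evaluate(1800, "198.51.100.7", IKE_PORT)
    dns.records["fgt.dyn.example.net"] = ["192.0.2.44"]     # lease changes again
    out["stale_again"] = fw.evaluate(1900, "192.0.2.44", IKE_PORT)
    fw.refresh_all(now=1900)                                 # operator forces a refresh
    out["after_manual_refresh"] = fw.evaluate(1901, "192.0.2.44", IKE_PORT)
    return out


if __name__ == "__main__":
    for key, verdict in run_scenario().items():
        print(f"{key:>24}: {verdict}")
```

The `traffic_log` entries tagged `interzone-default` / `deny` are the shape of what the poster sees with `show log traffic src in x.x.x.x`: the packet is logged, but against the default deny rather than the allow rule, because the rule's FQDN object still holds the previous address. In the simulation `refresh_all` is the counterpart of a commit; on the real PAN-OS CLI `request system fqdn refresh` forces the same re-resolution without a commit. One caveat the simulation does not model: the 86400-second TTL the poster mentions means any caching resolver between the firewall and the authoritative server may keep serving the old record for up to a day, so even a refresh can come back with the stale address unless the firewall's resolver sees the updated record.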

Assuming that the FortiGate is initiating the VPN, you should get very useful debugging messages in the Palo Alto device's system logs regarding the reason for the VPN initiation failure.

Have you tried that route for debugging the issue?

-Benjamin

Yes, the FortiGate initiates the VPN connection, but the weird thing is that I don't see any logs under Monitor -> System. I can see it only under Monitor -> Traffic, where the firewall denies the specific packet (IKE 500).

When switching the HA pair from active to passive, I can see normal logs and the VPN is working until the public IP address changes on the FortiGate...

I think it has to do with the FortiGate and the way it initiates the VPN connection...?

Thank you,

Chris

If this continues to be a problem you should open a ticket with support.

SK
