site to site vpn issue


L4 Transporter

Hi Friends,

I have a PA-2020 running PAN-OS 6.0.4 on one side and a Juniper on the other end. The tunnel is showing Up, but traffic is not passing.

Regards

Satish

Accepted Solutions

L4 Transporter

Hi Friends,

After reviewing the configuration, the Tech Team gentleman (Rafal) suggested getting rid of the firewall SNATing and DNATing of traffic originated by or targeted to the firewall, and putting the public IP directly on the loopback interface. This greatly simplifies the configuration, and it can be causing IPSEC issues. After we committed the change both proxy IDs came up properly and traffic was passing on both of them. Thanks Rafal :) :)

Regards

Satish


L5 Sessionator

Hi Satish,

Please check routing on both sides. On the Palo Alto side, routing should say that to reach the remote subnet, exit via the tunnel interface.

[Image: tunnel_route.JPG]

This should be taken care of on the remote side as well. Hope this helps. Thank you.

L7 Applicator

Hello Satish,

You may check from the CLI as well whether the IPSec phase-1 and phase-2 status are showing UP. You may clear the VPN tunnel once and try to re-negotiate it again.

> show vpn ipsec-sa tunnel <tunnel name>

> show vpn ike-sa gateway

> clear vpn ike-sa gateway XXXXX    (clears the IKE SAs)
Delete IKEv1 IKE SA: Total 1 gateways found.

> clear vpn ipsec-sa tunnel XXXXXX
Delete IKEv1 IPSec SA: Total 1 tunnels found.

> test vpn ike-sa gateway XXXXXX
Initiate IKE SA: Total 1 gateways found. 1 ike sa found.

> test vpn ipsec-sa tunnel XXXXXX
Initiate IPSec SA: Total 1 tunnels found. 1 ipsec sa found.

> show vpn flow    (get the tunnel ID from this command)

> show vpn flow tunnel-id x    (where x = the ID number from the display above; this command shows whether packets are being encapsulated and sent through the tunnel, with the respective counters)

NOTE:

--- Make sure you have a static route configured on both firewalls to route interesting traffic through the VPN tunnel (as mentioned above by ssharma).

--- You have the correct security policy in place, from the VPN zone to the outgoing zone.

Hope this helps.

Thanks

L7 Applicator

Hi Hulk, everything looks correct but I am able to find out the issue. Regards, Satish

Hi Satish,

Run a continuous ping from behind the firewall. Check the session on the firewall:

> show session all filter source <local ip> destination <peer ip>

You should see the ping session; check if the interfaces are correct, meaning it should ingress from your ethernet interface and egress out of the tunnel interface. If that is correct, then run the following:

> show vpn flow tunnel-id <tunnel-id> | match bytes

Run this command multiple times and check if the encap and decap packets/bytes are incrementing. Hope this helps. Thank you.

Hi Dude, let me check and get back to you. Regards, Satish

Hi Satish ,

Can you check NAT Traversal under Network -> IKE Gateway -> NAT Traversal, commit the changes and see if that makes any difference. Thank you.

Hey Satish,

To add to Samir's comment: if the encaps are incrementing but the decaps remain at 0 in the > show vpn flow tunnel-id <tunnel-id> output, then it might be an issue with the zones associated with the actual tunnel traffic.

To understand this better: if the interface configured for the IKE Gateway is Ethernet1/1 in the UNTRUST zone but the ESP packets actually travel in and out of the firewall through Ethernet1/10 in the WAN zone, that configuration would not work.

Both interfaces would need to be in the same zone for the tunnel to successfully forward traffic.

See VPN Tunnel Traffic Encapsulation Incrementing but no Decaps for more details on this issue.

Regards,

tasonibare
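A small parser that automates the counter check from Hulk's, Samir's and tasonibare's replies above: it reads two snapshots of `show vpn flow tunnel-id <id>` taken a few seconds apart during a continuous ping and maps the encap/decap deltas to the causes discussed in this thread (no route into the tunnel, encaps without decaps, or a counter reset after clearing the SA). This is an added example, not code from the thread or from Palo Alto Networks; the counter label layout is assumed from the `| match bytes` filter used above, and the snapshots, addresses and values are constructed.

```python
import re

# Counter lines as printed by 'show vpn flow tunnel-id <id>' (the labels that
# '| match bytes' in the thread keys on); the exact output layout is assumed.
COUNTER_RE = re.compile(r"^\s*(encap|decap) (packets|bytes):\s+(\d+)\s*$", re.MULTILINE)

# Constructed snapshots taken a few seconds apart during a continuous ping;
# addresses and counter values are made up.
SNAPSHOT_1 = """\
TunnelId: 1  type: IPSec
        name: to-juniper
        local ip: 203.0.113.10
        peer ip: 198.51.100.20
        encap packets:   1200
        decap packets:   0
        encap bytes:     144000
        decap bytes:     0
"""
SNAPSHOT_2 = (SNAPSHOT_1.replace("encap packets:   1200", "encap packets:   1260")
                        .replace("encap bytes:     144000", "encap bytes:     151200"))

# Where each delta pattern points, following the replies in this thread.
ADVICE = {
    "HEALTHY": "encap and decap both increment; the tunnel forwards, look past it",
    "NO_TRAFFIC": "nothing enters the tunnel: check the static route via the tunnel interface and the security policy",
    "ENCAP_ONLY": "ESP leaves but nothing returns: check remote route/policy, NAT traversal, and that the IKE gateway interface and the ESP-carrying interface share a zone",
    "DECAP_ONLY": "remote side sends but local never encapsulates: check the local route and security policy",
    "RESET": "a counter went backwards (tunnel cleared or renegotiated); resample",
}

def parse_counters(output):
    """Return {'encap packets': n, ...} from one snapshot; fail loudly if absent."""
    counters = {f"{d} {u}": int(v) for d, u, v in COUNTER_RE.findall(output)}
    missing = {"encap packets", "decap packets"} - set(counters)
    if missing:
        raise ValueError(f"counters not found in output: {sorted(missing)}")
    return counters

def classify(before, after):
    """Compare two snapshots and return one of the ADVICE keys."""
    b, a = parse_counters(before), parse_counters(after)
    d_enc = a["encap packets"] - b["encap packets"]
    d_dec = a["decap packets"] - b["decap packets"]
    if d_enc < 0 or d_dec < 0:
        return "RESET"
    if d_enc == 0 and d_dec == 0:
        return "NO_TRAFFIC"
    if d_dec == 0:
        return "ENCAP_ONLY"
    if d_enc == 0:
        return "DECAP_ONLY"
    return "HEALTHY"
```

Paste the two CLI outputs into the snapshot strings and print `ADVICE[classify(first, second)]`; the ENCAP_ONLY result is the case tasonibare describes.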
