Active tunnel

infotech · ‎06-30-2014

I have created site to site vpn tunnels from a palo alto 3020 to ASA 5505 firewalls. The show green and active through the CLI and the web console. But when I try to ping a server on the other side of the tunnel I get no reply, is the tunnel up? Is it really passing traffic?

infotech · ‎07-01-2014

I will check and see

infotech · ‎07-01-2014

It was proxy id's. I removed some and corrected some and now it pings Thanks

hshah · ‎07-01-2014

Gr8... Thanks alot for detailed information...

infotech · ‎07-01-2014

I take it back it went down again and the same time as always at 2:40 pm CST and it will come back up again tonight, So its still not working right

hshah · ‎07-01-2014

If proxy ids are diff., tunnel will not come up.

Proxy ID is one of the phase-2 parameter.

infotech · ‎07-02-2014

Its not that the tunnel won't come up but it goes down every day at the same time and then is back up and working in the morning no matter what the prosy id's are set.

hshah · ‎07-02-2014

It means re-key negotiation is not working fine. Tunnel is between different vendors, so sometimes re-key could be the issue.

hshah · ‎07-02-2014

Check the PFS settings, or make sure key negotiation time is exactly same on both the firewalls.

infotech · ‎07-02-2014

Where are the PFS settings?

hshah · ‎07-02-2014

In Phase-II if you select group2 or any group, that is considered as a PFS.

Make sure its disabled or enabled on both the devices.

HULK · ‎07-02-2014

Example from GUI:

Thanks

infotech · ‎07-02-2014

Okay why would I want to disable that?

hshah · ‎07-02-2014

Hello Infotech,

We said It should be Either Enabled or Disabled on both the end.

Lets say if you want to keep it Enable on PAN then make sure its enabled on peer as well.

Regards,

hardik Shah

infotech · ‎07-02-2014

I checked and they are set the same

Unlock your full community experience!

Active tunnel

Active tunnel

Show your appreciation!