Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
09-04-2013 06:46 AM
Hi
I have configured an fixed IP sec VPN tunell on my PA 500. The tunell comes up OK, and I can ping an traceroute an IP adress on the network I am connectod too, through the vpn tunell. But Packet loss lies between 20 and 40 % running ping tests.
We experience the same thing on both sides of the tunell.
what can be wrong here, to me it seems like the vpn config is OK, but that it may be a routing or policy issue, but since 60-80% of the packets are actually coming through, then I dont think it is routing or policy either.
can it be an issue with ARP tables, if so will a reeboot of the firewall help, or should I reboot our ADSL modem\internet connection ?
I am not familiar with the use of "tunel monitor" - but could it be a solution there ?
knut
09-04-2013 08:23 AM
Hello,
The following document explains tunnel monitoring and DPD feature on the Palo Alto:
Dead Peer Detection and Tunnel Monitoring
As far as improving IPsec performance, you can try adjusting TCP MSS value on the interface associated with that IPsec tunnel. Please refer the following document for the same:
How to Improve Performance for IPSEC Traffic in PANOS 4.0 and above.
Hope that helps!
Regards,
Kunal Adak
09-09-2013 05:52 AM
Thx Kunal,
it did not solve this case, it was only a matter of old\filled up ARP tables, because a reboot of ISP router and PA 500 made it work, but it is intresting pdfs because I configure these kind of tunells often
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
