Client VPN traffic and routing over IPsec Tunnel

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Client VPN traffic and routing over IPsec Tunnel

L3 Networker

Hi there,

Here is our scenario that I am trying to figure out.

We have two sites (main office and a rack in a data center) that are connected via PAN-2020's on both sides through a IPsec Tunnel. I am trying to route Client VPN traffic that connects at our main office to go over the site-to-site tunnel to access some web servers there. It seems the traffic goes over the tunnel, but all is marked as incomplete. Below is my it a route metric issue or a routing issue in the Client VPN traffic config? Our VPN clients are obtaining DNS from internal domain controllers. Our web server are defined with internal zones on those domain controllers, that is why I am having this issue. Any help would be appreciated.  Can provide additional details as needed.

Main Office:


Trust Zone - (192.168.x.x/16)

SSL-VPN Zone - (172.x.x.x/24) - no split brained routing (

Site-to-Site Tunnel


Default Route: - metric 10

Trust Zone - metric 5

SSL-VPN Zone - next hop - metric 8

All traffic over tunnel to remote zones - metric 5

Security Policies:

Trust Zone & SSL-VPN zone to Tunnel - allow all traffic

Data Center Rack:


Trust Zone - (10.20.x.x/16)

Untrust Zone - (10.30.x.x/16) - were web servers are

Site-to-Site Tunnel


Default Route: - metric 10

Trust Zone - metric 1

Untrust Zone - metric 1

All traffic over tunnel to remote zones - metric 1

Security Policies:

Trust Zone & Untrust Zone to Tunnel - allow all traffic


L7 Applicator

Hello cmateam,

Incomplete means that either the three way tcp handshake did NOT complete or the three way tcp handshake did complete but there was no data after the handshake to identify the application. In other words that traffic you are seeing is not really an application.

So to explain a little clearer, if a client sends a server a syn and the Palo alto device creates a session for that syn, but the server never sends a syn-ack in response back to the client, then that session would be seen as incomplete.

Could you please share the session detail info here and do packet captures on the firewall at the transmit, receive and drop stage.




Here is the screen shots and packet captures.  Hope this helps.

Packet Captures: Dropbox - PAN (doesn't look like I can upload the packet captures here) this is on the firewall handling the Client VPN traffic)

Traffic on FW handling Client VPN traffic


Receiving FW


Not applicable


wwe have the same network configuration, but I don't know what I need to configure for give the VPN client access to the remote site resources.

Can an any one help me withe the configuration?

thank you.

L6 Presenter

You may try to traceroute from servers to vpn clients and see what is wrong.seems to be routing issue.Try to add a route for a web server and forward its traffic for vpn subnet through tunnel.see if it works

Traceroute helped identify the problem and reading this post: Accessing all company networks with GlobalProtect client - turns out it was a route that needed to be added on the other side to return the traffic back to the client.  Looks like everything is working as expected.

cc: @

  • 5 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!