04-16-2017 03:42 PM
What happens behind the scenes when you run..
test vpn ike-sa gateway <name>
or
test vpn ipsec-sa tunnel <name>
Is there a debug which will show you the test packets sent/received?
04-16-2017 08:04 PM - edited 04-16-2017 08:08 PM
test vpn ike-sa gateway <name>
Will negotiate VPN Phase 1 with VPN Peer.
test vpn ipsec-sa tunnel <name>
Will negotiate VPN Phase 1 and if this is successful then Phase 2 with VPN Peer.
If you troubleshoot VPN and try to initiate traffic from a workstation, then you have to have routing and firewall rules correct.
Using those commands helps you verify whether the underlying VPN is set up correctly without checking routing or security policies.
If you use those commands then your firewall is initiator. If VPN config does not match then responder does not tell you what is wrong so not much troubleshooting you can do at initiator side.
If Palo is responder then you can take packet capture to troubleshoot Phase 1 settings and ike pcap to troubleshoot Phase 2.
04-17-2017 03:22 AM
In addition to @Raido_Rattameister's comment, with VPN the only effective way to troubleshoot is to check the logs from the responder side. The responder side will say why the VPN is failing and record everything in the log file, but it will not send this info to the initiator. This is by design. Similarly, we can compare it to when we submit our credentials to the other side: we only see the message "your username or password is incorrect", but the other side has all the records of exactly why.