I can reach a subnet trough a tunnel without proxy ID

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

I can reach a subnet trough a tunnel without proxy ID

L3 Networker

Hello Community,


I´m having a strange behavior after configuring an IPSec tunnel, the situation is that I can ping a subnet trough the tunnel which hasn´t a proxy ID. This subnet has an entry in the virtual router and the tunnel interface points to it, there´s also a
security policy which allows this traffic but as far as I know if this subnet has no proxy ID the communication trough the tunnel wouldn´t be possible. In summary:


To reach the subnet A.B.C.X trough an IPSec tunnel I configured:
- IPSec tunnel (IKE Gateway, IPSec Crypto Profile, tunnel interface, ---> Proxy ID)
- Security rule
- virtual router


The strange behavior is that I can ping a subnet A.B.C.Y trough the same tunnel, but there isnt ProxyID for this subnet in the tunnel, only a route in the virtual router with the tunnel interface pointing to the subnet A.B.C.Y


Any ideas about why this may be happening??


Thank you in advance,



L7 Applicator

Hi @Carracido


  • PAN-OS version?
  • IKEv1 or v2?


So you already have one proxy ID configured and traffic is also flowing between subnets without proxy ID? Did you check the tunnel status and the IPSec SAs on the cli to see what phase 2 tunnel is established?


L6 Presenter



PA uses interface (route-based) to encrypt all traffic or going into the tunnel. Proxy IDs are needed to establish P2 and if peer side is policy-based VPN FW/Router. Is your peer configured for policy or route based VPN? 

You still have an option to deny that traffic with the security policy 

Cyber Elite
Cyber Elite


Whatever your peer is appears to also be a route based system, which means you don't really need proxy IDs. My current list of route-based is Firewalls that support route-based Firewalls: Palo Alto Firewalls, Juniper SRX, Juniper Netscreen, and Checkpoint but there could be more that I simply haven't come across yet. 

L7 Applicator

Yes, with route based VPN Proxy IDs aren't needed but if you do have one configured, there shouldn't be an SA in addition to the configured proxy ID. Of course route based with is the best way to configure it, but thats, as I understood, not the point.

And because of the described situation I assume @Carracido uses IKEv2

As mentioned you don't need Proxy ID with Palo.

If you leave it blank it will still send it over but in form of

If you want to seperate different subnet traffic into different tunnels you can still use Proxy ID with between 2 route based VPN devices also as it might give some performance advantages 🙂

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L3 Networker

Hi guys,


I thank you all for answering.


I´m using IKEv1 with route-based peers, thank to your answers I can confirm that I don´t need Proxy IDs for this scenario.

Thanks and Regards,


Could you explain the point with the performance advantages with proxy IDs?

Different SA associations can be processed by different CPUs in the firewall.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Ah ok, so only something to consider with the bigger PA series 😉

I would not worry about it yes.

With PA200 and single core does not have any reason.

Also low vpn volume is not worth effort to play with ProxyID.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011


Am I right that this only matters starting with the 5000 series and for example on a 5050 is you have more than 2 Gbps of IPsec traffic (-> more than half of the platform max IPsec throughput of 4 Gbps) and all this in one VPN connection

  • 11 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!