This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

IPSec-ESP No matching record

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IPSec-ESP No matching record

Go to solution
ClintL
L2 Linker

‎08-26-2014 01:54 PM

The last few weeks I have noticed a large amount of traffic on the Network Monitor coming from IPSec-ESP.  I moved several VPN tunnels off our old WatchGuard to our Palo Alto PA-3020 around the time this started.  When I click on the application itself to filter it I see that it cannot identify anything about the traffic.  Is this normal?  Shouldn't it at least be able to identify the source or destination of the traffic?

ipsec.png

Labels:
0 Likes Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
HULK
L7 Applicator
In response to ClintL

‎08-26-2014 03:21 PM

Hello Clint,

Is there any active session present on this PAN FW..? You may apply below mentioned CLI command:

> show session all filter protocol 50

ACC will give you the live session information, where traffic log will give you session information at the start or end.

Thanks

View solution in original post

15 REPLIES 15

Go to solution
HULK
L7 Applicator

‎08-26-2014 02:04 PM

Hello Clint,

ESP traffic is encrypted, hence, you would not be able to see the content of the packet. There might be an another possibility, if users are conneting through any VPN client, in that case also, firewall will identify as ESP traffic.

Thanks

0 Likes Likes

Go to solution
ClintL
L2 Linker
In response to HULK

‎08-26-2014 02:07 PM

Hey Hulk,

Yeah that's what I figured but it just seems weird it can't even tell where it's coming from.  No VPN clients in this case.  Just regular VPN tunnels.

Thanks!

0 Likes Likes

Go to solution
hshah
L6 Presenter

‎08-26-2014 02:11 PM

Hi Clint,

To get source and destination information of traffic, go to Monitor > Traffic > Type application "IPSec-ESP". You will find number of logs.

You will have to take Educated guess to find out origin of the traffic.

If Origin of the traffic is your own firewall, than dont worry its intended IPsec Traffic.

If not than there should be something behind the firewall, try to locate IP.

Regards,

Hardik Shah

0 Likes Likes

Go to solution
HULK
L7 Applicator
In response to ClintL

‎08-26-2014 02:20 PM

Hello Clint,

You are correct. The ACC report will not show the traffic details i.e source, destination etc. As HArdik said, you can filter traffic in Logs to get details information.

FYI:

ipsec-esp.jpg

Hope this helps.

Thanks

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks