This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

ipsec-esp / Protocol 50 invisible in vwire mode ?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

ipsec-esp / Protocol 50 invisible in vwire mode ?

register
L1 Bithead

‎08-27-2013 08:01 AM

We have a Vwire configuration with a paloalto (5.0.6) between a third-party router and the wan port.

Security policy is allow any - any for both directions/security zones, log at session start an end.

Everything works (as expected), all VPN Tunnels on the third party device are up and running, but we dont see any ipsec-esp traffic in the traffic monitor, or ACC stats.

If we make a packet capture on the paloalto we do see that the ipsec-esp packets are passing through the vwire.

We already tried du define two additional rules with ipsec as application - but that does not change anything.

Any hints ?

0 Likes Likes
5 REPLIES 5

kadak
L5 Sessionator

‎08-27-2013 11:29 AM

Hello,

Are we able to see live sessions on the the paloalto for protocol 50?

The command to check that would be:

> show session all filter protocol 50

Regards,

Kunal Adak

0 Likes Likes

register
L1 Bithead
In response to kadak

‎08-27-2013 11:51 PM

yes, we do see them.

0 Likes Likes

sraghunandan
L5 Sessionator

‎08-29-2013 11:22 AM

Can you paste the o/p of the following commands:-

debug log-receiver statistics

show system logdb-quota

show system disk-space

0 Likes Likes

mbutt
L5 Sessionator

‎08-29-2013 11:31 AM

It is possible that the traffic for the ipsec-udp is minimal and the criteria you have set it does not show in that.

Also keep in mind the data is logged at the session end.

Verify that the setting are expanded as per need for Time, sort by and top

Capture.JPG.jpg

Also anther thing you can do is check in the traffic logs to verify if you have logs for it by using the filter.

You can use following filter ( app eq ipsec-esp-udp ) and ( app eq ipsec-esp )

If nothing shows up here then do it based on the traffic rule e.g ( rule eq rule_name )

If the traffic shows up now. Then verify what is the application it is showing. If it is showing up undecided or the actual applicaiton name.

If it is showing up as actual application name then as mentioned above it is just possible that you have minimal traffic for it and it is just now showing up in ACC tab.

Hope this helps.
Thanks

Numan

0 Likes Likes

bdeschut
L4 Transporter

‎08-29-2013 11:13 PM

Perhaps enable logging on session start to check if you see the logs then? When logging on session end, you will only see the log when the session end, so if there are keep alive packets send through the tunnel, you won't see a log.

  • 3762 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks