Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Ipsec proxy Tunnel issue with multiple tunnels

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Ipsec proxy Tunnel issue with multiple tunnels

HI Team,

 

I have configure Ipsec between PA and Cisco ASA, IPSEC is up but not traffic is passing. 

 

During the troubleshooting I have found for the proxy ID's configure in palo alto for some of the proxy id's only encapulation packet paloalto is sending and there is no decapusulation packet increasing for the proxy tunnel.

 

But in the same Ipsec tunnel other proxy ID's are working fine. My firewall is running 8.0.13 which is recommened by Palo alto.

 

Replay protection is already disabled, Phase 1 is having 24 hours and Phase 2 has 1 hour life time.

 

I'm not seeing issue in negotiation, The proxy tunnel which is having issue is in the init state in PA side when analysing through command show vpn ikesa gateway  gatewayname.

 

Please suggest what can be done further to check this issue.

 

Regards

Venky

3 REPLIES 3

HI Guys,

 

Do anyone able to get my issue

 

 

Hi @Venkatesan_radhakrishnan,

 

If you can see statistics for encrypted packets, this means that the IPsec SA for the problematic proxy ids are successfully negotiated and Palo Alto firewall is actually sending traffic through the tunnel.

 

So I would say that your problem is most probably on the other and of the tunnel - on the ASA. IPsec SA are up, which means the VPN settings are correct, BUT: Can you confirm that the traffic from the tunnel is allowed on the ASA? Can you confirm the rest of the path has a correct route back to the ASA? Is there any NAT applied on the tunnel traffic on the ASA?

 

Having the fact that you have some proxy ids up and running eliminates any issues with phase1 setting and peer reachability
Having the fact that the problematic proxy ids are also up, but you see only uni-directional traffic eliminates any issues with phase2 encryption domains/selectors.

 

 

HI Alex,

 

Thanks for your reply, I will look on the ASA side. 

 

I can understand this point Can you confirm the rest of the path has a correct route back to the ASA

 

I will check the remaning asap.

 

  • 2619 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!