IPSec / returning ESP packets dropped when terminating interface is in a different zone

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IPSec / returning ESP packets dropped when terminating interface is in a different zone

L0 Member

Hi all,

I have an IPSec tunnel connecting to an old SSG. Tunnel came up successfully and SSG can see the traffic and is returning correctly into the tunnel. However PAN's decrypt counter remains 0. When i did a packet capture, the returning ESP packet is dropped shown below Frame 43 and 47:

dropped-ESP.png

The setup i have is:

 

When i change loopback.1 to zone "outside", everything works. Any suggestion or help is very much appreciated. Thanks in advance.

 

ModelPA-820
Software Version9.0.2-h4

 

Thank you,
Jason

3 REPLIES 3

Cyber Elite
Cyber Elite

I'd recommend leaving the loopback on the untrust as that's the actual place where you want to terminate tunnels

 

Is there a specifc use case for having it in DMZ on a loopback (just curious)

 

have you captured any global counters? these could tell you what exactly is causing the drop

> debug dataplane packet-diag set filter match source <src> destination <dst>
> debug dataplane packet-diag set filter match source <dst> destination <src>
> debug dataplane packet-diag set filter on
> show counter global filter delta yes packet-filter yes (establishes the delta start)
> show counter global filter delta yes packet-filter yes 
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks @reaper 

the only reason is that address (subnet) is supposed to be a DMZ range.

 

I just found this https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsiCAC 

Cause

The issue is the tunnel terminates on an interface in a zone different from where the ESP (Encapsulation Security Payloads) packets originate.


 


i'm curious as to why it is design this way.

and correct me if i'm wrong all IPSec tunnels have to terminate on the same zone as the one on the Internet?

 

i'll get those global counters just to confirm the exact drops and update later.

if you can set the loopback in an IP range that is not configured on the external interface, this issue will likely not happen

I suspect there is a conflict when the packet is received, the destination zone will be determined by using the routing table, the external interface is the actual owner of the ip subnet

if you split up the external subnet and set one segment on the DMZ interface and then set up the loopback in that subnet with the dmz zone, there should not be an issue

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 6754 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!