Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
07-12-2019 03:20 AM
Hi all,
I have an IPSec tunnel connecting to an old SSG. Tunnel came up successfully and SSG can see the traffic and is returning correctly into the tunnel. However PAN's decrypt counter remains 0. When i did a packet capture, the returning ESP packet is dropped shown below Frame 43 and 47:
The setup i have is:
When i change loopback.1 to zone "outside", everything works. Any suggestion or help is very much appreciated. Thanks in advance.
| Model | PA-820 |
| Software Version | 9.0.2-h4 |
Thank you,
Jason
07-18-2019 02:51 AM
I'd recommend leaving the loopback on the untrust as that's the actual place where you want to terminate tunnels
Is there a specifc use case for having it in DMZ on a loopback (just curious)
have you captured any global counters? these could tell you what exactly is causing the drop
> debug dataplane packet-diag set filter match source <src> destination <dst> > debug dataplane packet-diag set filter match source <dst> destination <src> > debug dataplane packet-diag set filter on > show counter global filter delta yes packet-filter yes (establishes the delta start) > show counter global filter delta yes packet-filter yes
07-18-2019 06:36 PM
Thanks @reaper
the only reason is that address (subnet) is supposed to be a DMZ range.
I just found this https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsiCAC
CauseThe issue is the tunnel terminates on an interface in a zone different from where the ESP (Encapsulation Security Payloads) packets originate.
i'm curious as to why it is design this way.
and correct me if i'm wrong all IPSec tunnels have to terminate on the same zone as the one on the Internet?
i'll get those global counters just to confirm the exact drops and update later.
07-19-2019 04:52 AM - edited 07-19-2019 04:53 AM
if you can set the loopback in an IP range that is not configured on the external interface, this issue will likely not happen
I suspect there is a conflict when the packet is received, the destination zone will be determined by using the routing table, the external interface is the actual owner of the ip subnet
if you split up the external subnet and set one segment on the DMZ interface and then set up the loopback in that subnet with the dmz zone, there should not be an issue
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
