05-06-2022 08:29 AM
We've done plenty of s2s IPSEC VPN tunnels between our DC firewalls and branch offices. I have a new branch office which we are configuring the same way as the others, yet the IPSEC VPN is not operating as expected. The tunnel is showing as up and the IKE Phase 1 & 2 are successful. However, on both firewalls, when I go into Tunnel Info all I'm showing is packets & bytes being encapsulated with the number incrementing but the decap column stays at 0.
Has anyone experienced this issue and what have you done to resolve? I've confirmed my configuration looks good, I've rebooted the ESXi host, and rebooted the firewall.
05-06-2022 08:34 AM
Hi Mate,
you would need to check the filtered global counters.. Good article on same below
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUyCAK
MTU, replay attack issue or possible environmental issue with the esxi host or networking i suspect.
regards
Rob
05-06-2022 09:06 AM
Thanks for that article. I did forget to mention that I tried enabled replay protection on both ends and also disabling replay protection on both ends with no success and still getting the flow_tunnel_decap_err.
I have a case open with TAC on this and will probably wait for them to decrypt the IKE & ESP traffic.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
