ipsec vpn issue

L3 Networker

ipsec vpn issue

I configured an IPsec VPN from Palo Alto to Check Point.

Pinging ISP:

Local/external IP (182.x.x.x) to peer IP (102.x.x.x): ping successful.

Pinging local network to peer IP:

Local PC (10.10.10.x) to peer IP (102.x.x.x): ping unsuccessful. Tracert confirms drops on the internet. IKE not established (verified by show vpn ike-sa gateway). Following the VPN troubleshooting doc.

ping 10.100.100.x (remote IP) from FW CLI

Pinging the remote PC (10.100.100.x) and pinging the peer IP from the firewall CLI are successful, but the problem is that it doesn't take the external IP (182.x.x.x) route; it takes another route (customer says the VPN is connected to another FW too).

So the FW takes that route and successfully pings the remote IP.


Then I ran these commands:

ping source 182.x.x.x host 102.x.x.x -> successful

ping source 182.x.x.x host 10.100.100.x -> unsuccessful

After going to the system logs, it shows an IKE phase 1 aborted message and sometimes both phase 1 and phase 2 succeeded logs, but the IPsec tunnel is not showing up.

Can I tell the customer to disconnect the same VPN connection which is using another route to reach the remote IP successfully (directly connected, I think)?

Please suggest.

L7 Applicator

Re: ipsec vpn issue

Hello Javith,

The IPsec tunnel is basically for user traffic coming from the local private subnet (10.10.10.x) to the remote private subnet (10.100.100.x). So, are you able to ping from source 10.10.10.x to destination 10.100.100.x? Also, if you want to initiate from your external interface IP, then it should be mentioned in the proxy IDs (appropriate local and remote IPs).

Thanks
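An added illustration of the point above, not code from the thread or from Palo Alto Networks: a small checker that tells whether a given ping source/destination pair is even covered by the proxy IDs (so a failure means a routing or IKE problem rather than an untunnelled flow), plus a counter for the phase 1 / phase 2 outcomes seen in the system log. The subnets, gateway name and log line format are constructed assumptions modelled on this thread.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

Network = ipaddress.IPv4Network
# Constructed proxy IDs modelled on the thread's subnets (the x octets are hypothetical):
# local 10.10.10.0/24 <-> remote 10.100.100.0/24.
PROXY_IDS: List[Tuple[Network, Network]] = [
    (ipaddress.ip_network("10.10.10.0/24"), ipaddress.ip_network("10.100.100.0/24")),
]

def matches_proxy_id(src: str, dst: str, proxy_ids=PROXY_IDS) -> bool:
    """True when a src->dst flow falls inside some local/remote proxy ID pair,
    i.e. it is traffic the firewall would steer into the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in proxy_ids)

def explain_ping(src: str, dst: str, proxy_ids=PROXY_IDS) -> str:
    """Explain, for a 'ping source X host Y' test, whether the packet is eligible
    for the tunnel at all (routing and IKE state are separate checks)."""
    if matches_proxy_id(src, dst, proxy_ids):
        return "selected by proxy ID: a failure here points at routing or IKE/IPsec state"
    return "not covered by any proxy ID: bypasses the tunnel, so this is not a tunnel test"

# Constructed system-log lines (not real PAN-OS output) for the summary below.
SAMPLE_LOGS = [
    "2019/01/01 10:00:01 ike gw-checkpoint: IKE phase-1 negotiation aborted",
    "2019/01/01 10:05:12 ike gw-checkpoint: IKE phase-1 SA established",
    "2019/01/01 10:05:13 ike gw-checkpoint: IKE phase-2 SA established",
]
EVENT_RE = re.compile(r"phase-(?P<phase>[12]).*?(?P<outcome>aborted|established|failed)", re.I)

def summarize_ike(lines: Iterable[str]) -> Dict[str, int]:
    """Count phase-1/phase-2 outcomes so intermittent 'aborted' vs 'established' is visible."""
    counts: Dict[str, int] = {}
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            key = f"phase{m['phase']}_{m['outcome'].lower()}"
            counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    print(explain_ping("10.10.10.5", "10.100.100.5"))   # selected by proxy ID
    print(explain_ping("182.0.0.1", "10.100.100.5"))    # not covered: external IP as source
    print(summarize_ike(SAMPLE_LOGS))
```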

L7 Applicator

Re: ipsec vpn issue

Can you check the phase 1 and phase 2 status and see if the tunnel is up and not passing traffic, or not coming up at all?

This document shows how to confirm the status.

How to Troubleshoot VPN Connectivity Issues

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center