ipsec vpn issue


L3 Networker

I configured an IPsec VPN from Palo Alto to Check Point.

Pinging ISP:

Local/external IP (182.x.x.x) to peer IP (102.x.x.x): ping successful.

Pinging local network to peer IP:

Local PC (10.10.10.x) to peer IP (102.x.x.x): ping unsuccessful. Tracert confirms drops on the internet. IKE not established (verified by show vpn ike-sa gateway). Following the VPN troubleshooting doc.

Ping 10.100.100.x (remote IP) from FW CLI:

Pinging the remote PC (10.100.100.x) and the peer IP from the firewall CLI is successful, but the problem is that it doesn't take the external IP (182.x.x.x) route. It takes another route (the customer says the VPN is connected to another FW too).

So the FW takes that route and successfully pings the remote IP.


Then I entered these commands:

ping source 182.x.x.x host 102.x.x.x -> successful

ping source 182.x.x.x host 10.100.100.x -> unsuccessful

The system logs show an IKE phase 1 aborted message and sometimes both phase 1 and phase 2 succeeded logs, but the IPsec tunnel is not showing up.

Can I tell the customer to disconnect the same VPN connection that is using another route to reach the remote IP successfully (directly connected, I think)?

Please suggest.

2 REPLIES

L7 Applicator

Hello Javith,

The IPSec tunnel is basically for user traffic coming from the local private subnet (10.10.10.x) to the remote private subnet (10.100.100.x). So, are you able to ping from source 10.10.10.x to destination 10.100.100.x? Also, if you want to initiate from your external interface IP, then it should be mentioned in the proxy IDs (appropriate local and remote IPs).

Thanks
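
The proxy ID point in the reply above, as an added example that is not part of the original thread and is not PAN-OS code: a simplified Python model of selector matching that checks which test flows a proxy ID list covers and proposes the pair a missing flow would need. The /24 prefix lengths, the address 203.0.113.10 standing in for the masked 182.x.x.x external IP, and all function names are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class ProxyID(NamedTuple):
    name: str
    local: ipaddress.IPv4Network   # local selector
    remote: ipaddress.IPv4Network  # remote selector

def proxy_id(name: str, local: str, remote: str) -> ProxyID:
    return ProxyID(name, ipaddress.ip_network(local), ipaddress.ip_network(remote))

def match_proxy_id(proxy_ids, src: str, dst: str) -> Optional[ProxyID]:
    """Return the first proxy ID whose local/remote selectors cover src/dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in proxy_ids:
        if s in p.local and d in p.remote:
            return p
    return None

def suggest_proxy_id(proxy_ids, src: str, dst: str) -> Optional[ProxyID]:
    """For an uncovered flow, propose a host-to-subnet pair; None if covered."""
    if match_proxy_id(proxy_ids, src, dst) is not None:
        return None
    d = ipaddress.ip_address(dst)
    # Reuse a remote subnet that already contains dst, else fall back to a /32.
    remote = next((p.remote for p in proxy_ids if d in p.remote),
                  ipaddress.ip_network(f"{dst}/32"))
    return ProxyID(f"{src}-to-{remote}", ipaddress.ip_network(f"{src}/32"), remote)

def report(proxy_ids, flows):
    """One status line per (src, dst) flow."""
    lines = []
    for src, dst in flows:
        hit = match_proxy_id(proxy_ids, src, dst)
        if hit is not None:
            lines.append(f"{src} -> {dst}: covered by {hit.name}")
        else:
            need = suggest_proxy_id(proxy_ids, src, dst)
            lines.append(f"{src} -> {dst}: no proxy ID, needs "
                         f"local {need.local} remote {need.remote}")
    return lines

# Constructed values: the thread masks its addresses, so these are placeholders.
EXTERNAL_IP = "203.0.113.10"  # stands in for 182.x.x.x
CONFIGURED = [proxy_id("lan-to-lan", "10.10.10.0/24", "10.100.100.0/24")]
FLOWS = [("10.10.10.5", "10.100.100.7"), (EXTERNAL_IP, "10.100.100.7")]

if __name__ == "__main__":
    print("\n".join(report(CONFIGURED, FLOWS)))
```

Whatever pair is added locally has to be mirrored (local and remote swapped) in the peer's configuration, or phase 2 will not agree on it.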

L7 Applicator

Can you check the phase 1 and phase 2 status and see if the tunnel is up and not passing traffic or not coming up at all?

This document shows how to confirm the status.

How to Troubleshoot VPN Connectivity Issues

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center