PA-3020, 7.1.8. PA has 3 tunnels with 3 sites.
Site1 - PA200 on other side, tunnel traffic fine. Ping from Site1 to subnet behind PA3020 works with 1472 MTU and fails after
Site2 - Tried to migrate from SSG140 to PA-3020, other side Cisco 871. Traffic from PA-3020 to Site2 works fine.
But from Site2 to PA3020 can only ping. RDP, mail, port 80 traffic not working.
Ping from Site2 to subnet behind PA3020 works with 1394 MTU and fails with MTU above that.
Site3 - Same issue as Site2, but mail worked. RDP, port 80 traffic not working.
Ping from Site3 to subnet behind PA3020 works with 1410 MTU and fails with MTU above that.
PA3020 traffic logs show just minimal byte traffic compared to the working tunnel, where after the initial TCP handshake traffic flows.
Also, packet capture shows retransmissions.
SSG140 has set flow tcp-mss.
All the tunnels have 1500 MTU size with no MSS setup.
When you initiate the problem traffic from site 2 and 3, check if the session is getting formed or not.
> show session all filter source x.x.x.x destination y.y.y.y
Set up packet capture to see if the firewall is dropping any packets. https://live.paloaltonetworks.com/t5/Management-Articles/Using-Packet-Filtering-through-the-WebGUI/t...
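
The ping sizes reported in the question can be converted into path MTU and TCP MSS figures and compared with the 1500-byte tunnel MTU. The following is an added example, not part of either post; it assumes the reported sizes are ICMP payload sizes sent with the don't-fragment bit set over IPv4 without options, and `simulated_probe` is a hypothetical stand-in for a real ping.

```python
# Added example: derive path MTU and TCP MSS from DF-ping results (IPv4, no options).
from typing import Callable

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header
TCP_HDR = 20   # TCP header without options


def largest_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Bisect for the largest ICMP payload for which probe(size) succeeds.

    probe(size) must send one echo request with the don't-fragment bit set
    and return True when a reply arrives. Returns -1 if even `lo` fails.
    """
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu(payload: int) -> int:
    return payload + ICMP_HDR + IP_HDR


def max_mss(payload: int) -> int:
    return path_mtu(payload) - IP_HDR - TCP_HDR


def report(sites: dict[str, int], iface_mtu: int = 1500) -> dict[str, dict[str, int]]:
    """Per site: path MTU, largest MSS that fits, and how far an MSS derived
    from iface_mtu overshoots it."""
    default_mss = iface_mtu - IP_HDR - TCP_HDR
    out = {}
    for name, payload in sites.items():
        mss = max_mss(payload)
        out[name] = {"path_mtu": path_mtu(payload), "max_mss": mss,
                     "oversize_by": max(0, default_mss - mss)}
    return out


def simulated_probe(limit: int) -> Callable[[int], bool]:
    # Hypothetical stand-in for a real DF ping: succeeds up to `limit` bytes.
    return lambda size: size <= limit


if __name__ == "__main__":
    reported = {"site1": 1472, "site2": 1394, "site3": 1410}  # values from the question
    for name, row in report(reported).items():
        print(name, row)
```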