Issue with traffic over ipsec tunnel.


L3 Networker

PA-3020, 7.1.8. PA has 3 tunnels with 3 sites.

 

Site1 - PA200 on the other side, tunnel traffic fine. Ping from site1 to subnet behind PA3020 works with 1472 MTU and fails after that.

 

Site2 - Tried to migrate from SSG140 to PA-3020, other side Cisco 871. Traffic from PA-3020 to Site2 works fine.

But from Site2 to PA3020 can only ping. RDP, mail, port 80 traffic not working.

Ping from site2 to subnet behind PA3020 works with 1394 MTU and fails with MTU above that.

 

Site3 - Same issue as Site2, but mail worked. RDP, port 80 traffic not working.

Ping from site3 to subnet behind PA3020 works with 1410 MTU and fails with MTU above that.

 

PA3020 traffic logs show just minimal byte traffic compared to the working tunnel, where after the initial TCP handshake traffic flows.

Also packet capture shows retransmissions.

 

SSG140 has set flow tcp-mss.

 

All the tunnels have 1500 MTU size with no MSS setup.

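The arithmetic behind the three ping observations above, as an added worked example (not part of the original post or of PAN-OS). It assumes the quoted numbers are ICMP echo payload sizes (the `size` or `-l` argument of ping), which the site1 figure supports: 1472 + 8 ICMP + 20 IP = 1500, i.e. no visible shrink on the tunnel that works. From each payload limit it derives the effective path MTU through that tunnel, the encapsulation overhead, the largest TCP MSS that still fits, and the MSS adjustment a 1500-byte interface would need; a constructed TCP flow then shows why the handshake completes but the first full-size data segment never arrives. Site names, payload limits and the sample flow are taken or constructed from the post.

```python
"""MTU / MSS arithmetic for traffic over an IPsec tunnel (constructed example)."""

IPV4_HEADER = 20      # bytes, no IP options
ICMP_HEADER = 8       # echo request / reply header
TCP_HEADER = 20       # bytes, no TCP options
DEFAULT_IF_MTU = 1500  # the tunnel / LAN interface MTU in the post

# Largest ICMP echo payload that still got a reply, per site (from the post).
# Assumption: these are payload sizes, not full IP packet sizes.
OBSERVED_MAX_PING_PAYLOAD = {"site1": 1472, "site2": 1394, "site3": 1410}


def path_mtu_from_ping(max_payload):
    """Largest IP packet that crosses the path, from the largest echo payload that works."""
    return max_payload + ICMP_HEADER + IPV4_HEADER


def tunnel_overhead(path_mtu, if_mtu=DEFAULT_IF_MTU):
    """Bytes the encapsulation (ESP header, IV, padding, ICV, outer IP) eats per packet."""
    return if_mtu - path_mtu


def max_tcp_mss(path_mtu):
    """Largest TCP payload whose segment still fits in one path-MTU sized packet."""
    return path_mtu - IPV4_HEADER - TCP_HEADER


def mss_adjustment(path_mtu, if_mtu=DEFAULT_IF_MTU):
    """Bytes to subtract from the interface MTU when clamping MSS on SYNs.

    The usual default of 40 only covers the IP and TCP headers; it assumes no
    tunnel shrink at all, which is true for site1 but not for site2 / site3.
    """
    return if_mtu - max_tcp_mss(path_mtu)


def classify_flow(path_mtu, payload_sizes, mss=None):
    """For each TCP payload in a flow, does the resulting packet fit the path?

    `mss` is what the hosts negotiated; a LAN host behind a 1500-byte interface
    advertises 1460 unless something clamps it. The sender never emits more
    than the MSS, hence min(). Packets carrying the DF bit that exceed the
    path MTU are dropped silently when ICMP "fragmentation needed" is lost,
    which shows up as retransmissions of the same large segment.
    """
    if mss is None:
        mss = DEFAULT_IF_MTU - IPV4_HEADER - TCP_HEADER  # 1460
    results = []
    for payload in payload_sizes:
        packet = IPV4_HEADER + TCP_HEADER + min(payload, mss)
        results.append((payload, packet <= path_mtu))
    return results


def site_report(observed=OBSERVED_MAX_PING_PAYLOAD):
    """Per-site path MTU, overhead, safe MSS and required MSS adjustment."""
    report = {}
    for site, payload in observed.items():
        pmtu = path_mtu_from_ping(payload)
        report[site] = {
            "path_mtu": pmtu,
            "overhead": tunnel_overhead(pmtu),
            "max_mss": max_tcp_mss(pmtu),
            "mss_adjustment": mss_adjustment(pmtu),
        }
    return report


# Constructed TCP flow: SYN, SYN-ACK, ACK (no payload), a 300-byte request,
# then the first full-size response segment.
SAMPLE_FLOW = [0, 0, 0, 300, 1460]


if __name__ == "__main__":
    for site, info in site_report().items():
        print(f"{site}: {info}")
    site2_pmtu = site_report()["site2"]["path_mtu"]
    print("site2, MSS 1460:", classify_flow(site2_pmtu, SAMPLE_FLOW))
    print("site2, MSS 1382:", classify_flow(site2_pmtu, SAMPLE_FLOW, mss=1382))
```

Read against the symptoms: site1 has a path MTU of 1500 and needs nothing. Site2 and site3 lose 78 and 62 bytes to encapsulation, so a host advertising MSS 1460 sends 1500-byte segments into a 1422- or 1438-byte path; the handshake and a small request pass, the first full response segment does not, and the capture fills with retransmissions while the traffic log shows only a few hundred bytes per session. Clamping MSS to 1382 (site2) or 1398 (site3), or clearing DF so the firewall fragments, makes every segment in the sample flow fit.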
2 REPLIES

L6 Presenter

Hi,

 

Are you able to log this with support? This one is not an easy one and requires some expertise. You will definitely get a quicker resolution.

L4 Transporter

Hi Inderjit,

 

When you initiate the problem traffic from site 2 and 3, check if the session is getting formed or not.

> show session all filter source x.x.x.x destination y.y.y.y

Set up packet capture to see if the firewall is dropping any packets. https://live.paloaltonetworks.com/t5/Management-Articles/Using-Packet-Filtering-through-the-WebGUI/t...

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7
  • 2454 Views
  • 2 replies
  • 0 Likes