Issues with ipsec traffic from PA3020 to Cisco 871.

L3 Networker


I have a working tunnel between Netscreen and Cisco 871. I tried to move this from Netscreen to PA3020.

The tunnel comes up. PA3020: local network 192.168.2.0/24, remote network 192.168.235.0/24.

Traffic from the 2.0 network (Palo side) to the 235.0 network (Cisco side) is fine. But from 235.0 (Cisco side) to 2.0 (Palo side) we have issues.

The only thing which works is ping. RDP, mail, port 80: nothing works. The tunnel is part of the trust zone, with 2.0 in trust as well. All trust intrazone traffic is allowed and I can see logs allowing it. All interface MTUs are 1500. Tried adjusting the MTU to different settings (1350, 1418) but it still doesn't work. Reverted the tunnel to the Netscreen and it works fine. On the Netscreen it's policy based and no tunnel interface is involved, so I can't check the MTU.

L5 Sessionator

Re: Issues with ipsec traffic from PA3020 to Cisco 871.

If ping is working but TCP sessions aren't, it could be an asymmetric routing issue. Check routing and the ingress/egress interfaces in the logs.


And I'd suggest using a different security zone for VPN traffic.

L3 Networker

Re: Issues with ipsec traffic from PA3020 to Cisco 871.

I have migrated a tunnel which is working in the same setup. It's not routing, but an MTU or MSS adjust setup.

On the Netscreen I have set flow tcp-mss; does that mean I will need to enable adjust MSS on the external interface?
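As an added illustration (not part of this thread, and not code from either vendor), the calculation behind the MTU/MSS suspicion above: a 56-byte ping fits easily inside the outer 1500-byte MTU after ESP tunnel-mode encapsulation, while a full-size 1460-byte TCP segment does not, so clamping the MSS is what lets TCP through. The cipher parameters (AES-CBC with HMAC-SHA1-96 by default) and the 1500-byte outer MTU are assumptions, since the thread does not state the IPsec proposal.

```python
import math

# Fixed IPv4/ESP tunnel-mode overheads (RFC 4303): outer IPv4 header, SPI + sequence
# number, inner IPv4 + TCP headers, and the pad-length + next-header trailer bytes.
OUTER_IP = 20
ESP_HDR = 8
INNER_IP_TCP = 40
ESP_TRAILER = 2


def esp_packet_size(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Bytes on the wire for an inner IP packet of inner_len after ESP tunnel-mode encapsulation.

    Assumed defaults: AES-CBC (16-byte IV, 16-byte block) with HMAC-SHA1-96 (12-byte ICV).
    3DES/MD5 would be iv_len=8, block=8, icv_len=12. nat_t adds the 8-byte UDP header
    used when NAT traversal is negotiated.
    """
    plaintext = inner_len + ESP_TRAILER
    padded = math.ceil(plaintext / block) * block  # CBC pads up to the cipher block size
    udp = 8 if nat_t else 0
    return OUTER_IP + udp + ESP_HDR + iv_len + padded + icv_len


def max_mss(outer_mtu, **cipher):
    """Largest TCP MSS whose encrypted packet still fits the outer interface MTU."""
    mss = outer_mtu - INNER_IP_TCP
    while esp_packet_size(INNER_IP_TCP + mss, **cipher) > outer_mtu:
        mss -= 1
    return mss


def fits(inner_len, outer_mtu=1500, **cipher):
    """True if an inner packet of this size survives the tunnel without fragmentation."""
    return esp_packet_size(inner_len, **cipher) <= outer_mtu


if __name__ == "__main__":
    # Constructed sample sizes: a default 56-byte ping (84-byte IP packet) and a
    # full-size TCP segment from a host that advertised MSS 1460 (1500-byte IP packet).
    print("ping fits:", fits(84), "full TCP segment fits:", fits(1500))
    for name, cipher in [("AES-CBC/SHA1", {}),
                         ("AES-CBC/SHA1 + NAT-T", {"nat_t": True}),
                         ("3DES/MD5", {"iv_len": 8, "block": 8, "icv_len": 12})]:
        print(f"{name}: clamp MSS to {max_mss(1500, **cipher)}")
```

Note that lowering the tunnel interface MTU only changes where fragmentation or DF drops happen; the MSS clamp is what shrinks the segments the hosts send in the first place.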
