03-28-2017 09:56 PM
I have a working tunnel between a Netscreen and a Cisco 871. I tried to move this from the Netscreen to a PA3020.
The tunnel comes up. PA3020 local network: 192.168.2.0/24, remote: 192.168.235.0/24.
Traffic from 2.0 (Palo side) to 235.0 (Cisco side) is fine, but from 235.0 (Cisco side) to 2.0 (Palo side) we have issues.
The only thing that works is ping. RDP, mail, port 80: nothing works. The tunnel is part of the trust zone, with 2.0 in trust as well. All trust intrazone traffic is allowed and I can see logs allowing it. All interface MTUs are 1500. Tried adjusting the MTU to different settings (1350, 1418) but it still doesn't work. Reverted the tunnel to the Netscreen and it works fine. On the Netscreen it's policy based and no tunnel interface is involved, so I can't check the MTU.
03-28-2017 11:08 PM
If ping is working but TCP sessions aren't, it could be an asymmetric routing issue. Check routing and the ingress/egress interfaces in the logs.
And I'd suggest using a different security zone for VPN traffic.
03-29-2017 02:52 AM
I have migrated a tunnel which is working in the same setup. It's not a routing issue but an MTU or MSS adjust setup.
On the Netscreen I have set `flow tcp-mss`. Does that mean I will need to enable adjust MSS on the external interface?
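The symptom in this thread (ping crosses the tunnel, TCP sessions do not) is the classic signature of packets that grow past the outer MTU once ESP encapsulation is added: a ping is small and fits, while a full-size TCP segment sent with DF set does not and is dropped, so clamping the MSS makes the hosts send segments that fit. The following is an added worked example, not code from the thread or from any vendor; it assumes IPv4 ESP in tunnel mode with AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV), and the overhead constants and the 1500-byte outer MTU are constructed assumptions for illustration.

```python
"""Added illustration: why ping crosses an IPsec tunnel while full-size TCP
segments stall, and which TCP MSS value keeps encapsulated segments under the
outer MTU. Assumes IPv4 ESP tunnel mode, AES-CBC (16-byte IV/block) and
HMAC-SHA1-96 (12-byte ICV); these are constructed figures, not device output."""

import math

IPV4_HDR = 20
TCP_HDR = 20
ICMP_HDR = 8
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
NAT_T_UDP = 8        # extra UDP header when NAT traversal is in use


def esp_packet_size(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Outer IPv4 length of an ESP tunnel-mode packet carrying inner_len bytes.

    The inner packet plus the ESP trailer is padded up to the cipher block size
    before the ICV is appended."""
    body = inner_len + ESP_TRAILER
    padded = math.ceil(body / block) * block
    return IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv_len + padded + icv_len


def max_inner_len(outer_mtu=1500, **kw):
    """Largest inner IP packet whose ESP encapsulation still fits in outer_mtu.

    esp_packet_size is monotonic in inner_len, so a binary search suffices."""
    lo, hi = 0, outer_mtu
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if esp_packet_size(mid, **kw) <= outer_mtu:
            lo = mid
        else:
            hi = mid - 1
    return lo


def tcp_mss_for_tunnel(outer_mtu=1500, **kw):
    """TCP MSS to advertise so that a full segment (IPv4 + TCP headers + MSS)
    fits through the tunnel without fragmentation."""
    return max_inner_len(outer_mtu, **kw) - IPV4_HDR - TCP_HDR


def crosses_tunnel(inner_len, outer_mtu=1500, df=True, **kw):
    """Simulate the tunnel endpoint: the packet passes if its encapsulated size
    fits the outer MTU, or if DF is clear so it may be fragmented."""
    fits = esp_packet_size(inner_len, **kw) <= outer_mtu
    return fits or not df


if __name__ == "__main__":
    ping = IPV4_HDR + ICMP_HDR + 56          # a default 56-byte-payload ping
    full_tcp = IPV4_HDR + TCP_HDR + 1460     # MSS 1460 segment on a 1500 MTU LAN
    print("ping crosses tunnel:", crosses_tunnel(ping))
    print("MSS-1460 segment with DF crosses tunnel:", crosses_tunnel(full_tcp))
    print("largest inner packet that fits:", max_inner_len())
    print("MSS to clamp to:", tcp_mss_for_tunnel())
    print("MSS to clamp to with NAT-T:", tcp_mss_for_tunnel(nat_t=True))
```

Running it shows the 84-byte ping encapsulating to well under 1500 while a 1500-byte inner TCP segment becomes 1560 bytes and is dropped when DF is set; with these assumptions the largest inner packet that fits is 1438 bytes, so an MSS of 1398 (1382 with NAT-T) keeps every segment inside the outer MTU. A practitioner can check the real overhead on their own tunnel by comparing the inner and outer packet lengths in a capture on the external interface, then set the MSS adjustment on the interface facing the hosts accordingly.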