I just had a weird behavior. I have several IPsec tunnels for clients using the NCP Secure Entry Client.
They all have tunnels configured with certificates and a dynamic peer IP. Yesterday I created two new tunnels but forgot to check the NAT-T checkbox, and some of the users couldn't get a connection via RDP. My understanding was that it shouldn't impact other VPN tunnels, as they established the connection to the correct tunnel with NAT-T enabled. I don't know if it's really the NAT-T checkbox, but it was the only difference to the other tunnels I configured.
PAN-OS version is 8.0.5 and app version is 793-4594.
Is this a design failure?
Sorry, I think a bit more clarity is required.
If NAT-T is required but not enabled, the ipsec/phase2 should not stand up at all, and your users wouldn't be able to get at anything (not simply RDP). NAT-T should impact the establishment of your new tunnels; I don't see how (short of a very unusual bug) it would affect encap traffic inside another tunnel.
Thank you for your help.
To answer your questions:
1. I could not test the new tunnels, because I was not at the customer's site and I cannot use the NCP client anymore (have no license).
2. Could also not be tested.
3. Yes, even a ping doesn't go through the tunnel. But there were other tunnels that were not affected and worked properly.
4. I compared the configuration of other tunnels to the new tunnels and this was the only difference. As soon as I disabled the new tunnels, everything worked just fine again.
5. The tunnels using NCP as client are all dynamic.