nat-t not enabled on vpn tunnel has impact on other tunnels

Reply
L0 Member

I just had some weird behaviour. I have several IPsec tunnels for clients using the NCP Secure Entry Client.

They all have tunnels configured with certificates and a dynamic peer IP. Yesterday I created two new tunnels but forgot to check the NAT-T checkbox, and some of the users couldn't get a connection via RDP. My understanding was that it shouldn't impact other VPN tunnels, as they established the connection to the correct tunnel with NAT-T enabled. I don't know if it's really the NAT-T checkbox, but it was the only difference from the other tunnels I configured.

PAN-OS version is 8.0.5 and app version is 793-4594.

Is this a design failure?

L3 Networker

Re: nat-t not enabled on vpn tunnel has impact on other tunnels

Hi,

Sorry, I think a bit more clarity is required.

If NAT-T is required but not enabled, the IPsec/phase 2 should not stand up at all, and your users wouldn't be able to get at anything (not simply RDP). NAT-T should impact the establishment of your new tunnels; I don't see how (short of a very unusual bug) it would affect encapsulated traffic inside another tunnel.

  1. Did the new tunnels fully establish?
  2. Could users access services over the new tunnel?
  3. Were services other than RDP affected on the other (historical) tunnels?
  4. Have you done a config audit and compared the last known working config to the new config to verify that that was the only change?
  5. Are all your tunnels using static peer IP addressing, or are some of them configured as dynamic?

Thanks,

Shannon

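The config audit Shannon asks for in question 4, as an added example that is not part of this thread and not code from the poster or from Palo Alto Networks: a Python script that parses a PAN-OS style XML configuration, lists every IKE gateway with its peer type, authentication method and NAT-T setting, flags gateways that accept a dynamic peer but have NAT-T off, and reports which attributes of each gateway differ from a known-good reference gateway. The sample XML fragment, the gateway names and the 203.0.113.10 address are constructed; the element paths (network/ike/gateway/entry, peer-address, protocol-common/nat-traversal/enable) follow the PAN-OS schema as I understand it and are an assumption, as is treating a missing nat-traversal element as "checkbox unticked".

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed-down PAN-OS style config with five IKE gateways.
# Assumed element layout, hand-written for this example; not a firewall export.
SAMPLE_CONFIG = """
<config>
  <devices><entry name="localhost.localdomain"><network><ike><gateway>
    <entry name="ncp-client-a">
      <authentication><certificate><local-certificate><name>fw-cert</name></local-certificate></certificate></authentication>
      <peer-address><dynamic/></peer-address>
      <protocol-common><nat-traversal><enable>yes</enable></nat-traversal></protocol-common>
    </entry>
    <entry name="ncp-client-b">
      <authentication><certificate><local-certificate><name>fw-cert</name></local-certificate></certificate></authentication>
      <peer-address><dynamic/></peer-address>
      <protocol-common><nat-traversal><enable>yes</enable></nat-traversal></protocol-common>
    </entry>
    <entry name="ncp-client-new1">
      <authentication><certificate><local-certificate><name>fw-cert</name></local-certificate></certificate></authentication>
      <peer-address><dynamic/></peer-address>
      <protocol-common><nat-traversal><enable>no</enable></nat-traversal></protocol-common>
    </entry>
    <entry name="ncp-client-new2">
      <authentication><certificate><local-certificate><name>fw-cert</name></local-certificate></certificate></authentication>
      <peer-address><dynamic/></peer-address>
    </entry>
    <entry name="hq-site-to-site">
      <authentication><pre-shared-key><key>redacted</key></pre-shared-key></authentication>
      <peer-address><ip>203.0.113.10</ip></peer-address>
      <protocol-common><nat-traversal><enable>no</enable></nat-traversal></protocol-common>
    </entry>
  </gateway></ike></network></entry></devices>
</config>
"""


def parse_gateways(xml_text):
    """Return {name: {"peer": ..., "auth": ..., "nat_t": bool}} for every IKE gateway."""
    root = ET.fromstring(xml_text)
    gateways = {}
    for entry in root.iterfind(".//network/ike/gateway/entry"):
        name = entry.get("name")
        # Peer address is either <dynamic/> (roaming clients) or a literal <ip>.
        if entry.find("peer-address/dynamic") is not None:
            peer = "dynamic"
        else:
            ip = entry.findtext("peer-address/ip")
            peer = ip if ip else "unset"
        auth = "certificate" if entry.find("authentication/certificate") is not None else "psk"
        # Assumption: a missing nat-traversal element means the NAT-T checkbox is unticked.
        enable = entry.findtext("protocol-common/nat-traversal/enable")
        nat_t = (enable == "yes")
        gateways[name] = {"peer": peer, "auth": auth, "nat_t": nat_t}
    return gateways


def dynamic_peers_without_nat_t(gateways):
    """Gateways that accept a dynamic peer but have NAT-T off: the ones a client
    behind a NAT would fail to bring up."""
    return sorted(n for n, g in gateways.items() if g["peer"] == "dynamic" and not g["nat_t"])


def diff_against_reference(gateways, reference):
    """For each gateway, the attribute names that differ from a known-good gateway.
    Gateways identical to the reference are omitted."""
    ref = gateways[reference]
    out = {}
    for name, g in gateways.items():
        if name == reference:
            continue
        diffs = sorted(k for k in ref if g[k] != ref[k])
        if diffs:
            out[name] = diffs
    return out


if __name__ == "__main__":
    gws = parse_gateways(SAMPLE_CONFIG)
    print("dynamic peers without NAT-T:", dynamic_peers_without_nat_t(gws))
    print("differences from ncp-client-a:", diff_against_reference(gws, "ncp-client-a"))
```

Run against a real export (`show config running` saved as XML) the same way; the point of the diff is that it shows whether NAT-T really was the only difference between the working gateways and the two new ones, or whether something else (peer type, authentication method) changed at the same time.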

L0 Member

Re: nat-t not enabled on vpn tunnel has impact on other tunnels

Hi Shannon,

Thank you for your help.

To answer your questions:

1. I could not test the new tunnels, because I was not at the customer's site and I cannot use the NCP client anymore (I have no license).

2. Could also not be tested.

3. Yes, even a ping doesn't go through the tunnel. But there were other tunnels that were not affected and worked properly.

4. I compared the configuration of the other tunnels to the new tunnels and this was the only difference. As soon as I disabled the new tunnels, everything worked just fine again.

5. The tunnels using NCP as the client are all dynamic.

Kind regards,

Gregor
