One way traffic over IPSEC tunnel

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

One way traffic over IPSEC tunnel

L0 Member

Hi All,

Just having an issue  with a newly created IPSEC tunnel on a new PA-500.  I have tried 4 different devices at the remote end with the same results, so I'm really thinking my problem is due to mis-configuration at the PA-500 end.

The tunnel comes up fine every time (Green lights), but I can only ever achieve traffic flow from Site B (remote) to Site A (behind PA-500)... not the other way.  I can see the Site A to Site B traffic in the PA monitor going out the tunnel with an allow, but it never seems to find its destination.

To confuse the issue a bit, we're in the process of migrating networks and using the PA-500 as a bit of a middle man between the 2 networks (note the 2 Zone1's), so the topology is:

Site A subnet: 192.168.0.0/16 (though the tunnel is set up for 192.168.0.0/16)

Site B subnet: 192.168.250.0/24

PA-500: Interface = ethernet1/1; Zone = "Zone1" (routes to our new network)

PA-500: Interface = ethernet1/2; Zone = "Internet"

PA-500: Interface = ethernet1/6; Zone = "Zone1" (routes to our existing network)

PA-500: Interface = tunnel.2; Zone = "Rmt1" (bound to the IPSEC tunnel in question)

I'm assuming this isn't a routing issue because it makes it from B to A, but in summary we have (among others) static routes in "Router-1" as follows:

192.168.0.0/16 Interface ethernet1/6 (this is where most of the 192.168 subnets are currently)

192.168.250.0/24 Interface tunnel.2 (so the more direct route goes out the tunnel)

I have security policies as follows:

Source Zone "Rmt1", Destination Zone "Zone1", any, any, any... Allow

Source Zone "Zone1", Destination Zone "Rmt1", any, any, any... Allow

As mentioned before, I can see in the monitor:

"Zone1" -> "Rmt1", 192.168.100.115 -> 192.168.250.10, allow, Ingress = eth1/6, Egress = tunnel2

Trace routes from Site A show the entire path from site A to the PA-500 eth1/6 but they time out after that.

Hopefully I've covered everything.  I must be missing something simple.  Any help is appreciated.

Thanks,

Steve.

5 REPLIES 5

L6 Presenter

What's the output from the following commands?

>show vpn ike-sa

>show vpn ipsec-sa

What does the system logs show when you initiate traffic from remote to pan and vice versa?

What's the output from?

>show routing route

When you ping from remote to PAN, can you execute the following and provide the output?

>show session all filter source x.x.x.x (insert remote ip here)

Hi,


Thanks for the reply.  Below are the answers to your questions.  I've modified IP addresses where applicable for privacy.


Q/ What's the output from the following commands?

A/

>show vpn ike-sa

phase-1 SAs

GwID Peer-Address           Gateway Name           Role Mode Algorithm              Established     Expiration      V  ST Xt Phase2

---- ------------           ------------           ---- ---- ---------              -----------     ----------      -  -- -- ------

   5 58.99.39.99            gw-glh-crs             Resp Main PSK/DH2/3DES/SHA1      Feb.12 22:37:43 Feb.13 06:37:43 v1  9  2      1

   5 58.96.38.99            gw-glh-crs             Init Main PSK/ NO/ TBD/ TBD                     *Feb.12 22:41:19 v1 10  5      0

Show IKEv1 IKE SA: Total 1 gateways found. 2 ike sa found.

Show IKEv2 IKE SA: Total 1 gateways found.

phase-2 SAs

GwID Peer-Address           Gateway Name           Role Algorithm               SPI(in)  SPI(out) MsgID    ST Xt

---- ------------           ------------           ---- ---------               -------  -------- -----    -- --

   5 58.96.38.99            gw-glh-crs             Resp DH2 /tunl/ESP/3DES/SHA1 953DAD50 BA4649F7 564D3213  9  1

   5 58.96.38.99:0          gw-glh-crs             Init     /    /   /    /     00000000 00000000 00000000  0  0

Show IKEv1 phase2 SA: Total 1 gateways found. 2 ike sa found.
 
>show vpn ipsec-sa

GwID TnID Peer-Address           Tunnel(Gateway)                                Algorithm     SPI(in)  SPI(out) life(Sec/KB)

---- ---- ------------           ---------------                                ---------     -------  -------- ------------

   5   16 58.96.38.99            vpn-glh-crs:sub.192(gw                         ESP/3DES/SHA1 953DAD50 BA4649F7   3236/0

Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.



Q/ What does the system logs show when you initiate traffic from remote to pan and vice versa?

A/

The "System" log doesn't really output anything different that I can see when initiating connections either way.  However a new message has entered the picture.  This is repeating every 10sec.



IKE phase-1 SA is expired SA: 203.63.68.57[500]-58.96.38.99[500] cookie:xxxxxx.

Q/ What's the output from?
 

A/
>show routing route

VIRTUAL ROUTER: Router-1 (id 1)

  ==========

destination              nexthop              metric flags      age   interface          next-AS

0.0.0.0/0                203.63.68.58             10 A S              ethernet1/2

10.0.0.0/8               10.10.10.1               10 A S              ethernet1/6

10.10.10.0/24            10.10.10.2                0 A C              ethernet1/6

10.10.10.2/32            0.0.0.0                   0 A H

10.10.20.0/24            0.0.0.0                   1   R              ethernet1/1

10.10.20.0/24            10.10.20.1                0 A C              ethernet1/1

10.10.20.1/32            0.0.0.0                   0 A H

10.99.99.0/24            0.0.0.0                  10 A S              tunnel.1

10.99.99.1/32            0.0.0.0                   0 A H

10.99.99.2/31            10.99.99.2               10 A S              tunnel.1

10.99.99.4/30            10.99.99.4               10 A S              tunnel.1

10.99.99.8/29            10.99.99.8               10 A S              tunnel.1

10.99.99.16/28           10.99.99.16              10 A S              tunnel.1

10.99.99.32/27           10.99.99.32              10 A S              tunnel.1

10.99.99.64/26           10.99.99.64              10 A S              tunnel.1

10.99.99.128/26          10.99.99.128             10 A S              tunnel.1

10.99.99.192/27          10.99.99.192             10 A S              tunnel.1

10.99.99.224/28          10.99.99.224             10 A S              tunnel.1

10.99.99.240/29          10.99.99.240             10 A S              tunnel.1

10.99.99.248/30          10.99.99.248             10 A S              tunnel.1

10.99.99.252/31          10.99.99.252             10 A S              tunnel.1

10.99.99.254/32          10.99.99.254             10 A S              tunnel.1

192.168.0.0/16           10.10.10.1               10 A S              ethernet1/6

192.168.5.0/24           10.10.20.4               10 A S              ethernet1/1

192.168.195.0/24         0.0.0.0                  10 A S              tunnel.2

192.168.250.0/24         0.0.0.0                  10 A S              tunnel.2

203.63.68.56/30          203.63.68.57              0 A C              ethernet1/2

203.63.68.57/32          0.0.0.0                   0 A H

total routes shown: 28


When you ping from remote to PAN, can you execute the following and provide the output?
 
>show session all filter source 58.96.38.99 (insert remote ip here)

flags: *:decrypted, N:NAT, S:src NAT, D:dst NAT, B:src and dst NAT

-------------------------------------------------------------------------------

ID        application     state   type flag   src[sport]/zone/proto (translated IP[port])

                                              dst[dport]/zone (translated IP[port])

-------------------------------------------------------------------------------

17916     ssh             ACTIVE  FLOW  ND    58.96.38.99[2711]/INTERNET/6 (58.96.38.99[2711])

                                              203.63.68.57[2221]/ARD (10.10.20.10[22])

17799     ike             ACTIVE  FLOW        58.96.38.99[500]/INTERNET/17 (58.96.38.99[500])

                                              203.63.68.57[500]/INTERNET (203.63.68.57[500])

17737     ssh             ACTIVE  FLOW  ND    58.96.38.99[2611]/INTERNET/6 (58.96.38.99[2611])

                                              203.63.68.57[2221]/ARD (10.10.20.10[22])

Display 1-3/3 sessions

...and from the other way


admin@PA-500(active)> show session all filter source 192.168.100.115

flags: *:decrypted, N:NAT, S:src NAT, D:dst NAT, B:src and dst NAT

-------------------------------------------------------------------------------

ID        application     state   type flag   src[sport]/zone/proto (translated IP[port])

                                              dst[dport]/zone (translated IP[port])

-------------------------------------------------------------------------------

18130     ping            ACTIVE  FLOW        192.168.100.115[512]/ARD/1 (192.168.100.115[512])

                                              192.168.250.10[28344]/GLH-CRD (192.168.250.10[28344])

Display 1-1/1 sessions


Hope that answers your questions correctly?  Thanks for looking into it.

Steve.

Hmmmm,

When you initiate that traffic from the system logs, any indication of phase 2 having issues in relationship to proxy ids? I should have been more precise in asking for you to source the IP by utilizing the LAN IP from the remote end. Have you tried bringing down your tunnel and then initiating that continuous ping from 192.168.250.0/24 to the PAN?

>clear vpn ike-sa gateway gw-glh-crs

<clear vpn ipsec-sa tunnel vpn-glh-crs:sub

Look at the system logs soon thereafter. Also, do you have a clean up rule in your security policies? Any chance you can temporarily disable that during your debug of this issue? 

-Renato    

Hi Renato,

Thanks very much for your input.  The problem is now resolved, however I'm not really sure what fixed it.  Somewhere along the line with me re-trying differnet models I must have corrected a very simple error that got it working.

Thanks again,

Steve.

Hi,

I am having the same problem here. I really don't get what I am doing wrong.

Best regards,

Adrian

  • 6224 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!