Palo Alto troubleshooting tool for IPsec


L1 Bithead

Hello

 

I established an IPsec tunnel (policy based) between Palo Alto and a Cisco FW.

Phase 1 & phase 2 are up and running, but trying to transfer data fails.

Packet capture (merged receive and transmit) shows:

Source: SYN

Dest: SYN ACK

And then Dest: retransmit SYN ACK.

 

If this capture is within the transmit pcap, does this mean the retransmitted packet has been forwarded into the IPsec tunnel (egress interface)?

transmit.png

 

Previously, I was working with Checkpoint and was able to use the command line FW MONITOR to know if my packet was forwarded/encrypted to the tunnel (this means the problem is located on the FW itself or after the FW).

Is there a tool that permits knowing whether this SYN ACK packet is forwarded into the tunnel interface or not?

 

Regards

 

 

 
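The reasoning in this post, that a SYN-ACK showing up in the transmit stage means the firewall has already forwarded the reply, can be mechanised. The following Python script is an added example, not part of the thread and not a Palo Alto tool: it classifies each TCP flow in a constructed capture summary (the addresses, ports and line format are invented; only the stage names receive/transmit are PAN-OS packet-capture terms) into completed handshake, reply dropped on the firewall, or reply transmitted but never acknowledged. The last case is the one that points past the firewall to the tunnel or the remote routing.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample capture, not a real PAN-OS export. Each line is:
#   <capture stage> <src ip:port> -> <dst ip:port> [<TCP flags>]
# "receive" and "transmit" are the PAN-OS packet-capture stages for packets
# entering and leaving the firewall; the flows and addresses are invented.
SAMPLE_CAPTURE = """\
receive  10.10.1.25:52144 -> 172.16.8.40:443 [SYN]
transmit 10.10.1.25:52144 -> 172.16.8.40:443 [SYN]
receive  172.16.8.40:443 -> 10.10.1.25:52144 [SYN,ACK]
transmit 172.16.8.40:443 -> 10.10.1.25:52144 [SYN,ACK]
receive  172.16.8.40:443 -> 10.10.1.25:52144 [SYN,ACK]
transmit 172.16.8.40:443 -> 10.10.1.25:52144 [SYN,ACK]
receive  10.10.1.25:52160 -> 172.16.8.40:22 [SYN]
transmit 10.10.1.25:52160 -> 172.16.8.40:22 [SYN]
receive  172.16.8.40:22 -> 10.10.1.25:52160 [SYN,ACK]
transmit 172.16.8.40:22 -> 10.10.1.25:52160 [SYN,ACK]
receive  10.10.1.25:52160 -> 172.16.8.40:22 [ACK]
transmit 10.10.1.25:52160 -> 172.16.8.40:22 [ACK]
receive  10.10.1.25:52170 -> 172.16.8.40:8443 [SYN]
transmit 10.10.1.25:52170 -> 172.16.8.40:8443 [SYN]
receive  10.10.1.25:52180 -> 172.16.8.40:80 [SYN]
transmit 10.10.1.25:52180 -> 172.16.8.40:80 [SYN]
receive  172.16.8.40:80 -> 10.10.1.25:52180 [SYN,ACK]
"""

LINE_RE = re.compile(
    r"^(?P<stage>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+\[(?P<flags>[A-Z,]+)\]$"
)


@dataclass
class FlowState:
    syn_stages: set = field(default_factory=set)            # stages where a bare SYN was seen
    synack_count: dict = field(default_factory=lambda: defaultdict(int))  # stage -> SYN-ACK count
    ack_stages: set = field(default_factory=set)            # stages where the completing ACK was seen


def parse_capture(text):
    """Group capture lines into per-flow handshake state."""
    flows = defaultdict(FlowState)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flags = set(m["flags"].split(","))
        # Direction-independent key so both halves of the conversation share one record.
        key = frozenset({(m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))})
        st = flows[key]
        if flags == {"SYN"}:
            st.syn_stages.add(m["stage"])
        elif flags == {"SYN", "ACK"}:
            st.synack_count[m["stage"]] += 1
        elif "ACK" in flags and st.synack_count:
            # Simplification: any ACK-bearing segment after a SYN-ACK completes the handshake.
            st.ack_stages.add(m["stage"])
    return flows


def classify(st):
    """Turn one flow's state into a troubleshooting verdict."""
    if not st.syn_stages:
        return "no SYN seen"
    if st.ack_stages:
        return "handshake completed"
    tx = st.synack_count.get("transmit", 0)
    rx = st.synack_count.get("receive", 0)
    if tx == 0 and rx == 0:
        return "SYN sent, no SYN-ACK: responder never replied or its reply never reached the firewall"
    if tx == 0:
        return "SYN-ACK received but never transmitted: dropped on the firewall (policy, NAT or route)"
    if tx > 1:
        return (f"SYN-ACK transmitted {tx} times, no ACK: reply left the firewall "
                "but is not reaching the initiator (tunnel or remote routing)")
    return "SYN-ACK transmitted once, no ACK yet"


def flow_label(key):
    return " <-> ".join(sorted(f"{ip}:{port}" for ip, port in key))


def report(text):
    """Map each flow label to its verdict."""
    return {flow_label(k): classify(st) for k, st in parse_capture(text).items()}


if __name__ == "__main__":
    for label, verdict in report(SAMPLE_CAPTURE).items():
        print(f"{label}: {verdict}")
```

A SYN-ACK that is counted in the transmit stage has been handed to the egress interface; if it repeats with no ACK coming back, the firewall has done its part and the return path (tunnel selection, the remote side's route back) is where to look next.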

6 REPLIES 6

Cyber Elite

Hello,

Check the traffic logs to see why the traffic is getting blocked. Before this make sure you enable logging on your security policies. This should tell you where and why the traffic is getting blocked.

Security policy basics:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWZCA0

Could also be routing, make sure you put the destination subnet into your virtual router and point the destination at the tunnel.

 

Hope this helps.

 

Thanks for your reply,

 

Anyway, I don't have traffic blocked in the logs (allowed but aged out), and the TCP handshake starts with SYN and ACK; this means it is not blocked.

I was suspecting a routing issue; that's why (even though the route is set as a static route) I would like to know how to be sure this ACK reply has been properly "pushed" to my tunnel interface.

 

Regards

Cyber Elite

Hello,

To check routing, click the Networking tab at the top -> Virtual Routers -> More Runtime Stats.

Then look for a subnet that is on the Cisco side of the tunnel, and make sure it points to the tunnel.

 

Regards,
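The two routing replies above come down to one check: does the longest-prefix match for the remote subnet land on the tunnel interface? The Python below is an added example, not PAN-OS code and not a substitute for the runtime stats view; it models the forwarding decision over a constructed routing table (prefixes, interface names and next hops are invented) and flags any more-specific route that would steal part of the remote subnet away from the tunnel, which is the kind of misconfiguration that lets phase 1 and 2 come up while data still fails.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str
    next_hop: str = ""
    metric: int = 10


# Constructed routing table, not taken from the poster's firewall.
SAMPLE_ROUTES = [
    Route("0.0.0.0/0", "ethernet1/1", "203.0.113.1"),        # default route to the Internet
    Route("10.10.1.0/24", "ethernet1/2"),                    # local LAN
    Route("172.16.8.0/24", "tunnel.1"),                      # remote subnet behind the Cisco peer
    Route("172.16.8.0/25", "ethernet1/1", "203.0.113.1"),    # stray more-specific route
]


def lookup(routes, dst):
    """Longest-prefix match, lowest metric as tie-breaker; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.prefix, strict=False)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.prefix, strict=False).prefixlen, -r.metric))


def egress_for(routes, dst):
    """Interface the virtual router would hand a packet for dst to."""
    r = lookup(routes, dst)
    return r.interface if r else None


def shadowing_routes(routes, remote_subnet, tunnel_if):
    """Routes inside remote_subnet that do not point at the tunnel.

    Any such route is at least as specific as the tunnel route, so it wins
    longest-prefix match for its range and sends that traffic elsewhere.
    """
    target = ipaddress.ip_network(remote_subnet, strict=False)
    return [r for r in routes
            if ipaddress.ip_network(r.prefix, strict=False).subnet_of(target)
            and r.interface != tunnel_if]


if __name__ == "__main__":
    for dst in ("172.16.8.40", "172.16.8.200", "8.8.8.8"):
        print(f"{dst:>14} -> {egress_for(SAMPLE_ROUTES, dst)}")
    for r in shadowing_routes(SAMPLE_ROUTES, "172.16.8.0/24", "tunnel.1"):
        print(f"WARNING: {r.prefix} via {r.interface} shadows the tunnel route")
```

Note how 172.16.8.200 correctly egresses via tunnel.1 while 172.16.8.40 is pulled to ethernet1/1 by the /25: a ping test against one remote host can pass while another fails, so the route table, not just a single test, is what to read in More Runtime Stats.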

Cyber Elite

I had the same issue with failing data transfer; however, I found this discussion, and thanks to your helpful article links I managed to fix my issue. Waiting for more useful discussion about IPsec tunnels.

Cyber Elite

Hello,

Glad you found it useful. Always feel free to post any questions.

 

Cheers!
