08-05-2014 08:52 AM
How do I check to see if the PA is dropping port 4500 traffic?
08-06-2014 08:41 AM
No, it's not blocked by PAN. Your VPN gateway (SonicWALL) is not accepting the IKE messages. The issue is not related to PAN.
Hope this helps.
Thanks
08-05-2014 08:58 AM
Hello Infotech,
There are multiple ways to do so.
1. Packet capture with proper source/destination IP/Port.
2. From Traffic log
3. show session all filter source <> destination <> source-port <> and destination-port <>
Let me know if you need additional information.
Regards,
Hardik Shah
08-05-2014 09:54 AM
I see no port 4500 traffic at all; I don't see anything being blocked to or from port 4500.
08-05-2014 09:56 AM
Can you do a packet capture on the firewall to make sure no other device is blocking traffic for port 4500 in between?
08-05-2014 09:58 AM
I did a packet capture and I see no 4500 traffic present, blocked or anything else. The source is also a remote vendor on the internet. I am seeing the IKE 500 traffic going out from the VPN device and nothing else.
08-05-2014 10:00 AM
Hi Infotech,
It means PAN is not receiving traffic on port 4500.
Can you check on the other end firewall if it's sending any traffic on port 4500?
Regards,
Hardik Shah
08-05-2014 10:02 AM
So that means it's not an issue on the PA but an issue outside on the internet or with the sender. The sender says they don't see any IKE 500 traffic to respond to. I will see if they can send some 4500 traffic.
08-05-2014 10:14 AM
Can you also please check if you have any implicit deny rule configured at the bottom of the rule base on the PA. This at times may cause some unintended issues for traffic terminating on the device.
08-05-2014 10:23 AM
I have a clean up rule at the bottom but wouldn't it show up in the logs as dropped?
08-05-2014 10:24 AM
Hi Infotech,
Upload complete capture from PANW. I think something in between is not allowing packets on both 500/4500.
Regards,
Hardik Shah
08-05-2014 10:41 AM
Hello Infotech,
Please make sure NAT-traversal is enabled on both side firewalls to accept IKE on port 4500. During IKE negotiation, from the 3rd message onwards, the port will flip to UDP 4500.
Traditionally, IPsec does not work when traversing a device doing NAT. To circumvent this problem, NAT-T or NAT Traversal was developed. NAT-T is an IKE phase 1 algorithm that is used when trying to establish a VPN between two gateway devices where a NAT device exists in front of one of the devices.
Thanks.
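An added example, not part of this thread and not Palo Alto or Fortinet code, tying together the three checks listed earlier (capture, traffic log, session filter on UDP 500/4500) and the NAT-T explanation above. It classifies UDP packets on ports 500 and 4500 the way a capture review would: plain IKE on 500, IKE behind the 4-byte non-ESP marker on 4500, UDP-encapsulated ESP, and the one-octet NAT-keepalive (header layout from RFC 7296, encapsulation rules from RFC 3948). The gateway addresses, SPIs and both captures are constructed for the example; the diagnosis labels are my own.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed addresses for this example (not from the thread).
LOCAL_GW = "203.0.113.10"   # our gateway, behind the PA
PEER_GW = "198.51.100.20"   # the vendor's gateway

IKE_PORT = 500                         # ISAKMP / IKE
NAT_T_PORT = 4500                      # IKE and UDP-encapsulated ESP once NAT-T is in use
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix that marks IKE (not ESP) on UDP 4500
NAT_KEEPALIVE = b"\xff"                # one-octet NAT-keepalive payload
IKE_HEADER_LEN = 28


@dataclass
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_ike_header(data: bytes) -> Dict[str, object]:
    """Decode the fixed 28-byte IKE header: SPIs, version, exchange type, flags, message id, length."""
    if len(data) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, _next, version, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:IKE_HEADER_LEN])
    return {
        "spi_i": spi_i.hex(),
        "spi_r": spi_r.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange_type": exch,
        "initiator": bool(flags & 0x08),   # I bit
        "response": bool(flags & 0x20),    # R bit
        "message_id": msg_id,
        "length": length,
    }


def classify(pkt: UdpPacket) -> Tuple[str, Dict[str, object]]:
    """Name what a UDP packet on 500/4500 carries."""
    if IKE_PORT in (pkt.sport, pkt.dport):
        return "ike", parse_ike_header(pkt.payload)
    if NAT_T_PORT in (pkt.sport, pkt.dport):
        if pkt.payload == NAT_KEEPALIVE:
            return "natt-keepalive", {}
        if pkt.payload.startswith(NON_ESP_MARKER):
            return "ike-natt", parse_ike_header(pkt.payload[len(NON_ESP_MARKER):])
        # Anything else on 4500 is UDP-encapsulated ESP; its first 4 bytes are the (nonzero) SPI.
        return "esp-udp", {"spi": pkt.payload[:4].hex()}
    return "other", {}


def summarize(capture: List[UdpPacket], local_gw: str) -> Dict[Tuple[str, str], int]:
    """Count packets by (direction, kind) relative to the local gateway."""
    counts: Dict[Tuple[str, str], int] = {}
    for pkt in capture:
        direction = "out" if pkt.src == local_gw else "in"
        kind, _ = classify(pkt)
        counts[(direction, kind)] = counts.get((direction, kind), 0) + 1
    return counts


def diagnose(capture: List[UdpPacket], local_gw: str) -> str:
    """Reduce a capture to one of four states a troubleshooter cares about."""
    c = summarize(capture, local_gw)
    if any(kind in ("ike-natt", "esp-udp", "natt-keepalive") for (_, kind) in c):
        return "natt-in-use"                 # the flip to 4500 happened
    if c.get(("out", "ike")) and not c.get(("in", "ike")):
        return "ike-sent-no-reply"           # the thread's case: nothing comes back at all
    if c.get(("in", "ike")) and c.get(("out", "ike")):
        return "ike-exchanging-no-natt"      # peers talk on 500 only; NAT-T not negotiated
    return "no-ike-seen"


def ike_header(spi_i: bytes, spi_r: bytes, exchange_type: int, flags: int, msg_id: int) -> bytes:
    # Header-only message (length = 28) is enough for classification in this example.
    return struct.pack("!8s8sBBBBII", spi_i, spi_r, 33, 0x20, exchange_type, flags, msg_id, IKE_HEADER_LEN)


SPI_I = bytes.fromhex("0011223344556677")   # constructed
SPI_R = bytes.fromhex("8899aabbccddeeff")   # constructed
IKE_SA_INIT, IKE_AUTH = 34, 35

# Constructed capture 1: what the thread describes. IKE leaves on 500 (retransmitted), nothing returns.
STALLED = [
    UdpPacket(LOCAL_GW, 500, PEER_GW, 500, ike_header(SPI_I, bytes(8), IKE_SA_INIT, 0x08, 0)),
    UdpPacket(LOCAL_GW, 500, PEER_GW, 500, ike_header(SPI_I, bytes(8), IKE_SA_INIT, 0x08, 0)),
]

# Constructed capture 2: a working NAT-T negotiation. IKE_SA_INIT on 500, then IKE_AUTH and ESP on 4500.
WORKING = [
    UdpPacket(LOCAL_GW, 500, PEER_GW, 500, ike_header(SPI_I, bytes(8), IKE_SA_INIT, 0x08, 0)),
    UdpPacket(PEER_GW, 500, LOCAL_GW, 500, ike_header(SPI_I, SPI_R, IKE_SA_INIT, 0x20, 0)),
    UdpPacket(LOCAL_GW, 4500, PEER_GW, 4500, NON_ESP_MARKER + ike_header(SPI_I, SPI_R, IKE_AUTH, 0x08, 1)),
    UdpPacket(PEER_GW, 4500, LOCAL_GW, 4500, NON_ESP_MARKER + ike_header(SPI_I, SPI_R, IKE_AUTH, 0x20, 1)),
    UdpPacket(LOCAL_GW, 4500, PEER_GW, 4500, bytes.fromhex("c0000001") + bytes(24)),  # ESP-in-UDP
    UdpPacket(PEER_GW, 4500, LOCAL_GW, 4500, NAT_KEEPALIVE),
]

if __name__ == "__main__":
    for name, cap in (("stalled", STALLED), ("working", WORKING)):
        print(name, summarize(cap, LOCAL_GW), "->", diagnose(cap, LOCAL_GW))
```

The "stalled" capture is the situation in this thread: IKE_SA_INIT leaving on UDP 500 with no reply, and therefore no 4500 traffic in either direction. A firewall that drops 4500 would produce a deny entry in the traffic log and the dropped packets would still appear on the capture's receive stage, so an empty 4500 column points past the PA, to the path or to the peer, which is the conclusion the thread reaches.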
08-05-2014 11:02 AM
I don't have any control over the remote site, but if I am able to send 500 IKE traffic out into the internet and am not seeing 4500 traffic trying to come in, I'm not sure how NAT-T would affect it.
08-05-2014 11:13 AM
I do not have NAT-T enabled on the Palo side.
08-05-2014 11:18 AM
If NAT-T is not enabled on the PAN firewall, then could you please let us know why you are expecting traffic on port 4500?
Thanks
08-05-2014 11:23 AM
I have a vendor that creates a VPN tunnel using a Fortinet device behind our PA 3020. The device initiates the tunnel; the IKE 500 traffic I am seeing passing through the PA into the internet. Then I would assume a device on the vendor's side exchanges SAs with the 500 traffic, should say okay, and builds the IPsec/UDP tunnel using port 4500. I am trying to confirm that we are making it past the PA firewall into the internet and not blocking a response from the vendor.