Port 4500 ipsec/udp traffice

Check the route back to the client. Looks like it's not making it back through the firewall. Is there another path it may be taking?

total byte count(c2s)         : 2648352

total byte count(s2c)         : 0

Hello Infotech,

As per the output:

Session           61416

        c2s flow:
                source:      172.17.1.5 [DR-DMZ]
                dst:         199.169.208.252
                proto:       17
                sport:       500             dport:      500
                state:       ACTIVE          type:       FLOW
                pbf rule:    Fedline 12  >>>>>>>>>>>>>>>>>>>> traffic going through PBF rule

        s2c flow:
     

        start time                    : Mon Aug  4 15:10:55 2014
        timeout                       : 600 sec
        time to live                  : 594 sec
        total byte count(c2s)         : 2648352
        total byte count(s2c)         : 0 >>>>>>>>>>>>>>>>>> no packer received from Server-to-client flow
        layer7 packet count(c2s)      : 9008
        layer7 packet count(s2c)      : 0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        vsys                          : vsys1
        application                   : ike
        rule                          : Rule 6 >>>>>>>>>>>>>>>>> security rule
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        address/port translation      : source + destination
        nat-rule                      : Fedline_DR(vsys1) >>>>>>>>>>>>>>>>>>>>>>>>>> traffic is getting NAT'd in PAN firewall, Hence, make sure, NAT-traversal is enabled on both side VPN gateways.
      
        ingress interface             : vlan.999  >>>>>>>>>>>>>>>>> packet incoming interface
        egress interface              : ethernet1/3 >>>>>>>>>>>>>>>>> packet outgoing interface.
        session QoS rule              : N/A (class 4)
admin@PA-3020_DR>

Hope this helps.

Thanks

Right that is the whole issue that the traffic is not coming back from the vendor. The ike 500 is trying to initiate the tunnel and it doesn't appear its getting a response back from the destination locate and the tunnel is not building but I don't see anything being blocked from coming into the firewall

Just to be sure I am looking in the right place where is the nat-t selected because when I do in to the nat policy I don't see anything related to nat -t on the PA

NAT-T is a IKE parameter, not related to your NAT policy. If the IKE packets are getting NAT'd throughout the path, you have to enable NAT-Traversal on both VPN gateways ( not in the PAN firewall). Once you will enable this, the VPN gateway will exchange a NAT-Discovery messages during IKE Phase-1 negotiation, and then negotiation shift to UDP /4500.

Ref DOC:

NAT traversal - Wikipedia, the free encyclopedia

http://www.ietf.org/rfc/rfc3947.txt

Hope this helps.

Thanks

I do not have any access or control over the remote firewall that is a 3rd party device. So where do you configure nat-t on the PA?

I found where to configure nat-t on the PA but it shouldn't matter because as discussed earlier the fortinet is only passing through the PA . The VPN is not configured on the PA but is created by the fortinet(which is a 3rd party device on the local and remote site).

For an example: (in case any VPN tunnel terminates into PAN firewall and packet is getting NAT'd while traversing)

Thanks

You have to discuss this with 3rd party.