This is what I got
Session 61416
c2s flow:
source: 172.17.1.5 [DR-DMZ]
dst: 199.169.208.252
proto: 17
sport: 500 dport: 500
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
pbf rule: Fedline 12
s2c flow:
source: 199.169.208.252 [Outside]
dst: 66.94.196.101
proto: 17
sport: 500 dport: 500
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Mon Aug 4 15:10:55 2014
timeout : 600 sec
time to live : 594 sec
total byte count(c2s) : 2648352
total byte count(s2c) : 0
layer7 packet count(c2s) : 9008
layer7 packet count(s2c) : 0
vsys : vsys1
application : ike
rule : Rule 6
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
address/port translation : source + destination
nat-rule : Fedline_DR(vsys1)
layer7 processing : enabled
URL filtering enabled : True
URL category : any
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : vlan.999
egress interface : ethernet1/3
session QoS rule : N/A (class 4)
admin@PA-3020_DR>
Check the route back to the client. Looks like it's not making it back through the firewall. Is there another path it may be taking?
total byte count(c2s) : 2648352
total byte count(s2c) : 0
Hello Infotech,
As per the output:
Session 61416
c2s flow:
source: 172.17.1.5 [DR-DMZ]
dst: 199.169.208.252
proto: 17
sport: 500 dport: 500
state: ACTIVE type: FLOW
pbf rule: Fedline 12 >>>>>>>>>>>>>>>>>>>> traffic going through PBF rule
s2c flow:
start time : Mon Aug 4 15:10:55 2014
timeout : 600 sec
time to live : 594 sec
total byte count(c2s) : 2648352
total byte count(s2c) : 0 >>>>>>>>>>>>>>>>>> no packet received from server-to-client flow
layer7 packet count(c2s) : 9008
layer7 packet count(s2c) : 0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>
vsys : vsys1
application : ike
rule : Rule 6 >>>>>>>>>>>>>>>>> security rule
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
address/port translation : source + destination
nat-rule : Fedline_DR(vsys1) >>>>>>>>>>>>>>>>>>>>>>>>>> traffic is getting NAT'd in the PAN firewall; hence, make sure NAT-Traversal is enabled on the VPN gateways on both sides.
ingress interface : vlan.999 >>>>>>>>>>>>>>>>> packet incoming interface
egress interface : ethernet1/3 >>>>>>>>>>>>>>>>> packet outgoing interface.
session QoS rule : N/A (class 4)
admin@PA-3020_DR>
Hope this helps.
Thanks
Right, that is the whole issue: the traffic is not coming back from the vendor. The IKE 500 is trying to initiate the tunnel and it doesn't appear it's getting a response back from the destination location, and the tunnel is not building, but I don't see anything being blocked from coming into the firewall.
Just to be sure I am looking in the right place, where is NAT-T selected? Because when I go into the NAT policy I don't see anything related to NAT-T on the PA.
NAT-T is an IKE parameter, not related to your NAT policy. If the IKE packets are getting NAT'd anywhere along the path, you have to enable NAT-Traversal on both VPN gateways (not in the PAN firewall). Once you enable this, the VPN gateways will exchange NAT-Discovery messages during IKE Phase-1 negotiation, and then the negotiation shifts to UDP/4500.
Ref DOC:
NAT traversal - Wikipedia, the free encyclopedia
http://www.ietf.org/rfc/rfc3947.txt
Hope this helps.
Thanks
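The two replies above read the session dump by hand: zero s2c counters mean no return traffic, and a NAT rule on an ike session means NAT-T has to be on at the VPN gateways. The Python below is an added example, not part of this thread or of PAN-OS, that applies those same two checks to a pasted `show session id` dump. The sample text is a trimmed copy of the output posted above, and the parsing heuristics (top-level fields use `key : value`, per-flow fields use `key: value`) are assumptions taken from that layout, so a differently formatted dump may need the regexes adjusted.

```python
import re

# Constructed sample input: a trimmed "show session id" dump modelled on the
# one posted in this thread (same addresses, ports, counters and rule names).
SAMPLE_SESSION = """\
Session 61416
c2s flow:
source: 172.17.1.5 [DR-DMZ]
dst: 199.169.208.252
proto: 17
sport: 500 dport: 500
state: ACTIVE type: FLOW
pbf rule: Fedline 12
s2c flow:
source: 199.169.208.252 [Outside]
dst: 66.94.196.101
proto: 17
sport: 500 dport: 500
state: ACTIVE type: FLOW
start time : Mon Aug 4 15:10:55 2014
total byte count(c2s) : 2648352
total byte count(s2c) : 0
layer7 packet count(c2s) : 9008
layer7 packet count(s2c) : 0
application : ike
rule : Rule 6
address/port translation : source + destination
nat-rule : Fedline_DR(vsys1)
ingress interface : vlan.999
egress interface : ethernet1/3
admin@PA-3020_DR>
"""

# Assumed layout: top-level fields have whitespace before the colon,
# per-flow fields do not.
TOP_RE = re.compile(r"^(.+?)\s+:\s*(.*)$")
FLOW_RE = re.compile(r"^([^:]+):\s*(.*)$")
PORT_RE = re.compile(r"^sport:\s*(\d+)\s+dport:\s*(\d+)")
STATE_RE = re.compile(r"^state:\s*(\S+)\s+type:\s*(\S+)")


def parse_session(text):
    """Parse a PAN-OS session dump into a dict with 'c2s' and 's2c' sub-dicts."""
    session = {"c2s": {}, "s2c": {}}
    flow = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Session "):
            session["id"] = int(line.split()[1])
            continue
        if line.endswith(" flow:"):
            flow = line.split()[0]          # "c2s" or "s2c"
            continue
        m = TOP_RE.match(line)
        if m:                               # back at top level
            flow = None
            session[m.group(1).strip()] = m.group(2).strip()
            continue
        if flow is None:
            continue                        # prompt or unrelated line
        target = session[flow]
        m = PORT_RE.match(line)
        if m:
            target["sport"], target["dport"] = int(m.group(1)), int(m.group(2))
            continue
        m = STATE_RE.match(line)
        if m:
            target["state"], target["type"] = m.group(1), m.group(2)
            continue
        m = FLOW_RE.match(line)
        if m:
            target[m.group(1).strip()] = m.group(2).strip()
    return session


def diagnose(session):
    """Apply the checks the replies in this thread made by hand."""
    findings = []
    c2s_bytes = int(session.get("total byte count(c2s)", "0"))
    s2c_bytes = int(session.get("total byte count(s2c)", "0"))
    c2s = session["c2s"]
    is_ike = (session.get("application", "").lower() == "ike"
              or (c2s.get("proto") == "17" and c2s.get("dport") == 500))
    natted = session.get("address/port translation", "none").lower() != "none"

    if c2s_bytes > 0 and s2c_bytes == 0:
        findings.append(
            "one-way traffic: client sent %d bytes and nothing came back; "
            "check the return path from the peer (routing, remote policy, "
            "asymmetric path around this firewall)" % c2s_bytes)
    if is_ike and natted:
        findings.append(
            "IKE is NAT'd by this firewall (nat-rule %s): NAT-T must be enabled "
            "on both VPN gateways, not here; once NAT-D succeeds the negotiation "
            "moves to udp/4500, so expect a second session on that port"
            % session.get("nat-rule", "<unknown>"))
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_session(SAMPLE_SESSION)):
        print("-", finding)
```

On the sample above this reports both conditions the replies pointed out; on a healthy IKE session behind NAT you would expect non-zero s2c counters and a companion udp/4500 session, and the second finding would be the only one left.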
I do not have any access or control over the remote firewall; that is a 3rd-party device. So where do you configure NAT-T on the PA?
I found where to configure NAT-T on the PA, but it shouldn't matter because, as discussed earlier, the Fortinet is only passing through the PA. The VPN is not configured on the PA but is created by the Fortinet (which is a 3rd-party device on the local and remote site).
For an example: (in case any VPN tunnel terminates on the PAN firewall and the packet is getting NAT'd while traversing)
Thanks
You have to discuss this with 3rd party.