Port 4500 ipsec/udp traffice

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Port 4500 ipsec/udp traffice

L4 Transporter

How do I check to see it the PA is dropping port 4500 traffic?

36 REPLIES 36

is the VPN terminates on PAN FW...?

Thanks

I don't understand the question.

Is the VPN tunnel configured with PAN firewall or it's just a pass through device..?

Thanks

It just passes throught the PA.

Ok, then nothing has to be done on the PAN firewall apart from a general security policy etc.

You can check the real time session in the CLI by using 'show session all filter source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION'.

>  If there is a session exist for the same traffic,  then please apply  CLI command PAN> show session id XYZ   >>>>>>>> to get detailed information about that session, i.e NAT rule, security rule, ingress/egress interface etc.

Thanks

This is what I got

Session           61416

        c2s flow:
                source:      172.17.1.5 [DR-DMZ]
                dst:         199.169.208.252
                proto:       17
                sport:       500             dport:      500
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
                pbf rule:    Fedline 12

        s2c flow:
                source:      199.169.208.252 [Outside]
                dst:         66.94.196.101
                proto:       17
                sport:       500             dport:      500
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                    : Mon Aug  4 15:10:55 2014
        timeout                       : 600 sec
        time to live                  : 594 sec
        total byte count(c2s)         : 2648352
        total byte count(s2c)         : 0
        layer7 packet count(c2s)      : 9008
        layer7 packet count(s2c)      : 0
        vsys                          : vsys1
        application                   : ike
        rule                          : Rule 6
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        address/port translation      : source + destination
        nat-rule                      : Fedline_DR(vsys1)
        layer7 processing             : enabled
        URL filtering enabled         : True
        URL category                  : any
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : vlan.999
        egress interface              : ethernet1/3
        session QoS rule              : N/A (class 4)
admin@PA-3020_DR>

Check the route back to the client. Looks like it's not making it back through the firewall. Is there another path it may be taking?

total byte count(c2s)         : 2648352

total byte count(s2c)         : 0

Hello Infotech,

As per the output:

Session           61416

        c2s flow:
                source:      172.17.1.5 [DR-DMZ]
                dst:         199.169.208.252
                proto:       17
                sport:       500             dport:      500
                state:       ACTIVE          type:       FLOW
                pbf rule:    Fedline 12  >>>>>>>>>>>>>>>>>>>> traffic going through PBF rule

        s2c flow:
     

        start time                    : Mon Aug  4 15:10:55 2014
        timeout                       : 600 sec
        time to live                  : 594 sec
        total byte count(c2s)         : 2648352
        total byte count(s2c)         : 0 >>>>>>>>>>>>>>>>>> no packer received from Server-to-client flow
        layer7 packet count(c2s)      : 9008
        layer7 packet count(s2c)      : 0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        vsys                          : vsys1
        application                   : ike
        rule                          : Rule 6 >>>>>>>>>>>>>>>>> security rule
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        address/port translation      : source + destination
        nat-rule                      : Fedline_DR(vsys1) >>>>>>>>>>>>>>>>>>>>>>>>>> traffic is getting NAT'd in PAN firewall, Hence, make sure, NAT-traversal is enabled on both side VPN gateways.
      
        ingress interface             : vlan.999  >>>>>>>>>>>>>>>>> packet incoming interface
        egress interface              : ethernet1/3 >>>>>>>>>>>>>>>>> packet outgoing interface.
        session QoS rule              : N/A (class 4)
admin@PA-3020_DR>

Hope this helps.

Thanks

Right that is the whole issue that the traffic is not coming back from the vendor. The ike 500 is trying to initiate the tunnel and it doesn't appear its getting a response back from the destination locate and the tunnel is not building but I don't see anything being blocked from coming into the firewall

Just to be sure I am looking in the right place where is the nat-t selected because when I do in to the nat policy I don't see anything related to nat -t on the PA

NAT-T is a IKE parameter, not related to your NAT policy. If the IKE packets are getting NAT'd throughout the path, you have to enable NAT-Traversal on both VPN gateways ( not in the PAN firewall). Once you will enable this, the VPN gateway will exchange a NAT-Discovery messages during IKE Phase-1 negotiation, and then negotiation shift to UDP /4500.

Ref DOC:

NAT traversal - Wikipedia, the free encyclopedia

http://www.ietf.org/rfc/rfc3947.txt

NAT-T.JPG

Hope this helps.

Thanks

I do not have any access or control over the remote firewall that is a 3rd party device. So where do you configure nat-t on the PA?

I found where to configure nat-t on the PA but it shouldn't matter because as discussed earlier the fortinet is only passing through the PA . The VPN is not configured on the PA but is created by the fortinet(which is a 3rd party device on the local and remote site).

For an example: (in case any VPN tunnel terminates into PAN firewall and packet is getting NAT'd while traversing)

NAT-T-IKE.JPG

Thanks

You have to discuss this with 3rd party.

  • 14131 Views
  • 36 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!