08-05-2014 08:52 AM
How do I check to see if the PA is dropping port 4500 traffic?
08-05-2014 12:38 PM
Does the VPN terminate on the PAN FW?
Thanks
08-05-2014 12:42 PM
I don't understand the question.
08-05-2014 12:45 PM
Is the VPN tunnel configured on the PAN firewall, or is it just a pass-through device?
Thanks
08-05-2014 12:47 PM
It just passes through the PA.
08-05-2014 12:50 PM
OK, then nothing has to be done on the PAN firewall apart from a general security policy, etc.
You can check the real-time session in the CLI with 'show session all filter source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION'.
If a session exists for that traffic, then run the CLI command 'PAN> show session id XYZ' to get detailed information about the session, i.e. NAT rule, security rule, ingress/egress interfaces, etc.
Thanks
08-05-2014 02:13 PM
This is what I got
Session 61416
c2s flow:
source: 172.17.1.5 [DR-DMZ]
dst: 199.169.208.252
proto: 17
sport: 500 dport: 500
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
pbf rule: Fedline 12
s2c flow:
source: 199.169.208.252 [Outside]
dst: 66.94.196.101
proto: 17
sport: 500 dport: 500
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Mon Aug 4 15:10:55 2014
timeout : 600 sec
time to live : 594 sec
total byte count(c2s) : 2648352
total byte count(s2c) : 0
layer7 packet count(c2s) : 9008
layer7 packet count(s2c) : 0
vsys : vsys1
application : ike
rule : Rule 6
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
address/port translation : source + destination
nat-rule : Fedline_DR(vsys1)
layer7 processing : enabled
URL filtering enabled : True
URL category : any
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : vlan.999
egress interface : ethernet1/3
session QoS rule : N/A (class 4)
admin@PA-3020_DR>
08-05-2014 02:25 PM
Check the route back to the client. Looks like it's not making it back through the firewall. Is there another path it may be taking?
total byte count(c2s) : 2648352
total byte count(s2c) : 0
08-05-2014 02:31 PM
Hello Infotech,
As per the output:
Session 61416
c2s flow:
source: 172.17.1.5 [DR-DMZ]
dst: 199.169.208.252
proto: 17
sport: 500 dport: 500
state: ACTIVE type: FLOW
pbf rule: Fedline 12 >>>>>>>>>>>>>>>>>>>> traffic going through PBF rule
s2c flow:
start time : Mon Aug 4 15:10:55 2014
timeout : 600 sec
time to live : 594 sec
total byte count(c2s) : 2648352
total byte count(s2c) : 0 >>>>>>>>>>>>>>>>>> no packet received from the server-to-client flow
layer7 packet count(c2s) : 9008
layer7 packet count(s2c) : 0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>
vsys : vsys1
application : ike
rule : Rule 6 >>>>>>>>>>>>>>>>> security rule
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
address/port translation : source + destination
nat-rule : Fedline_DR(vsys1) >>>>>>>>>>>>>>>>>>>>>>>>>> traffic is getting NAT'd in the PAN firewall; hence, make sure NAT-Traversal is enabled on the VPN gateways on both sides.
ingress interface : vlan.999 >>>>>>>>>>>>>>>>> packet incoming interface
egress interface : ethernet1/3 >>>>>>>>>>>>>>>>> packet outgoing interface.
session QoS rule : N/A (class 4)
admin@PA-3020_DR>
Hope this helps.
Thanks
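The checks made in the reply above (c2s bytes with zero s2c bytes, and an IKE session hitting a NAT rule) can be applied mechanically to 'show session id' output. The script below is an added example, not a Palo Alto tool or anything from the original posts; it parses the session dump posted in the thread (embedded as sample input) and reports the two findings the reply points at. Field names are taken from that dump; the firewall's output format on other PAN-OS versions is assumed to be the same key/value layout.

```python
"""Parse PAN-OS 'show session id N' output and flag the two conditions
discussed in the thread: a one-way (c2s only) flow and an IKE session
that is being NAT'd by the firewall.

Added example, not a Palo Alto tool. SAMPLE_SESSION is the session dump
posted in the thread, trimmed to the lines the checks need.
"""
import re

SAMPLE_SESSION = """\
Session 61416
c2s flow:
source: 172.17.1.5 [DR-DMZ]
dst: 199.169.208.252
proto: 17
sport: 500 dport: 500
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
pbf rule: Fedline 12
s2c flow:
source: 199.169.208.252 [Outside]
dst: 66.94.196.101
proto: 17
sport: 500 dport: 500
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Mon Aug 4 15:10:55 2014
timeout : 600 sec
time to live : 594 sec
total byte count(c2s) : 2648352
total byte count(s2c) : 0
layer7 packet count(c2s) : 9008
layer7 packet count(s2c) : 0
vsys : vsys1
application : ike
rule : Rule 6
address/port translation : source + destination
nat-rule : Fedline_DR(vsys1)
ingress interface : vlan.999
egress interface : ethernet1/3
admin@PA-3020_DR>
"""

# Keys that belong to the per-direction flow blocks; any other key seen
# after a flow header is a session-wide attribute.
FLOW_KEYS = {"source", "dst", "proto", "sport", "state",
             "src user", "dst user", "pbf rule"}
# Lines that carry two key/value pairs on one line.
PAIRS = re.compile(r"(sport|dport|state|type):\s*(\S+)")


def parse_session(text):
    """Return {'id': str, 'c2s': {...}, 's2c': {...}, 'attrs': {...}}."""
    session = {"id": None, "c2s": {}, "s2c": {}, "attrs": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Session (\d+)", line)
        if m:
            session["id"] = m.group(1)
            continue
        if line.endswith("flow:"):
            section = line.split()[0]        # 'c2s' or 's2c'
            continue
        if ":" not in line:                  # CLI prompt or blank line
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if section in ("c2s", "s2c") and key in FLOW_KEYS:
            if key in ("sport", "state"):    # two pairs on one line
                session[section].update(PAIRS.findall(line))
            else:
                session[section][key] = value
        else:
            session["attrs"][key] = value
    return session


def diagnose(session):
    """Apply the two checks made in the thread; return a list of findings."""
    findings = []
    attrs = session["attrs"]
    c2s_bytes = int(attrs.get("total byte count(c2s)", 0))
    s2c_bytes = int(attrs.get("total byte count(s2c)", 0))
    if c2s_bytes > 0 and s2c_bytes == 0:
        findings.append(
            "one-way flow: %d bytes c2s, 0 bytes s2c; the peer is not "
            "replying or the return path bypasses this firewall" % c2s_bytes)
    translated = attrs.get("address/port translation", "none") != "none"
    if attrs.get("application") == "ike" and translated:
        findings.append(
            "IKE is NAT'd by rule %s (%s); NAT-Traversal must be enabled "
            "on both VPN gateways" % (attrs.get("nat-rule"),
                                      attrs["address/port translation"]))
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_session(SAMPLE_SESSION)):
        print("-", finding)
```

Paste the output of 'show session id' in place of SAMPLE_SESSION to run the same checks on a live session; a healthy tunnel shows non-zero s2c bytes and, once NAT-T has been negotiated, IKE on UDP/4500 rather than 500.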
08-06-2014 08:00 AM
Right, that is the whole issue: the traffic is not coming back from the vendor. IKE on port 500 is trying to initiate the tunnel, and it doesn't appear it's getting a response back from the destination, so the tunnel is not building, but I don't see anything being blocked from coming into the firewall.
08-06-2014 08:03 AM
Just to be sure I am looking in the right place, where is NAT-T selected? When I go into the NAT policy I don't see anything related to NAT-T on the PA.
08-06-2014 08:22 AM
NAT-T is an IKE parameter, not related to your NAT policy. If the IKE packets are getting NAT'd anywhere along the path, you have to enable NAT-Traversal on both VPN gateways (not on the PAN firewall). Once you enable this, the VPN gateways will exchange NAT-Discovery messages during IKE Phase 1 negotiation, and the negotiation then shifts to UDP/4500.
Ref DOC:
NAT traversal - Wikipedia, the free encyclopedia
http://www.ietf.org/rfc/rfc3947.txt
Hope this helps.
Thanks
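The NAT-Discovery exchange described above is specified in RFC 3947 (linked in the reply): each gateway sends NAT-D payloads containing HASH(CKY-I | CKY-R | IP | Port) for the peer's address and for its own, and the receiver compares them with hashes of the addresses it actually sees on the packet. The script below is an added example, not from the original post or any vendor; it replays that exchange for the addresses in the session dump, with constructed ISAKMP cookies and SHA-1 standing in for whatever hash Phase 1 negotiated.

```python
"""Worked IKEv1 NAT-Discovery (RFC 3947 section 3.2).

Added example. Addresses are the ones from the session dump in the
thread; the cookies and the choice of SHA-1 are constructed assumptions
(the real hash is the one negotiated in Phase 1).
"""
import hashlib
import ipaddress
import struct


def natd_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), network byte order."""
    data = (cky_i + cky_r
            + ipaddress.ip_address(ip).packed
            + struct.pack("!H", port))
    return hashlib.new(hash_name, data).digest()


def build_natd_payloads(cky_i, cky_r, peer, own):
    """Sender's view: first the peer's address, then its own address."""
    return [natd_hash(cky_i, cky_r, *peer), natd_hash(cky_i, cky_r, *own)]


def detect_nat(cky_i, cky_r, payloads, own_seen, peer_seen):
    """Receiver side. own_seen is the receiver's own address; peer_seen is
    the source address on the packet as it arrived (post-NAT, if any)."""
    remote_hash, *local_hashes = payloads
    return {
        # Sender hashed the address it sent to; if that is not ours,
        # something rewrote our address on the way in.
        "self_behind_nat": remote_hash != natd_hash(cky_i, cky_r, *own_seen),
        # Sender hashed its own address; if none of those match the source
        # we see, the sender's address was translated on the path.
        "peer_behind_nat": natd_hash(cky_i, cky_r, *peer_seen) not in local_hashes,
    }


def simulate_phase1(initiator, responder, translated_src=None):
    """Run one NAT-D exchange from the responder's point of view.
    initiator/responder are (ip, port); translated_src is what the
    responder sees as the packet source after any NAT on the path."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")   # constructed responder cookie
    payloads = build_natd_payloads(cky_i, cky_r, peer=responder, own=initiator)
    seen_src = translated_src or initiator
    result = detect_nat(cky_i, cky_r, payloads,
                        own_seen=responder, peer_seen=seen_src)
    # RFC 3947: if either side is behind NAT, move to UDP/4500 encapsulation.
    result["switch_to_4500"] = result["self_behind_nat"] or result["peer_behind_nat"]
    return result


if __name__ == "__main__":
    print(simulate_phase1(("172.17.1.5", 500), ("199.169.208.252", 500),
                          translated_src=("66.94.196.101", 500)))
```

In the thread's case the initiator hashes 172.17.1.5:500 as its own address while the responder sees 66.94.196.101:500, so the responder concludes the peer is behind NAT and both sides move to UDP/4500; without the translation every hash matches and IKE stays on UDP/500. That comparison only happens if both gateways send NAT-D payloads, which is why NAT-T has to be enabled on the Fortinets, not on the firewall in the middle.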
08-06-2014 08:28 AM
I do not have any access to or control over the remote firewall; that is a 3rd-party device. So where do you configure NAT-T on the PA?
08-06-2014 08:33 AM
I found where to configure NAT-T on the PA, but it shouldn't matter because, as discussed earlier, the Fortinet is only passing through the PA. The VPN is not configured on the PA but is created by the Fortinet (which is a 3rd-party device at the local and remote sites).
08-06-2014 08:34 AM
For example (in case a VPN tunnel terminates on the PAN firewall and the packets are getting NAT'd while traversing):
Thanks
08-06-2014 08:36 AM
You have to discuss this with the 3rd party.