Port 4500 ipsec/udp traffice

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Port 4500 ipsec/udp traffice

L4 Transporter

How do I check to see it the PA is dropping port 4500 traffic?

1 accepted solution

Accepted Solutions

NO, It's not blocked by PAN. Your VPN gateway ( SonicWALL) is not accepting the IKE messages. The issue is not related to PAN.

Hope this helps.

Thanks

View solution in original post

36 REPLIES 36

L6 Presenter

Hello Infotech,

There are mulitple ways to do so.

1. Packet capture with proper source/destination IP/Port.

2. From Traffic log

3. show session all filter source <> destination <> source-port <> and destination-port <>

Let me know if you need additional information.

Regards,

Hardik Shah

I see no port 4500 traffic at all, I don't see anything being blocked to or from port 4500

Can you do packet capture on firewall to make sure, no other device is blocking traffic for port 4500 inbetween.

I did a packet capture and I see no 4500 traffic present, blocked or anything else. the source is also from a remote vendor in the internet. I am see the ike 500 traffice going out from the vpn device and nothing else

Hi Infotech,

It means PAN is not receiving traffic on port 4500.

Can you check on other end firewall if its sending any traffic on port 4500 ?

Regards,

Hardik Shah

So that means its not an issue on the PA but an issue outside in the internet or  the sender. The sender says that don't see any ike 500 traffice to respond too. I will see if I they can send some 4500 traffic

L4 Transporter

Can you also please check if you have any implicit deny rule configured at the bottom of the rule base on the PA. This at times may cause some unintended issues for traffic terminating on the device.

I have a clean up rule at the bottom but wouldn't it show up in the logs as dropped?

Hi Infotech,

Upload complete capture from PANW.  I think something in between is not allowing packets on both 500/4500.

Regards,

Hardik Shah

L7 Applicator

Hello Infotech,

Please make sure NAT-traversal is enabled on both side firewalls to accept IKE on port 4500. During IKE negotiation, 3rd message onwards, port will flip to UDP 4500.

Traditionally, IPSec does not work when traversing across a device doing NAT.  To circumvent this problem, NAT-T or NAT Traversal was developed.  NAT-T is an IKE phase 1 algorithm that is used when trying to establish a VPN between two gateways devices where a NAT device exists in front of one of the devices.

Thanks.

I dont' have any control over the remote site, but if I am able to send 500 ike traffice out into the internet and am not seeing 4500 traffic traying to come in not sure how nat-t would affect it

I do not have nat-t enabled on the palo side

If NAT-T is not enabled on PAN firewall, then could you please let us know, why are you expecting traffic on port 4500..?

Thanks

I have a vendor that creates a vpn tunnel using a fortinet device behind our PA 3020. The device initiates the tunnel,the ike 500 traffic I am seeing passing throught the PA into the internet, Then I would assume a device on the vendors side exchanges SA's with the 500 traffic should say okay and builds the ipsec/udp tunnel using port 4500. I am trying to confirm that we are making in past the pa firewall into the internet and not blocking a response from the vendor

  • 1 accepted solution
  • 17147 Views
  • 36 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!