Port 4500 ipsec/udp traffic

L4 Transporter

This is what I got

Session           61416

        c2s flow:
                source:      172.17.1.5 [DR-DMZ]
                dst:         199.169.208.252
                proto:       17
                sport:       500             dport:      500
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
                pbf rule:    Fedline 12

        s2c flow:
                source:      199.169.208.252 [Outside]
                dst:         66.94.196.101
                proto:       17
                sport:       500             dport:      500
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                    : Mon Aug  4 15:10:55 2014
        timeout                       : 600 sec
        time to live                  : 594 sec
        total byte count(c2s)         : 2648352
        total byte count(s2c)         : 0
        layer7 packet count(c2s)      : 9008
        layer7 packet count(s2c)      : 0
        vsys                          : vsys1
        application                   : ike
        rule                          : Rule 6
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        address/port translation      : source + destination
        nat-rule                      : Fedline_DR(vsys1)
        layer7 processing             : enabled
        URL filtering enabled         : True
        URL category                  : any
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : vlan.999
        egress interface              : ethernet1/3
        session QoS rule              : N/A (class 4)
admin@PA-3020_DR>

L4 Transporter

Check the route back to the client. Looks like it's not making it back through the firewall. Is there another path it may be taking?

total byte count(c2s)         : 2648352

total byte count(s2c)         : 0

L7 Applicator

Hello Infotech,

As per the output:

Session           61416

        c2s flow:
                source:      172.17.1.5 [DR-DMZ]
                dst:         199.169.208.252
                proto:       17
                sport:       500             dport:      500
                state:       ACTIVE          type:       FLOW
                pbf rule:    Fedline 12  >>>>>>>>>>>>>>>>>>>> traffic going through PBF rule

        s2c flow:
     

        start time                    : Mon Aug  4 15:10:55 2014
        timeout                       : 600 sec
        time to live                  : 594 sec
        total byte count(c2s)         : 2648352
        total byte count(s2c)         : 0 >>>>>>>>>>>>>>>>>> no packet received on the server-to-client flow
        layer7 packet count(c2s)      : 9008
        layer7 packet count(s2c)      : 0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        vsys                          : vsys1
        application                   : ike
        rule                          : Rule 6 >>>>>>>>>>>>>>>>> security rule
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        address/port translation      : source + destination
        nat-rule                      : Fedline_DR(vsys1) >>>>>>>>>>>>>>>>>>>>>>>>>> traffic is getting NAT'd in the PAN firewall; hence, make sure NAT-Traversal is enabled on the VPN gateways on both sides.
      
        ingress interface             : vlan.999  >>>>>>>>>>>>>>>>> packet incoming interface
        egress interface              : ethernet1/3 >>>>>>>>>>>>>>>>> packet outgoing interface.
        session QoS rule              : N/A (class 4)
admin@PA-3020_DR>

Hope this helps.

Thanks
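The reply above reads the `show session id` output by eye. As an added example (not part of the thread, and not a PAN-OS tool), the following Python parses the same output format and flags the three things the reply points at: the one-way byte counts, the source NAT applied to the IKE packets, and the PBF rule on the client-to-server flow only. The sample text is constructed from the output posted in the thread; the finding codes and the helper names are this example's own.

```python
import re

# Constructed sample for this example: modelled on the `show session id 61416`
# output posted in the thread (not captured from a live firewall).
SAMPLE = """\
Session           61416

        c2s flow:
                source:      172.17.1.5 [DR-DMZ]
                dst:         199.169.208.252
                proto:       17
                sport:       500             dport:      500
                state:       ACTIVE          type:       FLOW
                pbf rule:    Fedline 12

        s2c flow:
                source:      199.169.208.252 [Outside]
                dst:         66.94.196.101
                proto:       17
                sport:       500             dport:      500
                state:       ACTIVE          type:       FLOW

        start time                    : Mon Aug  4 15:10:55 2014
        total byte count(c2s)         : 2648352
        total byte count(s2c)         : 0
        layer7 packet count(c2s)      : 9008
        layer7 packet count(s2c)      : 0
        application                   : ike
        rule                          : Rule 6
        address/port translation      : source + destination
        nat-rule                      : Fedline_DR(vsys1)
        ingress interface             : vlan.999
        egress interface              : ethernet1/3
"""

FLOW_HDR = re.compile(r"^\s*(c2s|s2c) flow:\s*$")
# flow lines: "key:   value", and several pairs may share one line (sport/dport, state/type)
PAIR = re.compile(r"([a-z][a-z ]*?):\s+(.+?)(?=\s{2,}[a-z][a-z ]*?:|\s*$)")
# session-level lines: "key   : value" (whitespace before the colon)
SCALAR = re.compile(r"^\s*(.+?)\s+:\s*(.*?)\s*$")


def parse_session(text):
    """Return {'id': int, 'c2s': {...}, 's2c': {...}, '<scalar key>': '<value>', ...}."""
    sess = {"c2s": {}, "s2c": {}}
    flow = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"^Session\s+(\d+)", line)
        if m:
            sess["id"] = int(m.group(1))
            continue
        m = FLOW_HDR.match(line)
        if m:
            flow = m.group(1)
            continue
        m = SCALAR.match(line)
        if m:
            flow = None
            sess[m.group(1)] = m.group(2)
            continue
        if flow:
            for key, value in PAIR.findall(line):
                sess[flow][key] = value
    return sess


def diagnose(sess):
    """Return (code, message) findings in the order a troubleshooter would read them."""
    findings = []
    c2s_bytes = int(sess["total byte count(c2s)"])
    s2c_bytes = int(sess["total byte count(s2c)"])
    if c2s_bytes and not s2c_bytes:
        findings.append(("ONE_WAY", "client sent %d bytes, nothing returned: check the return path to %s"
                         % (c2s_bytes, sess["s2c"]["dst"])))
    orig_src = sess["c2s"]["source"].split()[0]   # drop the "[zone]" suffix
    if orig_src != sess["s2c"]["dst"]:
        findings.append(("SRC_NAT", "%s is translated to %s by NAT rule %s"
                         % (orig_src, sess["s2c"]["dst"], sess.get("nat-rule", "?"))))
    if sess.get("application") == "ike" and "nat-rule" in sess:
        findings.append(("IKE_NATED", "IKE is NATed in transit: NAT-T must be enabled on both VPN "
                                      "gateways, expect the exchange to move to UDP/4500"))
    if "pbf rule" in sess["c2s"] and "pbf rule" not in sess["s2c"]:
        findings.append(("PBF_ASYM", "c2s is policy-based forwarded by '%s'; confirm the reply "
                                     "is routed back through this firewall" % sess["c2s"]["pbf rule"]))
    return findings


if __name__ == "__main__":
    for code, msg in diagnose(parse_session(SAMPLE)):
        print(code, "-", msg)
```

Run against the pasted output, the script reports all four findings; the `SRC_NAT` one makes explicit what the session shows only indirectly: the peer's replies must be addressed to 66.94.196.101, not 172.17.1.5, so that is the address whose return path has to be verified.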

L4 Transporter

Right, that is the whole issue: the traffic is not coming back from the vendor. IKE on UDP 500 is trying to initiate the tunnel, and it doesn't appear it's getting a response back from the destination location, so the tunnel is not building, but I don't see anything being blocked from coming into the firewall.

L4 Transporter

Just to be sure I am looking in the right place: where is NAT-T selected? When I go into the NAT policy I don't see anything related to NAT-T on the PA.

L7 Applicator

NAT-T is an IKE parameter, not related to your NAT policy. If the IKE packets are getting NAT'd anywhere along the path, you have to enable NAT-Traversal on both VPN gateways (not in the PAN firewall). Once you enable this, the VPN gateways will exchange NAT-Discovery messages during the IKE Phase 1 negotiation, and then the negotiation shifts to UDP/4500.

Ref DOC:

NAT traversal - Wikipedia, the free encyclopedia

http://www.ietf.org/rfc/rfc3947.txt

[image attachment: NAT-T.JPG]

Hope this helps.

Thanks
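The NAT-Discovery exchange described in that reply, as an added example (not from the thread or from any vendor's code), worked through in Python for the situation in this thread: the initiator at 172.17.1.5 is source-NATed to 66.94.196.101 before its IKE packets reach the peer at 199.169.208.252. The hash construction and the payload ordering follow RFC 3947, the four-zero-octet marker follows RFC 3948; SHA-1 as the negotiated Phase 1 hash, the ISAKMP cookies, and all function names are assumptions made for this example.

```python
import hashlib
import ipaddress
import struct

# RFC 3948 s.2.2: an IKE message on UDP/4500 is prefixed with four zero octets,
# which an ESP packet can never carry there because an ESP SPI of zero is reserved.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def nat_d_hash(cky_i, cky_r, ip, port, hashfn=hashlib.sha1):
    """RFC 3947 s.4: NAT-D = HASH(CKY-I | CKY-R | IP | Port).
    IP and port are in network byte order; SHA-1 is assumed as the Phase 1 hash."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashfn(data).digest()


def build_nat_d(cky_i, cky_r, dst_ip, dst_port, src_ip, src_port):
    """Sender side. First payload: the peer's address as the sender addresses it.
    Remaining payload(s): the sender's own address as it sees it, before any NAT."""
    return [nat_d_hash(cky_i, cky_r, dst_ip, dst_port),
            nat_d_hash(cky_i, cky_r, src_ip, src_port)]


def check_nat_d(cky_i, cky_r, payloads, my_ip, my_port, wire_src_ip, wire_src_port):
    """Receiver side. Compare the peer's view of both addresses with what is actually
    on the wire; any mismatch means a NAT sits between the gateways."""
    nat_before_me = payloads[0] != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    nat_before_peer = nat_d_hash(cky_i, cky_r, wire_src_ip, wire_src_port) not in payloads[1:]
    return {"nat_before_me": nat_before_me,
            "nat_before_peer": nat_before_peer,
            "switch_to_udp_4500": nat_before_me or nat_before_peer}


def encapsulate_ike_4500(ike_msg):
    """Frame an IKE message for UDP/4500 once NAT has been detected."""
    return NON_ESP_MARKER + ike_msg


def classify_udp_4500(payload):
    """Demultiplex a UDP/4500 datagram: zero first word is IKE, anything else is ESP-in-UDP."""
    return "ike" if payload[:4] == NON_ESP_MARKER else "esp"


def fortinet_behind_pa_example():
    """Thread scenario: initiator 172.17.1.5 is translated to 66.94.196.101 by the PA
    before reaching the peer 199.169.208.252 (cookies constructed for this example)."""
    cky_i = bytes.fromhex("0123456789abcdef")
    cky_r = bytes.fromhex("fedcba9876543210")
    # initiator hashes the addresses as it knows them: peer 199.169.208.252, itself 172.17.1.5
    sent = build_nat_d(cky_i, cky_r, "199.169.208.252", 500, "172.17.1.5", 500)
    # the responder sees the packet arrive from the translated address 66.94.196.101
    return check_nat_d(cky_i, cky_r, sent, "199.169.208.252", 500, "66.94.196.101", 500)


if __name__ == "__main__":
    print(fortinet_behind_pa_example())
```

The responder's own-address hash matches (no NAT on its side), but the hash the initiator computed over 172.17.1.5 does not match the 66.94.196.101 seen on the wire, so both sides move the rest of the negotiation and the ESP traffic to UDP/4500. This is also why the detection only works when both gateways send NAT-D payloads: a gateway that has NAT-T disabled never learns that its peer's address was rewritten.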

L4 Transporter

I do not have any access to or control over the remote firewall; that is a third-party device. So where do you configure NAT-T on the PA?

L4 Transporter

I found where to configure NAT-T on the PA, but it shouldn't matter, because as discussed earlier the Fortinet traffic is only passing through the PA. The VPN is not configured on the PA but is created by the Fortinet (which is a third-party device at both the local and the remote site).

L7 Applicator

For example (in case a VPN tunnel terminates on the PAN firewall and the packets are getting NAT'd while traversing):

[image attachment: NAT-T-IKE.JPG]

Thanks

L7 Applicator

You have to discuss this with the third party.
