I have been having difficulties trying to configure an IPSec tunnel between a PA500 and Cisco ASA. I can get the tunnel up as it show's as green under the IPSec section however no traffic seems to flow through the tunnel and there is no connectivity. I am essentially using the IPSec VPN to allow a GRE tunnel from a partner companies router on the remote site to a router on the internal network side of the PA500. The basic network setup is as follows;
3x physical interfaces, one in outside zone, one in DMZ zone and one internal
1x loopback interface which I have assigned a public IP address and is used as the VPN endpoint. This was placed in the outside zone
I have created an IKE and IPSec crypto policy which matches the requirements of the peer ASA and I have also created a IKE Gateway which uses the loopback interface, this uses PSK for authentication. There is also the IPSec tunnel configuration which uses the local IP address of the GRE router as te local proxy address and the public IP address of the partner ASA as the remote proxy address. The protocol uses "any" (on the actual router itself the GRE tunnel interface has a source of which matches this local proxy address and a destination that matches the public IP address of the ASA). I also created a static route for the public IP address of the remote ASA. A security policy was then created to allow ike and ipsec-esp from the loopback VPN interface to the public IP of the ASA, I also created a reverse rule; these were called Outbound VPN and Inbound VPN.
The tunnel does not come up straight away however if I run the following commands it does establish.
test vpn ipsec-sa tunnel VPN_TUNNELx
Then when I go back into the IPSec tunnel under Network it show's green, so I am assuming that the IKE and IPsec polcies match and also the routing and proxy IDs...
However when I try the following command;
show vpn flow name VPN_TUNNELx
It doesnt show any packets being sent or received.
I ran a continous ping from the internal router to the other GRE tunnel endpoint on the other side of the ASA to generate some traffic, then looked at the Traffic under the Monitor tab to see if anything was being detected and could not see anything other than the IKE traffic for the VPN tunnel...
Im at a bit of a loss as to what to look at next, I'm guessing I also need to create a rule to allow the GRE traffic from the internal zone to the outside zone and also reverse perhaps? I was hoping to get some guidance on what area's to focus troubleshooting on as I'm very new to Palo Alto!
Many thanks in advance!
After doing the ping run this command.
Show session all filter source [test PC IP addr]
This should return several sessions with a session ID#
Show session id xxxxx
Now look at the ingress and egress interfaces. Packets should ingress from the corresponding ethernet and they should egress out interface tunnel.x. Also look at the packets sent and packets received. You will probably see one way traffic. 1 sent 0 received. Also see if NAT is being applied. This is usually undesirable and could be one reason the traffic is failing.
Then stop the ping and run the test again from the other direction. Use the same commands. Ingress should be tunnel.x and egress should be the correct Ethernet.
Assuming you have these zones
WAN, LAN, VPN
You may want to add the following rules to see if any packets are being discarded silently.
Src Zone WAN, Dst Zone WAN, Any Src address, Any Dst address, Any application, allow
Src Zone LAN, Dst Zone LAN, Any Src address, Any Dst address, Any application, allow
Src Zone VPN, Dst Zone VPN, Any Src address, Any Dst address, Any application, allow
Src Zone ANY, Dst Zone ANY, Any Src address, Any Dst address, Any application, deny
The "any, any, deny" rule will break VPN (IPSEC, SSL) and routing protocols without the corresponding rules to allow traffic that sourced from Zone X to terminate on Zone X.
You didn't mention about routing and I had a similar problem, until I noticed that I didn't route the branch office's network in the Virtual router's static routes -section to the appropriate tunnel interface. The problem was that tunnel went up bu no traffic was seen. Once I entered the missing static route of the remote proxy network address, it worked as it supposed to be.
Thanks for your response. I took a look at what sessions were open on the fw and even when I run a continual ping I dont see anything. I do see the following though;
23914 ipsec-esp ACTIVE TUNN 220.127.116.11/Internal/50 (18.104.22.168)
vsys1 22.214.171.124/Outside (126.96.36.199)
25433 ike ACTIVE FLOW 188.8.131.52/Outside/17 (184.108.40.206)
vsys1 220.127.116.11/Outside (18.104.22.168)
Which would appear to be the IKE and IPSec sessions, however when I look at the stat's for those particular sessions there is 0 bytes sent/received on the IPSec session and very few packets sent on the IKE session. For the IKE session it lists the rule I created allowing traffic, however for the IPSec it doesn't even though the same rule that allows the IKE traffic allows the ipsec-esp as well...
I will look at the access rules to see that they are allowing the required protocols through.
The routing is an interesting one as this is a GRE tunnel. There is a route to the destination endpoint of the GRE tunnel on the fw (which is a /30 network, one IP is on the remote endpoint and one is on the Cisco router that has the GRE tunnel interface) so my "destination network" is only really a single IP address as far as I can tell?
I've been doing some additional troubleshooting on this issue and have found something that I think might be the cause of the problem but it would be useful if I could get some second thoughts! Basically the remote IKE gateways's IP address is the same as the IP address for the GRE tunnel endpoint making me thing the GRE tunnel terminates on the peer's ASA. My configuration had a static route for this IP address going over my internet connection and this works as the tunnel is established however no traffic goes over the tunnel. I then discovered I needed to put a route for the remote peer network to use the tunnel interface. I'm guessing this is the problem because the PA will have two routes for the same public IP address, one using the internet and one using the VPN tunnel interface?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!