02-01-2026 10:00 PM
We have experiencing difficulties having more than one domain encryption in IPsec tunnel, specifically when both are in the same subnet. Only one domain encryption remains active in the IPsec phase2. There are few times you can bounce IPsec gateway and restore connection to affected domain encryption, but after some time again connection lost to the node. Please assist.
#PA1420
02-02-2026 06:09 AM
Palo can't care less about ProxyID's / encryption domains.
They are there only to make peer side happy when peer supports policy based VPN.
Palo uses routing table to decide where traffic should go to.
If you have 2 Palos, then you don't need to use ProxyID at all and then both sides will send 0.0.0.0/0 over to each other behind the scenes.
02-03-2026 02:56 AM
I have PA1420 on my side but remote Peer has Cisco NGFW using Policy based VPN. how will these two behave on handling multiple domain encryptions?
02-03-2026 05:31 AM
Ok in this case you do need ProxyIDs.
You mentioned they are overlapping.
Can you bring few examples how they overlap?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
