09-24-2014 07:15 AM
I have three offices:
Office 1: US - northeast 1.1.1.1 PAN-500HA
Office 2: US - southeast 2.2.2.2 PAN-3020HA HQ site
Office 3: Shanghai China 3.3.3.3 PAN-200
All three IPSEC tunnels were up and running. My Office 3 moved locations, and when they did that we obtained a new static IP from the executive office we moved into. We updated the firewalls with the new external interface IP and the IPSEC tunnel info on the local site, updated all peer sites, and committed the changes. After the commit the Office 1 to Office 3 tunnel came up no problem, but Office 2 to Office 3 will not come up. We have deleted the config on both Office 2 and Office 3 and reconfigured. We have rebooted both firewalls, rebooted the router in Office 2, and changed the preshared key on both sites. We have triple-checked that our routes are correct in each virtual router, and contacted both ISPs to make sure they are not blocking any UDP 500, 4500 or ESP traffic. They both say all IPs, ports and protocols are open.
What we are seeing in the logs is that Office 3 is initiating IKE phase 1 traffic out, but the peer box is not seeing any traffic coming in from Office 3, nor is it initiating anything out to it either. In the IKE gateway for each we currently have it set to:
Exchange mode: main
IKE Crypto Profile: set at default for troubleshooting purposes
Unchecked "Enable passive mode"
Checked "Enable NAT traversal"
I have an open ticket with support, but they have been unable to figure out the problem yet. It has been escalated, but I am still waiting for a callback today to continue working on it.
Has anyone run into this and if so how did you get it working again?
Any help would be greatly appreciated.
HQ Site
Shanghai Site
09-25-2014 03:02 PM
Good to see, the case has been closed today.
Thanks
09-26-2014 06:25 AM
We found the problem. On our HQ firewall we have a clean-up rule set. When we put that in initially it caused all of our tunnels to go down, since it was dropping the IKE phase 1 traffic. We put a VPN tunnel policy in place with source zone external and all four site external IPs, and destination zone with all four external IPs, one for each site, allowing any app and any service. Stupid me, I forgot we had to set that up, and that policy had the old IP address in it. Once we updated the policy with the new IP and committed, the tunnel came up no problem.
Thanks for all your help.
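As an added illustration of the fix described in the post above (example code, not from the thread or from Palo Alto Networks): a small first-match policy evaluator showing the IKE packet from the relocated Shanghai office hitting the clean-up rule while the VPN rule still lists the old address, plus a check for addresses a rulebase references that no current site uses. The new Shanghai address 4.4.4.4 is an assumed placeholder, since the thread never gives it.

```python
from collections import namedtuple

# Constructed sample data: site WAN IPs are the ones the thread uses; the
# Shanghai office's new address is an assumed placeholder, not from the thread.
HQ = "2.2.2.2"
OLD_SHANGHAI = "3.3.3.3"
NEW_SHANGHAI = "4.4.4.4"

# Rule fields other than name/action are "any" or a set; services are (proto, port) tuples.
Rule = namedtuple("Rule", "name from_zone to_zone sources destinations services action")
Packet = namedtuple("Packet", "from_zone to_zone src dst proto port")

def _match(field_value, candidate):
    return field_value == "any" or candidate in field_value

def evaluate(rules, pkt):
    """First-match lookup; traffic matching no rule hits the implicit deny."""
    for r in rules:
        if (_match(r.from_zone, pkt.from_zone) and _match(r.to_zone, pkt.to_zone)
                and _match(r.sources, pkt.src) and _match(r.destinations, pkt.dst)
                and _match(r.services, (pkt.proto, pkt.port))):
            return r.name, r.action
    return "implicit-deny", "deny"

def vpn_rulebase(site_ips):
    """HQ rulebase as the thread describes it: an external-to-external allow
    between the site IPs, followed by the clean-up rule that denies the rest."""
    return [
        Rule("VPN-Tunnels", {"external"}, {"external"}, set(site_ips), set(site_ips), "any", "allow"),
        Rule("Clean-Up", "any", "any", "any", "any", "any", "deny"),
    ]

def ike_from_shanghai(site_ips, shanghai_ip):
    """Fate of an IKE main-mode packet (UDP/500) from Shanghai arriving at HQ."""
    pkt = Packet("external", "external", shanghai_ip, HQ, "udp", 500)
    return evaluate(vpn_rulebase(site_ips), pkt)

def stale_addresses(rules, current_ips):
    """Addresses the rulebase still references that no current site uses."""
    referenced = set()
    for r in rules:
        for field in (r.sources, r.destinations):
            if field != "any":
                referenced |= field
    return referenced - set(current_ips)

if __name__ == "__main__":
    before, after = ["1.1.1.1", HQ, OLD_SHANGHAI], ["1.1.1.1", HQ, NEW_SHANGHAI]
    print(ike_from_shanghai(before, NEW_SHANGHAI), ike_from_shanghai(after, NEW_SHANGHAI))
    print(stale_addresses(vpn_rulebase(before), after))
```

Running the stale-address check after every site re-addressing would have flagged 3.3.3.3 as the leftover entry before the commit.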
09-26-2014 08:36 AM
Good to hear that it is solved. Implicit deny should always be written carefully.