Site-to-Site VPN private subnets cannot ping eachother through the tunnel

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Site-to-Site VPN private subnets cannot ping eachother through the tunnel

L1 Bithead

I am new to learning Palo Alto Firewalls.  I have a couple of PA-8.0.0 virtual machine instances setup on my desktop with internet access through my home network on a Windows 10 host machine, for learning purposes.  I configured site-to-site vpn and can get the tunnel up, both phase1 and phase2.  The firewalls can ping eachother’s external IP addresses but their respective internal private hosts cannot ping eachother through the tunnel.  The configuration seems fine and nothing in the system logs indicate any drops or disconnection.  Am I missing a security policy or what else needs doing?  I have security policies configured on each firewall to allow traffic out to the external untrust zone.  Any assistance will be appreciated.   

2 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

@Palobeacon,

Did you setup static routes so that the firewall knows how to route the traffic through the IPSec tunnel? Do you have a security rulebase entry allowing traffic to actually process across the IPSec tunnel zone that you added? 

 

If you haven't already, override your interzone-default security entry to log denied traffic so you can see if it's a security entry that is missing or not. 

View solution in original post

Cyber Elite
Cyber Elite

Hello,

Also make sure your policies are set log log at session end. Make sure there are policies to allow the traffic to traverse the zones if you configured them.

Regards,

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

@Palobeacon,

Did you setup static routes so that the firewall knows how to route the traffic through the IPSec tunnel? Do you have a security rulebase entry allowing traffic to actually process across the IPSec tunnel zone that you added? 

 

If you haven't already, override your interzone-default security entry to log denied traffic so you can see if it's a security entry that is missing or not. 

Cyber Elite
Cyber Elite

Hello,

Also make sure your policies are set log log at session end. Make sure there are policies to allow the traffic to traverse the zones if you configured them.

Regards,

Thanks for your assistance. There's been some progress. I do have static routes setup for both firewalls. I also have security rules setup. I checked the settings based on your suggestions and adjusted the rule for outbound traffic from site 2. I also configured proxy-id for both firewalls just in case (it does say it is not needed if they are both PA firewalls).

So now site 2 internal hosts can ping through the tunnel to site 1 internal hosts but for some reason, site 1 hosts cannot ping to site 2 host. The configurations are the same.

I think site 2 firewall may be missing a security policy. The internal hosts are able to ping site 1 internal hosts. However, I have now noticed that site 2 internal hosts cannot reach the webserver in the DMZ zone of site 1 even though it is accessible by hosts from other locations. I do have a security policy on the site 1 firewall that allows access to the server from the outside.

Thanks for your assistance.

L1 Bithead

Thanks all, for your assistance.  I adjusted the security policy to allow traffic to pass through the tunnel.  Both sites can communicate through the tunnel now.  Everything is working fine.

 

Thank you all

  • 2 accepted solutions
  • 6999 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!