Site to Site VPN Tunnel is up, but no traffic pass through


Site to Site VPN Tunnel is up, but no traffic pass through


Hi all.  I am trying to set up a site-to-site VPN tunnel with one of our customers.  I've got the dedicated layer 3 zone, tunnel interface, IKE Gateway, Virtual Router etc. configured per the Palo Alto admin guide.  In the "IPSec Tunnels" section, it shows the VPN tunnel is up.  However, I cannot access any of the servers located in the customer's environment.

In the Traffic monitor tab, it shows the traffic is being sent over to the customer's network, yet nothing is returning from them (Bytes Sent = xxx; Bytes Received = 0; Packets Sent = xxx; Packets Received = 0).

Am I missing something here?

Thank you. 


18 REPLIES

Hi all.  I don't have access to the customer's network, thus no pcap is available from their end.  It is a pain to get hold of their staff to investigate this issue.  They keep responding that they've done the necessary configuration at their end, and from their perspective, this VPN configuration has been completed at their end.  Yet no network traffic is coming from their end.

I've gone over the troubleshooting steps as outlined here,

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Troubleshoot-IPSec-VPN-connectivity-...

I can see the "Encap Bytes" value keeps increasing, while the "Decap Bytes" value stays constant.  Per the explanation, that indicates network traffic is going out, but nothing returns from the target.

I think in this situation you and the other end should get on a conference call and go through all the troubleshooting steps live rather than finger-pointing. Without the other end, it is going to be hard to get this resolved, as you can see.

From what you described here I would say that the issue is definitely on the other side. If you are sending packets into the tunnel, they are getting them. Now they must find out what happens with them. And I feel your pain. I've also had many occasions when I was debugging the VPN on the other end as well, even though I had a contract only with my customer 🙂


One (very unlikely) issue could also be an SPI mismatch; exchange info about SPIs with the admin on the other end and check if they match.

I guess on your side you have only 1 pair?

Hi all.  After a couple of email exchanges with the customer, and conference calls, it turns out their network administrator configured the VPN tunnel, yet he didn't configure the routes for this VPN connection.  That explains why the tunnel is up, but no traffic goes through.  Now they've assigned another network administrator to look into it, yet he is on vacation till mid May....  Nothing can be done till mid May.  Thank you for all the feedback, much appreciated!
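The diagnosis in this thread rests on comparing the tunnel's Encap and Decap counters over time: Encap growing while Decap stays flat means packets leave the tunnel but nothing comes back, which turned out to be missing routes on the remote end. Below is an added example (not from the original thread or from Palo Alto Networks) that compares two counter snapshots and classifies the tunnel's behaviour; the snapshot layout and the tunnel name are constructed assumptions, only the "encap/decap bytes" field names come from the thread.

```python
import re

# Constructed sample snapshots of one IPSec tunnel's counters, taken a minute
# apart. The layout is an assumption for this example, not real PAN-OS output;
# only the encap/decap field names follow the values the thread refers to.
SNAPSHOT_T0 = """
tunnel  vpn-customer-a
        encap packets:    1203
        encap bytes:      148224
        decap packets:    0
        decap bytes:      0
"""
SNAPSHOT_T1 = """
tunnel  vpn-customer-a
        encap packets:    1587
        encap bytes:      195504
        decap packets:    0
        decap bytes:      0
"""

COUNTER_RE = re.compile(r"^\s*(encap|decap) (packets|bytes):\s*(\d+)\s*$", re.M)


def parse_counters(text):
    """Return a dict such as {'encap bytes': 148224, ...} from a counter dump."""
    return {f"{d} {u}": int(v) for d, u, v in COUNTER_RE.findall(text)}


def diagnose(before, after):
    """Classify tunnel behaviour from how encap/decap byte counters changed."""
    b, a = parse_counters(before), parse_counters(after)
    encap_delta = a["encap bytes"] - b["encap bytes"]
    decap_delta = a["decap bytes"] - b["decap bytes"]
    if encap_delta > 0 and decap_delta > 0:
        return "bidirectional"  # tunnel carries both ways; look at policy/app
    if encap_delta > 0:
        # We encrypt and send, nothing returns: as in the thread, the remote
        # side is not routing (or not permitting) traffic back into the tunnel.
        return "one-way: sending, nothing returned"
    if decap_delta > 0:
        return "one-way: receiving, not sending"  # local route/policy problem
    return "idle: no traffic entering tunnel"


if __name__ == "__main__":
    print(diagnose(SNAPSHOT_T0, SNAPSHOT_T1))
```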
