04-06-2017 11:17 AM
Hi all. I am trying to set up a site-to-site VPN tunnel with one of our customers. I've got the dedicated layer 3 zone, tunnel interface, IKE Gateway, Virtual Router etc. configured per the Palo Alto admin guide. In the "IPSec Tunnels" section, it shows the VPN tunnel is up. However, I cannot access any of the servers located in the customer's environment.
In the Traffic monitor tab, it shows the traffic is being sent over to the customer's network, yet nothing is returning from them (Bytes Send = xxx; Bytes Received = 0; Packet Send = xxx, Packet Received = 0).
Am I missing something here?
Thank you.
04-11-2017 06:17 AM
Hi all. I don't have access to the customer's network, thus no pcap is available from their end. It is a pain to get a hold of their staff to investigate this issue. They keep responding that they've done the necessary configuration at their end, and from their perspective, this VPN configuration has been completed at their end. Yet no network traffic is coming from their end.
I've gone over the troubleshooting steps as outlined here,
I can see the "Encap Bytes" value keeps increasing, while the "Decap Bytes" stays constant. Per the explanation, that indicates network traffic is going out, but nothing returns from the target.
04-11-2017 06:59 AM
I think in this situation you and the other end should get on a conference call and go through all the troubleshooting steps live rather than finger-pointing. Without the other end, it is going to be hard to get this resolved, as you can see.
04-11-2017 11:23 PM
From what you described here I would say that the issue is definitely on the other side. If you are sending packets into the tunnel, they are getting them. Now they must find out what happens with them. And I feel your pain. I've also had many occasions when I was debugging VPN on the other end as well, even though I had a contract only with my customer 🙂
One (very unlikely) issue could also be an SPI mismatch; exchange info about SPIs with the admin on the other end and check if they match.
I guess on your side you have only 1 pair?
04-17-2017 06:23 AM
Hi all. After a couple of email exchanges with the customer, and conference calls, it turns out their network administrator configured the VPN tunnel, yet he didn't configure the routes for this VPN connection. That explains why the tunnel is up, but no traffic goes through. Now they've assigned another network administrator to look into it, yet he is on vacation till mid May.... Nothing can be done till mid May. Thank you for all the feedback, much appreciated!