Traffic between tunnels - need config help

L1 Bithead

I have two IPSec tunnels configured. Traffic is flowing between a local interface and each of these two tunnels, but I can't seem to get traffic flowing between the two tunnels.

I have two sites, Site1 and Site2, each with a PA and one external interface. I have an IPSec tunnel between them via the external interface, so clients at Site1 can reach clients at Site2 without issue. I also have an IPSec GlobalProtect Gateway configured on the PA at Site1, also via the external interface. GP clients can reach clients at Site1 without issue. I'm trying to get GP clients able to reach clients at Site2.

I have static routes set up, and To/From policies that allow traffic between the GP and Site2 zones on both PAs. The traffic logs are showing "allow", but sessions are "aging-out". I've tried adding the GP network to the site-to-site tunnel's Proxy IDs. I've also tried setting up a "No-NAT" from the GP zone to the Site2 zone on the Site1 PA.

I'm thinking this must have something to do with NAT, but I'm not sure what the answer is. Help is much appreciated.

Accepted Solutions

Cyber Elite

Hello there.

Seems to be a simple (and yet complex) setup, so let's agree on a few things.

Let's put together some generic site IPs to make things easier.

GP addresses are 10.0.0.0

Site 1 is 172.16.0.0/12

Site 2 is 192.168.0.0/16

First, I believe the step/configuration that you are missing is going to be the routing table.

Your routing table (if properly configured) knows (from the Site 1 perspective) that to get to Site 2, it should use the tunnel interface.

This gets traffic from Site 1 to Site 2.

But... GP traffic (from Site 1) knows to use the routing table to get across the tunnel interface to get to Site 2.

So... what does Site 2 know about getting BACK to GP?

Its routing table does NOT know about GP (across the VPN).

It would only know about the Site 1 subnet, and that is NOT the GP subnet.

So... you have 2 choices.

SNAT the traffic from GP to be a Site 1 subnet (so 10.x.x.x looks to be 172.16.0.0/12 traffic)

or

You can add a 2nd route on the Site 2 virtual router, telling it that to get to 10.0.0.0 AND to 172.16.0.0/12, use the tunnel interface and send it back to Site 1.

Because you are going PA FW to PA FW, you do not need any Proxy IDs.

They should be removed.

I do this all the time in my environments.

If you want to do a remote desktop screen share with Zoom or similar, let me know.

Should be 30 min or less of troubleshooting to resolve this issue.

Let me know if this helps.

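As an added illustration (not from the thread, and not Palo Alto Networks code), here is a small Python model of the two virtual routers that reproduces the symptom the question describes. It walks one GP-client-to-Site2 flow through a longest-prefix-match lookup on each side: the Site1 policy allows the packet and forwards it into the tunnel, but without a return route Site2 sends the reply out its default route, so the session never completes and ages out. It then shows both fixes from the answer: a return route for the GP pool on Site2, or SNAT of GP traffic to a Site1 address. The interface names (ethernet1/1, ethernet1/2, tunnel.1, tunnel.10), the /8 mask on the GP pool, the host addresses and the SNAT address are all constructed assumptions.

```python
import ipaddress

# Constructed addressing, following the answer's generic plan. The GP pool is
# assumed to be 10.0.0.0/8; the post only says "10.0.0.0".
GP_POOL = "10.0.0.0/8"
SITE1_LAN = "172.16.0.0/12"
SITE2_LAN = "192.168.0.0/16"


class VirtualRouter:
    """Toy longest-prefix-match routing table standing in for a PA virtual router."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # list of (network, egress interface)

    def add_route(self, prefix, interface):
        self.routes.append((ipaddress.ip_network(prefix), interface))

    def lookup(self, address):
        """Return the egress interface for an address, or None if nothing matches."""
        addr = ipaddress.ip_address(address)
        candidates = [(net, iface) for net, iface in self.routes if addr in net]
        if not candidates:
            return None
        # Most specific prefix wins, exactly as a real FIB lookup does.
        return max(candidates, key=lambda entry: entry[0].prefixlen)[1]


def build_site1():
    """Site1 VR: knows its LAN, the GP pool and the route to Site2 (assumed names)."""
    vr = VirtualRouter("site1")
    vr.add_route("0.0.0.0/0", "ethernet1/1")  # default route toward the ISP
    vr.add_route(SITE1_LAN, "ethernet1/2")    # local LAN
    vr.add_route(GP_POOL, "tunnel.10")        # GlobalProtect gateway tunnel
    vr.add_route(SITE2_LAN, "tunnel.1")       # site-to-site tunnel to Site2
    return vr


def build_site2(with_gp_route):
    """Site2 VR: only Site1's LAN is known across the VPN unless the GP route is added."""
    vr = VirtualRouter("site2")
    vr.add_route("0.0.0.0/0", "ethernet1/1")
    vr.add_route(SITE2_LAN, "ethernet1/2")
    vr.add_route(SITE1_LAN, "tunnel.1")
    if with_gp_route:
        vr.add_route(GP_POOL, "tunnel.1")     # the missing return route from the answer
    return vr


def trace_session(site1, site2, gp_client, site2_host, snat_to=None):
    """Walk one GP-client -> Site2 flow through both routers.

    snat_to: if set, the Site1 firewall translates the GP source to this Site1
    address before sending it over the tunnel (the answer's SNAT option).
    Returns the forward egress, the source Site2 sees, the return egress and
    whether the session completes or ages out.
    """
    forward = site1.lookup(site2_host)
    seen_src = snat_to if snat_to else gp_client
    back = site2.lookup(seen_src)
    # The reply only reaches the client if Site2 sends it back into the tunnel.
    completes = forward == "tunnel.1" and back == "tunnel.1"
    return {
        "forward_egress": forward,
        "source_seen_by_site2": seen_src,
        "return_egress": back,
        "outcome": "established" if completes else "aging-out",
    }


if __name__ == "__main__":
    s1 = build_site1()
    scenarios = [
        ("no return route on Site2", build_site2(False), None),
        ("route 10.0.0.0/8 via tunnel.1 on Site2", build_site2(True), None),
        ("SNAT GP traffic to 172.16.0.1 on Site1", build_site2(False), "172.16.0.1"),
    ]
    for label, s2, snat in scenarios:
        print(label, "->", trace_session(s1, s2, "10.0.0.5", "192.168.1.20", snat))
```

Running the script prints the three scenarios. In the first, the return egress is the Site2 default route, which is why the Site1 traffic log can show "allow" while the session still ages out; the other two both yield "established". The model deliberately has no security policy at all, because the question already confirmed policy was not the blocker.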


All Replies

L1 Bithead

Thank you, Steve!  I was sure I had the route back to the GP network set on the Site2 PA, but lo-and-behold it wasn't there, and that solved it.

L1 Bithead

And yet somehow removing the Proxy IDs from the tunnel killed it again.  Any ideas why those are necessary even though it's PA to PA?

Cyber Elite

Proxy IDs are used for policy-based (Cisco, CP, Juniper) to route-based (PANW) firewalls.

Definitely NOT needed, after installing multiple PANW firewalls, and 9 years as a PANW certified training instructor.

Now, it is conceivable that your tunnels should be cleared and re-established to flush out any miscellaneous SPI/SPD info.

Let me know!
