We are seeing an issue where we have multiple GRE tunnels configured for zone Zscaler. When we enable monitoring of the GRE tunnels with a health probe, it sends a packet with the GRE tunnel interface's private IP address as the source and the peer tunnel private IP as the destination. We are noticing that a few times a day the FW starts dropping packets because it is unable to tie the destination interface for the return packet. We can see this behavior in a packet capture with the drop filter.

Ex: Tunnel 11 is configured in the Zscaler zone with IP address 172.19.220.201/30 --> Peer IP 172.19.220.202 - intrazone traffic. When the packet returns from the destination, the FW is unable to bind the destination interface as Tunnel 11, so it puts the packet in the internet zone and drops it due to interzone policy.
Routing table snapshots:
@GRE-Tunnel, #paloalto @routing
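To make the zone-lookup failure in the post concrete, here is an added Python model (not from the original post or from PAN-OS) of how the firewall resolves the probe reply's destination zone by route lookup. The tunnel 11 addresses come from the post; the interface names, the internet-facing interface and the default route are assumptions, as is the premise that when the tunnel's /30 connected route is absent the default route decides the zone.

```python
import ipaddress

# Constructed interface-to-zone map. Only the tunnel 11 addressing is from the
# post; the interface names and the internet zone interface are assumptions.
INTERFACE_ZONE = {
    "tunnel.11": "Zscaler",      # GRE tunnel to Zscaler (assumed name)
    "ethernet1/1": "internet",   # assumed internet-facing interface
}

def make_routes(tunnel_connected_route_present):
    """Constructed routing table: a default route plus, optionally, the /30
    connected route that tunnel.11 contributes while it is up."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1")]
    if tunnel_connected_route_present:
        routes.append((ipaddress.ip_network("172.19.220.200/30"), "tunnel.11"))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: egress interface the FW would pick for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def classify_reply(routes, ingress_if, src, dst):
    """Zone pair for the probe reply (peer IP -> tunnel IP) arriving on
    ingress_if, under a policy that only permits intrazone traffic.
    Returns (from_zone, to_zone, verdict)."""
    from_zone = INTERFACE_ZONE[ingress_if]
    to_zone = INTERFACE_ZONE[lookup(routes, dst)]
    verdict = "allow (intrazone)" if from_zone == to_zone else "drop (interzone)"
    return from_zone, to_zone, verdict

if __name__ == "__main__":
    # Healthy case: /30 route present -> Zscaler to Zscaler, allowed.
    # Failure case from the post: route gone -> default route wins, reply is
    # classified Zscaler to internet and dropped by interzone policy.
    for present in (True, False):
        print("tunnel route present:", present,
              classify_reply(make_routes(present), "tunnel.11",
                             "172.19.220.202", "172.19.220.201"))
```

Comparing the routing table snapshot taken at the time of the drop against this healthy/failed pair shows whether the tunnel's connected route was missing when the probe reply arrived.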