VPN cannot work between two PA

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

VPN cannot work between two PA

L3 Networker

Hi VPN is configured at two PA based on the below link and the two PA can ping each other, but the vpn cannot work. I tested it with below commands. Anyone can help to fix it? Thank you

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK

 

 

admin@PA-VM> test vpn ipsec-sa

Start time: Aug.07 07:48:19
Initiate 2 IPSec SA.

admin@PA-VM>
admin@PA-VM> show vpn ipsec-sa

There is no IPSec SA found.

admin@PA-VM>
admin@PA-VM> show vpn ike-sa

There is no IKEv1 phase-1 SA found.

There is no IKEv1 phase-2 SA found.


IKEv2 SAs
Gateway ID Peer-Address Gateway Name Role SN Algorithm Established Expiration Xt Child ST
---------- ------------ ------------ ---- -- --------- ----------- ---------- -- ----- --
2 10.2.0.1 IKE-Gateway123 Init 16 PSK/ / / 5 2 INIT sent

IKEv2 IPSec Child SAs
Gateway Name TnID Tunnel ID Parent Role SPI(in) SPI(out) MsgID ST
------------ ---- ------ -- ------ ---- ------- -------- ----- --
IKE-Gateway123 2 IPSec-Tunnel123 8 16 Init 00000000 00000000 00000000 GetSPI done
00000000 00000000 00000000 GetSPI done

Show IKEv2 SA: Total 1 gateways found. 1 ike sa found.

 

1 accepted solution

Accepted Solutions

L4 Transporter

The routing is pointing to the tunnel interface, that should be fine.

Can you provide the output for the below commands from both the firewalls (remember to remove confidential details such as IPs)
> show vpn ike-sa detail gateway <gateway-name>

> show vpn ipsec-sa tunnel <tunnel-name>

> show vpn flow tunnel-id <tunnel-id-number>

 

Make sure the firewalls are allowing the user traffic.

 

Anoopkumar
Network Security Engineer

View solution in original post

4 REPLIES 4

L4 Transporter

Hello @kevinospf 

 

 

You can find more details about what is causing the failure in the system logs and the ikemgr logs (less mp-log ikemgr.log).

The following KB might be helpful:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

Anoopkumar
Network Security Engineer

L3 Networker

Thanks for your reply! 

IPSect tunnel is up, but users behind PA cannot ping user in other side. I got the below result after entering command "show routing route"

The nexthop is "0.0.0.0". I checked virtual router configuration. I did not find something wrong. Is this security issue or routing issue?

 

kevinospf_0-1691434685393.png

 

 

 

L4 Transporter

The routing is pointing to the tunnel interface, that should be fine.

Can you provide the output for the below commands from both the firewalls (remember to remove confidential details such as IPs)
> show vpn ike-sa detail gateway <gateway-name>

> show vpn ipsec-sa tunnel <tunnel-name>

> show vpn flow tunnel-id <tunnel-id-number>

 

Make sure the firewalls are allowing the user traffic.

 

Anoopkumar
Network Security Engineer

L3 Networker

the issue is resolved due to your question. Thanks for your questions

  • 1 accepted solution
  • 1255 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!