08-07-2023 07:53 AM
Hi, a VPN is configured at two PAs based on the link below and the two PAs can ping each other, but the VPN cannot work. I tested it with the commands below. Can anyone help to fix it? Thank you
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK
admin@PA-VM> test vpn ipsec-sa
Start time: Aug.07 07:48:19
Initiate 2 IPSec SA.
admin@PA-VM>
admin@PA-VM> show vpn ipsec-sa
There is no IPSec SA found.
admin@PA-VM>
admin@PA-VM> show vpn ike-sa
There is no IKEv1 phase-1 SA found.
There is no IKEv1 phase-2 SA found.
IKEv2 SAs
Gateway ID Peer-Address Gateway Name Role SN Algorithm Established Expiration Xt Child ST
---------- ------------ ------------ ---- -- --------- ----------- ---------- -- ----- --
2 10.2.0.1 IKE-Gateway123 Init 16 PSK/ / / 5 2 INIT sent
IKEv2 IPSec Child SAs
Gateway Name TnID Tunnel ID Parent Role SPI(in) SPI(out) MsgID ST
------------ ---- ------ -- ------ ---- ------- -------- ----- --
IKE-Gateway123 2 IPSec-Tunnel123 8 16 Init 00000000 00000000 00000000 GetSPI done
Show IKEv2 SA: Total 1 gateways found. 1 ike sa found.
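To make the quoted output easier to read, here is an added example (not code from this thread or from Palo Alto Networks): a small Python parser for `show vpn ike-sa` that pulls out the IKEv2 SA and Child SA rows, ties each child to its parent IKE SA by SN, and explains what a non-established state means. The column layout is assumed from the output quoted above; the healthy sample, its algorithm string and its timestamp formatting are constructed for contrast.

```python
"""Read PAN-OS 'show vpn ike-sa' output and explain non-established SAs.

Added example for this thread, not Palo Alto Networks code.  Column layout
is assumed from the output quoted in the question; PAN-OS may widen columns,
so rows are parsed by tokens rather than fixed offsets.
"""
import re
from dataclasses import dataclass

# Constructed sample: the 'show vpn ike-sa' output quoted in the question.
SAMPLE_FAILING = """\
There is no IKEv1 phase-1 SA found.
There is no IKEv1 phase-2 SA found.
IKEv2 SAs
Gateway ID Peer-Address Gateway Name Role SN Algorithm Established Expiration Xt Child ST
---------- ------------ ------------ ---- -- --------- ----------- ---------- -- ----- --
2 10.2.0.1 IKE-Gateway123 Init 16 PSK/ / / 5 2 INIT sent
IKEv2 IPSec Child SAs
Gateway Name TnID Tunnel ID Parent Role SPI(in) SPI(out) MsgID ST
------------ ---- ------ -- ------ ---- ------- -------- ----- --
IKE-Gateway123 2 IPSec-Tunnel123 8 16 Init 00000000 00000000 00000000 GetSPI done
Show IKEv2 SA: Total 1 gateways found. 1 ike sa found.
"""

# Constructed healthy counterpart (hypothetical values; algorithm string,
# timestamps and child state are approximated, not copied from a firewall).
SAMPLE_HEALTHY = """\
IKEv2 SAs
Gateway ID Peer-Address Gateway Name Role SN Algorithm Established Expiration Xt Child ST
---------- ------------ ------------ ---- -- --------- ----------- ---------- -- ----- --
2 10.2.0.1 IKE-Gateway123 Init 17 PSK/DH14/A256/SHA256 Aug.07 09:10:00 Aug.07 17:10:00 0 1 Established
IKEv2 IPSec Child SAs
Gateway Name TnID Tunnel ID Parent Role SPI(in) SPI(out) MsgID ST
------------ ---- ------ -- ------ ---- ------- -------- ----- --
IKE-Gateway123 2 IPSec-Tunnel123 9 17 Init 0a1b2c3d 4e5f6071 00000002 Established
Show IKEv2 SA: Total 1 gateways found. 1 ike sa found.
"""

# Leading fixed columns of an IKEv2 SA row: ID, peer, gateway name, role, SN.
IKE_HEAD = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(Init|Resp)\s+(\d+)\s")
# Trailing columns: Xt, Child, ST.  ST must start with a letter so the two
# integers before it cannot be digits taken from the Established/Expiration
# timestamps.
IKE_TAIL = re.compile(r"\s(\d+)\s+(\d+)\s+([A-Za-z].*)$")
# Child SA row: gateway, TnID, tunnel, ID, parent SN, role, SPIs, MsgID, ST.
CHILD_ROW = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(Init|Resp)\s+"
    r"([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(.+)$")

STATE_HINTS = {
    "INIT sent": "IKE_SA_INIT was sent but no response has been processed; "
                 "confirm the peer is reachable on UDP/500 (UDP/4500 with "
                 "NAT-T), that it has a gateway for this peer address, and "
                 "read the System log and mp-log ikemgr.log on both sides",
}


@dataclass
class IkeSa:
    gateway_id: int
    peer: str
    gateway: str
    role: str
    sn: int
    state: str


@dataclass
class ChildSa:
    gateway: str
    tunnel: str
    sa_id: int
    parent_sn: int
    spi_in: str
    spi_out: str
    state: str


def parse_ike_sa_output(text):
    """Return (ike_sas, child_sas) found in the CLI output."""
    ike, child, section = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "IKEv2 SAs":
            section = "ike"
            continue
        if line == "IKEv2 IPSec Child SAs":
            section = "child"
            continue
        # Skip table headers, separator lines, and the summary/notice lines.
        if not line or line.startswith(("Gateway ID ", "Gateway Name ",
                                        "-", "Show ", "There ")):
            continue
        if section == "ike":
            head, tail = IKE_HEAD.match(line), IKE_TAIL.search(line)
            if head and tail:
                ike.append(IkeSa(int(head[1]), head[2], head[3], head[4],
                                 int(head[5]), tail[3]))
        elif section == "child":
            m = CHILD_ROW.match(line)
            if m:
                child.append(ChildSa(m[1], m[3], int(m[4]), int(m[5]),
                                     m[7], m[8], m[10]))
    return ike, child


def diagnose(text):
    """Return a list of findings; an empty list means every SA looks healthy."""
    ike, child = parse_ike_sa_output(text)
    findings = []
    for sa in ike:
        if sa.state != "Established":
            findings.append({
                "kind": "ike_not_established", "sn": sa.sn, "peer": sa.peer,
                "gateway": sa.gateway, "state": sa.state,
                "reason": STATE_HINTS.get(
                    sa.state, "IKE SA not established; check the System log "
                              "and mp-log ikemgr.log")})
    unestablished = {f["sn"] for f in findings}
    for c in child:
        # An all-zero SPI means no IPsec SA has been negotiated yet, which is
        # why 'show vpn ipsec-sa' reports nothing for the tunnel.
        if "00000000" in (c.spi_in, c.spi_out):
            reason = ("no IPsec SA negotiated (SPI 0); expected while the "
                      "parent IKE SA is not established"
                      if c.parent_sn in unestablished else
                      "no IPsec SA negotiated although the parent IKE SA is "
                      "up; compare proxy IDs and IPsec crypto profiles")
            findings.append({"kind": "child_not_negotiated", "tunnel": c.tunnel,
                             "parent_sn": c.parent_sn, "state": c.state,
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for label, sample in (("failing", SAMPLE_FAILING), ("healthy", SAMPLE_HEALTHY)):
        print(f"== {label} ==")
        for f in diagnose(sample) or [{"kind": "ok", "reason": "all SAs established"}]:
            print(f"{f['kind']}: {f['reason']}")
```

Run against the output quoted above it reports the IKE SA to 10.2.0.1 as `INIT sent` and the child SA for IPSec-Tunnel123 as not negotiated because its parent (SN 16) is not up, which is the same chain of cause and effect the later replies work through.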
08-07-2023 08:26 AM
Hello @kevinospf
You can find more details about what is causing the failure in the system logs and the ikemgr logs (less mp-log ikemgr.log).
The following KB might be helpful:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC
08-07-2023 10:32 AM - edited 08-07-2023 12:00 PM
Thanks for your reply!
The IPsec tunnel is up, but users behind the PA cannot ping users on the other side. I got the result below after entering the command "show routing route".
The nexthop is "0.0.0.0". I checked the virtual router configuration. I did not find anything wrong. Is this a security issue or a routing issue?
08-07-2023 08:58 PM
The routing is pointing to the tunnel interface, that should be fine.
Can you provide the output for the below commands from both the firewalls (remember to remove confidential details such as IPs)
> show vpn ike-sa detail gateway <gateway-name>
> show vpn ipsec-sa tunnel <tunnel-name>
> show vpn flow tunnel-id <tunnel-id-number>
Make sure the firewalls are allowing the user traffic.
08-08-2023 07:14 AM
The issue is resolved thanks to your question. Thanks for your questions.