VPN passthrough

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

VPN passthrough

L1 Bithead
Hi, we're experiencing issue with site-to-site connectivity since we installed PAN firewall in the network few days ago. There are many IPSec (ikev1) tunnels configured between endpoints on the internet and Cisco VPN concentrator (ISR 4k router) behind the PAN firewall. Only 2 specific sites can't establish IPsec connection anymore since PAN has been installed in the prodution. Network diagram before PAN was installed in the network: customer linux server with openswan - (private IP) - customer router with NAT 1:1 - ##internet## - router - (pub IP) - VPN concentrator Network diagram after PAN has been installed: customer linux server with openswan - (private IP) - customer router with NAT 1:1 - ##internet## - router - (pub IP) - PAN firewall - (pub IP) - VPN concentrator Logs on Cisco ISR: *Jan 27 20:30:31.891: ISAKMP-PAK: (1468):sending packet to my_port 500 peer_port 500 (R) MM_KEY_EXCH *Jan 27 20:30:31.891: ISAKMP: (1468):Sending an IKE IPv4 Packet. *Jan 27 20:30:31.891: ISAKMP: (1468):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Jan 27 20:30:31.891: ISAKMP: (1468):Old State = IKE_R_MM3 New State = IKE_R_MM4 *Jan 27 20:30:33.440: ISAKMP: (1080):purging node 2651156776 *Jan 27 20:30:41.891: ISAKMP: (1468):retransmitting phase 1 MM_KEY_EXCH... *Jan 27 20:30:41.891: ISAKMP: (1468):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1 There is access policy configured on PAN that permits "any" application, "any service" between zones/ip addresses. It seems there is some traffic blocked by PAN. I run packet capture with filters defined (public IP addresses of both endpoints) and there were some NAT-T (udp/4500) packets dropped in the "drop" packet capture file. I configured one linux server with openswan for testing purposes and assigned public IP address on the network adapter. IPsec tunnel was established without any problem. I tried to lower MTU (1300) on outside interface but it didn't solve the problem. Does anyone have any idea what could be wrong?

Cyber Elite
Cyber Elite

Have you verified why the packet was in the drop stage? you can follow global counters while you're doing packetcaptures:

> show counter global filter delta yes packet-filter yes


This will show why packets may get discarded (also, traffic logs or threat logs may help shed light on what's going on)



Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi, thanks for the hint. I found one counter with severity=drop: zonechange: flow_fwd_zonechange 2 0 drop flow forward Packets dropped: forwarded to different zone Customer is connecting from "outside" (only default route matches), DMZ, where site-to-site VPN concentrator is installed is using "connected" route. There are only static routers configured on PAN. There is no NAT configured for DMZ zone. Firewall rule permits any traffic (I tried with app-default, all tcp+udp ports...). Packet capture shows dropped packets (stage=dropped) with customers public IP address as originating IP address and with our site to site VPN concentrator's public IP address as the destination IP address. Could you please give me a hing how can I diagnose the root cause of the issue?

Hi, I found one interesting info: show session all filter from OUTSIDE source 38 ipsec-esp-udp ACTIVE FLOW[4500]/OUTSIDE/17 ([4500]) vsys1[4500]/OUTSIDE ([4500]) 4220 ike ACTIVE FLOW[500]/OUTSIDE/17 ([500]) vsys1[500]/DMZ ([500]) There are two different zones detected for same connection flow: OUTSIDE (wrong) and DMZ (correct). Zone configuration only includes interface name. Strange...

can you include a network design and what your routing table looks like?


there may be overlap in your IP subnets on your interfaces, or irregularities in your routing table

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi, here is the network diagram





that looks more straight forward than I had expected 🙂


So your firewall has 1 interface, one interface, the static routing table is ->

Then a security policy any any accept, no nat ?



Ah but wait, it's the same ISR4K providing the ipsec endpoint that also provides your WAN routing ?

could it be it is performing som einternal routing and some packets may be egressing on the opposite side of the firewall ?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi, there are two different ISR routers installed.

There is not NAT configured between OUTSIDE and DMZ.

Any chance you're running < 8.0.7 code?



Hi, no, we're running 8.0.7.

  • 9 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!