VPN Site to Site configuration between two PAs

L1 Bithead

Hi,

I've been trying to get clients on the end of two different Palo Altos to be able to ping each other. Everything is green but the IPsec Tunnel doesn't seem to be working. Using tracert, traffic from a client first hops to the LAN port and then to the opposite end of the tunnel and stops there. I've already created policies that allow traffic from LAN to VPN and vice versa.

Full 'Picture'
PA 1
Client : 10.10.254.100
LAN : 10.10.254.1
Tunnel IP : 192.168.4.254

PA 2
Client : 10.10.253.100
LAN : 10.10.253.1
Tunnel IP : 172.20.3.253

On tracert from client (10.10.254.100) on PA 1's side :
10.10.254.1 -> 172.20.3.253

Any suggestions?

Thanks!

Cyber Elite

Hi @smshafek ,

When you say, "Everything is green" I assume that you mean the Status > Tunnel Info and Status > IKE Info are both green under Network > IPSec Tunnels.  Good!  Here are a couple of critical places to look:

  1. Click on Status > Tunnel Info and verify there are PKT ENCAP and PKT DECAP counters.  If there are no encaps, then the problem is on the local NGFW.  If there are no decaps, then the problem is on the remote NGFW.
  2. On the problem NGFW, look at Monitor > Logs > Traffic and verify sessions are being allowed to the proper zone.  There could be a LOT of different reasons why this is failing.  You will have to take it from here.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

Cyber Elite

Hello,

Also check to make sure you have security policies to allow ping. If you are attempting to ping interfaces on the PAN's, you'll need to enable that as well in the interface management.

Regards,

Hi @smshafek ,

- If traceroute suggests traffic reaches the remote side of the tunnel, do you see traffic logs on PA 2? More importantly, is the bytes received counter different from zero? This should confirm whether traffic is indeed reaching the other side of the tunnel and whether return traffic is hitting PA 2.

- As @TomYoung suggests, check whether the packets encrypted and packets decrypted counters are increasing on both sides of the tunnel.

- Is there any NAT for the traffic over the tunnel? Have you checked that unintentional NAT is not being applied?

- For a very long time the detailed traffic log of PAN firewalls was completely enough for me to identify most network issues, but recently I had some bizarre cases and I developed a new habit: use global counters with a packet filter applied for the specific traffic - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS If you have control over both firewalls, definitely do that on both sides.

Having results from above should give you some direction where to look next.
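The two checks the replies above converge on (encap/decap counters moving on the tunnel, and traffic-log sessions that are allowed into the VPN zone, un-NATed, and carrying return bytes) can be scripted so the triage is repeatable. The following is an added example written for this thread, not code from the posters or from Palo Alto Networks. It assumes the tunnel counters are read off the Tunnel Info status page as two snapshots taken a minute apart, and it uses a constructed, simplified CSV with the columns named in `LOG_FIELDS` in place of a real PAN-OS traffic log export, which has many more columns.

```python
"""Triage helpers for the checks suggested in this thread.

Added example, not the thread's or vendor's own code. Assumptions:
- Tunnel counters arrive as two snapshots of {"encap": n, "decap": n}.
- Traffic log rows are a simplified CSV with the columns in LOG_FIELDS.
"""
import csv
import io

LOG_FIELDS = ["from_zone", "to_zone", "src", "dst", "natsrc", "natdst",
              "action", "bytes_sent", "bytes_received"]

# Constructed sample using the question's addressing: one healthy session,
# then one with no return bytes, one with unintended source NAT, and one
# that was denied because it was routed to the wrong zone.
SAMPLE_LOG = """\
LAN,VPN,10.10.254.100,10.10.253.100,,,allow,196,196
LAN,VPN,10.10.254.100,10.10.253.100,,,allow,196,0
LAN,VPN,10.10.254.100,10.10.253.100,203.0.113.7,,allow,196,0
LAN,untrust,10.10.254.100,10.10.253.100,,,deny,0,0
"""


def classify_tunnel(before, after):
    """Apply the encap/decap rule from the thread to two counter snapshots.

    A counter that exists but does not move between snapshots is treated
    like a missing one: a stale non-zero value proves nothing about the
    traffic you are troubleshooting right now.
    """
    encaps = after["encap"] - before["encap"]
    decaps = after["decap"] - before["decap"]
    if encaps <= 0 and decaps <= 0:
        return "no traffic entering the tunnel: start on the local firewall"
    if encaps <= 0:
        return "no packets encapsulated: problem is on the local firewall"
    if decaps <= 0:
        return "no packets decapsulated: problem is on the remote firewall"
    return "tunnel carrying traffic both ways: look at policy, NAT and logs next"


def audit_traffic_log(text, expected_zone="VPN"):
    """Return findings for sessions that are not clean, un-NATed,
    two-way traffic into the tunnel zone."""
    findings = []
    rows = csv.DictReader(io.StringIO(text), fieldnames=LOG_FIELDS)
    for n, row in enumerate(rows, 1):
        sess = f"session {n} {row['src']}->{row['dst']}"
        if row["action"] != "allow":
            findings.append(f"{sess}: denied ({row['from_zone']}->{row['to_zone']})")
            continue
        if row["to_zone"] != expected_zone:
            findings.append(f"{sess}: allowed into zone {row['to_zone']}, "
                            f"expected {expected_zone}")
        if row["natsrc"] or row["natdst"]:
            findings.append(f"{sess}: NAT applied (natsrc={row['natsrc'] or '-'}, "
                            f"natdst={row['natdst'] or '-'})")
        if int(row["bytes_received"]) == 0:
            findings.append(f"{sess}: zero bytes received, no return traffic")
    return findings


if __name__ == "__main__":
    # Constructed snapshots: encaps rise, decaps do not, i.e. Tom's
    # "problem is on the remote NGFW" case.
    print(classify_tunnel({"encap": 100, "decap": 50},
                          {"encap": 140, "decap": 50}))
    for finding in audit_traffic_log(SAMPLE_LOG):
        print(finding)
```

Run the counter check on both firewalls, as the last reply recommends; a tunnel that shows encaps on PA 1 but no decaps on PA 2 and no encaps on PA 2 points at the return path on the PA 2 side, which is also where the zero-bytes-received finding from the log audit would show up.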
