VPN Site to Site configuration between two PAs

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

VPN Site to Site configuration between two PAs

L1 Bithead

Hi,

I've been trying to get clients on the end of two different Palo Altos to be able to ping each other. Everything is green but the IPsec Tunnel doesnt seem to be working. Using tracert, traffic from a client first hops to the LAN Port and then to the opposite end of the tunnel and stops there. I've already created policies that allows traffic from LAN to VPN and vice versa.

Full 'Picture'
PA 1
Client : 10.10.254.100
LAN : 10.10.254.1
Tunnel IP : 192.168.4.254

PA 2
Client : 10.10.253.100
LAN : 10.10.253.1
Tunnel IP : 172.20.3.253

On tracert from client (10.10.254.100) on PA 1's side :
10.10.254.1 -> 172.20.3.253

Any suggestions?

Thanks!

3 REPLIES 3

Cyber Elite
Cyber Elite

Hi @smshafek ,

 

When you say, "Everything is green" I assume that you mean the Status > Tunnel Info and Status > IKE Info are both green under Network > IPSec Tunnels.  Good!  Here are a couple of critical places to look:

 

  1. Click on Status > Tunnel Info and verify there are PKT ENCAP and PKT DECAP counters.  If there are no encaps, then the problem is on the local NGFW.  If there are no decaps, then the problem is on the remote NGFW.
  2. On the problem NGFW, look at Monitor > Logs > Traffic and verify sessions are being allowed to the proper zone.  There could be a LOT of different reasons why this is failing.  You will have to take it from here.

Thanks,

 

Tom

 

 

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

Hello,

Also check to make sure you have security policies to allow ping. If you are attempting to ping interfaces on the PAN's, you'll need to enable that as well in the interface management.

Regards,

Hi @smshafek ,

- If traceroute suggest traffic reaches the remote side of the tunnel do you see traffic logs on the PA 2? More importantly does bytes received counter different than zero - this should confirm if traffic is indeed reaching the other side of the tunnel and if return traffic is hitting PA2.

- As @TomYoung  suggest, check if packet encrypted and packets decrypted counters are increasing on both sides of the tunnel.

- Is there any NAT for the traffic over the tunnel? Have you check if unintentional NAT is not being applied?

- For very long time detailed traffic log of PAN firewalls were completely enough for me to identify most network issue, but recently I had some bizarre cases and I developed new habit - use global counters with packet filter applied for the specific traffic - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS If you have control over both firewall definitely do that on both sides.

 

Having results from above should give you some direction where to look next.

  • 2096 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!