I configure a VPN tunnel between two firewalls Palo alto Networks . The tunnel status is up but the other network is unreacheable.
I configure the tunnel on the trust zone . I restart the firewalls without result . The first PA-500 with PANOS 7.1.0 and the second with PANOS 8.0.3
Should I do an upgrade to the OS? Or there is any suggestion to do ?
I will appreciate your helps.
Did you configure routes to the tunnel interface ? Any information in the logs ?
Eitherway, both PAN-OS versions are rather old and I would recommend upgrading.
7.1.0 was released in March 2016.
8.0.3 was released in June 2017.
A good resource with a lot of info :
Thank you for your reply . Yes I configure the necessary route . I follow all the steps listed in this article
In the logs, I found this information :
IKEv2 child SA negotiation is started as initiator, rekey. Initiated SA: x.x.x.x-y.y.y.y message id:0x00000000.
IKEv2 child SA negotiation is started as initiator, rekey. Initiated SA
IKEv2 IPSec SA delete message sent to peer. Protocol:ESP, SPI:0x982EEEEA
Have you any suggestion to do . Thanks
I'm leaning towards some negotiation issues... doublecheck if settings are the same on both ends.
Also try increasing the debug level for more information :
You mentioned you applied your tunnel interface to the "Trust" zone. Is there a possibility that your VPN traffic is being NATted?
What happens if you make a new zone for the tunnel interface?
Thank you for your response . I try to configure the VPN in another Zone called VPNZone without result.
I found this logs in the monitor tab:
IKE protocol IPSec SA delete message sent to peer.
IKE daemon configuration load phase-2 succeeded
IKE daemon configuration load phase-1 succeeded
IKE daemon configuration load phase-1 aborted
IKE daemon configuration load phase-2 aborted
Installed SA: 220.127.116.11-18.104.22.168 SPI:0xBC2E363C/0xCAE56096 lifetime 3600 Sec lifesize unlimited
I will appreciate all your help
After configuring the new zone, did you create a security policy rule to allow traffic? e,g,
Yes, I configured this security rule without result .
I allow trafic:
Should I modify the destination to any?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!