03-18-2026 10:00 AM
I have configured a site-to-site VPN between my Cisco ASA Firepower 2140 firewall and a partner using a Palo Alto firewall. The VPN tunnel is up, and the partner’s server defined in Phase 2 is able to reach my server successfully.
However, my server is unable to reach the partner’s server.
Could you please assist in identifying the issue and provide a solution so that my server can successfully communicate with the partner’s server?
03-18-2026 03:07 PM
Does your partner see traffic from your server making it across the tunnel at all? Since the tunnel is already up and the partner can reach your server, I’d next verify whether your server-to-partner traffic is matching the VPN selectors/Phase 2 and being allowed via security policy/routing on the partner side.
03-18-2026 04:29 PM
Hi @aristetoe,
@JayGolf mentions the best starting place. Check if packets are encapsulated and decapsulated on the Palo Alto via Network > IPSec Tunnels > Tunnel Info (for the specific tunnel) and use the Refresh button to verify the PKT ENCAP and DECAP counters are incrementing. On the ASA, you would issue the command "show crypto ipsec sa peer <pa.lo.ip.add> | i caps:" to see the encaps and decaps. Use the up arrow to re-run it and ensure they are incrementing. If you see a zero, then you know something is broken. Encaps 0 = problem on my side. Decaps 0 = problem on their side. If the packets are incrementing, check the logs on both sides to make sure the traffic is not blocked by policy.
Thanks,
Tom
03-19-2026 07:00 AM - last edited on 03-19-2026 07:31 AM by kiwi
@TomYoung, please see below the output of the command:
BKYITcore1FWEXT1FPR2140# show crypto ipsec sa peer A.B.C.D | in caps
#pkts encaps: 5718, #pkts encrypt: 5717, #pkts digest: 5717
#pkts decaps: 14923, #pkts decrypt: 14923, #pkts verify: 14923
#PMTUs sent: 1, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
BKYITcore1FWEXT1FPR2140#
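As an added illustration of the counter check Tom describes (not code from the thread or from either vendor), the script below parses two snapshots of the filtered "show crypto ipsec sa ... | in caps" output and applies the encaps/decaps rule of thumb. The counter values are constructed, modelled on the output posted above.

```python
import re

# Constructed snapshots in the shape of the ASA output posted in the thread;
# the numbers are made up for the example.
SAMPLE_BEFORE = """\
#pkts encaps: 5718, #pkts encrypt: 5717, #pkts digest: 5717
#pkts decaps: 14923, #pkts decrypt: 14923, #pkts verify: 14923
#PMTUs sent: 1, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
"""
SAMPLE_AFTER = """\
#pkts encaps: 5718, #pkts encrypt: 5717, #pkts digest: 5717
#pkts decaps: 14950, #pkts decrypt: 14950, #pkts verify: 14950
#PMTUs sent: 1, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
"""

# Only the per-SA packet counters matter here; "#decapsulated frgs" does not match.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_caps(output: str) -> dict:
    """Return {'encaps': n, 'decaps': n} from the filtered ASA output."""
    counters = {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(output)}
    missing = {"encaps", "decaps"} - counters.keys()
    if missing:
        raise ValueError(f"counters not found in output: {sorted(missing)}")
    return counters


def diagnose(before: str, after: str) -> str:
    """Compare two consecutive snapshots taken while the failing flow is tested."""
    b, a = parse_caps(before), parse_caps(after)
    enc_delta = a["encaps"] - b["encaps"]
    dec_delta = a["decaps"] - b["decaps"]
    if enc_delta == 0 and dec_delta == 0:
        return "no traffic either way: check that the test flow matches the crypto ACL / proxy IDs"
    if enc_delta == 0:
        return "encaps not incrementing: problem on the local (ASA) side, check the crypto ACL for this flow"
    if dec_delta == 0:
        return "decaps not incrementing: problem on the remote side, ask the partner to check proxy IDs and policy"
    return "both incrementing: tunnel passes traffic, check security policy logs on both sides for this flow"


if __name__ == "__main__":
    print(parse_caps(SAMPLE_BEFORE))
    print(diagnose(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Take the first snapshot, start the test from your server, then take the second; a delta of zero in either counter points at the side Tom's rule names, while aggregate counters that keep rising can still mask a single flow that never matched the selectors.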
03-19-2026 08:07 AM
Hi @aristetoe,
Since the counters show both encaps and decaps, and your partner server IP can reach your server IP, this suggests the tunnel itself is up and passing traffic. That makes me think the issue is more likely related to the exact flow being tested.
At this point, I would review whether your local server IP and the partner server IP are both included in the crypto ACL referenced by the crypto map for the partner’s Palo Alto peer.
If your side looks correct, you can then ask the partner to verify that the Proxy IDs configured on their Palo Alto IPSec tunnel match the same local and remote server IPs or subnets, depending on how you have it defined (/32 vs CIDR).