I have a PA-500 that has Dual ISPs for Internet access. I am using a PBF rule to have the traffic go out via the Primary Internet Connection. The default route out to the Internet in the routing table is via the backup internet connection.
I have two existing IPSec VPN tunnels. There is a static route via the primary internet gateway to each one of the peers of the IPSec tunnel.
Now, I need to add another IPSec VPN peer. However, this peer does not have a static IP. The VPN is built using its DNS name. IKE negotiation mode is aggressive.
1. The PA-500 is set to only respond to IKE messages and not initiate the VPN tunnel.
2. The peer initiates the tunnel.
3. PA-500 responds with ISAKMP negotiation messages as responder, but then times out.
4. I do not have access to the other peer.
I assumed this is because of the PBF policy. Since there is no static route to the peer of this new tunnel (a static route cannot be set because the peer is dynamic), I assumed the ISAKMP responses were going out via the secondary Internet gateway.
To test this, I did packet captures on the PA-500. However, they show that the PA-500 is responding with a source IP of its primary internet interface. I could not make sense out of it.
To test if PBF was the issue, I disabled the PBF policy, added a static route with a better metric via the primary gateway, and the tunnel comes up instantly and I am able to communicate with hosts on the far side of the VPN tunnel.
Can someone please shed more information in regards to this behavior? Any help is appreciated.
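The forwarding behaviour the post describes can be reasoned through with a small model of the firewall's egress decision. The Python below is an added example, not code from the original post or from Palo Alto Networks, and it rests on two labelled assumptions: that PBF is only evaluated for transit traffic entering a dataplane zone, so packets the firewall itself originates (its ISAKMP replies as responder) are forwarded by the routing table alone, and that those replies carry the primary ISP interface address as their source, as the poster's capture showed. Interface names, gateways and peer addresses are constructed (documentation ranges); the dynamic peer's address stands in for whatever its DNS name resolves to at that moment.

```python
"""Model of why a firewall-originated IKE reply can leave via the wrong ISP
when egress is steered by PBF (policy-based forwarding) rather than by routes.

Modelling assumptions (not taken from the original post):
  * PBF is evaluated only for transit traffic entering a dataplane zone;
    packets the firewall itself originates (ISAKMP replies as responder)
    are forwarded purely by the routing table (FIB).
  * The local IKE source address is the primary ISP interface's address,
    as the poster's packet capture showed.
All addresses are documentation ranges, constructed for this example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

PRIMARY_IF, BACKUP_IF = "ethernet1/1", "ethernet1/2"   # constructed names
PRIMARY_GW, BACKUP_GW = "203.0.113.1", "198.51.100.1"  # constructed next hops


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    egress: str
    metric: int = 10


@dataclass
class ForwardingModel:
    routes: list = field(default_factory=list)
    pbf_egress: Optional[str] = None   # interface a PBF rule steers LAN traffic to

    def add_static_route(self, prefix: str, next_hop: str, egress: str,
                         metric: int = 10) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, egress, metric))

    def fib_lookup(self, dst: str) -> Route:
        """Longest-prefix match; lowest metric wins among equal-length prefixes."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            raise LookupError(f"no route to {dst}")
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))

    def egress_for(self, dst: str, *, transit: bool) -> str:
        """Transit traffic can be steered by PBF; firewall-originated traffic cannot."""
        if transit and self.pbf_egress:
            return self.pbf_egress
        return self.fib_lookup(dst).egress


def build_scenario(pbf_enabled: bool = True) -> ForwardingModel:
    """Reproduce the poster's setup: default route via the backup ISP, a PBF rule
    to the primary ISP, and /32 static routes for the two existing peers."""
    m = ForwardingModel(pbf_egress=PRIMARY_IF if pbf_enabled else None)
    m.add_static_route("0.0.0.0/0", BACKUP_GW, BACKUP_IF)
    for peer in ("192.0.2.10", "192.0.2.20"):       # constructed static-IP peers
        m.add_static_route(f"{peer}/32", PRIMARY_GW, PRIMARY_IF)
    return m


def ike_reply_egress(m: ForwardingModel, peer_ip: str) -> str:
    """Interface the firewall's own ISAKMP reply to peer_ip leaves on (FIB only)."""
    return m.egress_for(peer_ip, transit=False)


def lan_transit_egress(m: ForwardingModel, dst_ip: str) -> str:
    """Interface a LAN host's packet to dst_ip leaves on (PBF applies)."""
    return m.egress_for(dst_ip, transit=True)


def reply_path_mismatch(m: ForwardingModel, peer_ip: str, inbound_if: str) -> bool:
    """True when the peer's IKE request arrived on one ISP but the reply is routed
    out the other: the reply still carries the primary interface's source address,
    so the capture looks right while the peer only sees a timeout."""
    return ike_reply_egress(m, peer_ip) != inbound_if


if __name__ == "__main__":
    fw = build_scenario()
    dynamic_peer = "192.0.2.77"   # constructed: what the peer's DNS name resolves to today
    for peer in ("192.0.2.10", dynamic_peer):
        print(f"{peer}: LAN traffic -> {lan_transit_egress(fw, peer)}, "
              f"IKE reply -> {ike_reply_egress(fw, peer)}, "
              f"mismatch={reply_path_mismatch(fw, peer, PRIMARY_IF)}")
    # The poster's workaround: a host route for the peer via the primary ISP.
    fw.add_static_route(f"{dynamic_peer}/32", PRIMARY_GW, PRIMARY_IF)
    print(f"after static route: IKE reply -> {ike_reply_egress(fw, dynamic_peer)}")
```

Under these assumptions the model matches what the post reports: LAN traffic to any peer is steered out the primary ISP by PBF, the firewall's replies to the two statically routed peers follow their /32 routes out the same link, but the reply to the dynamic peer falls through to the default route and leaves via the backup ISP, which is exactly the case a static route cannot cover. The check worth running on the real device is the same one `reply_path_mismatch` encodes: compare the interface the peer's request arrived on with the egress interface in the reply's session or capture, not just the source address.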