About DongQu

I forgot to mention that the client is an Android Phone, the TAC told me that the "domain" based split does not support the mobile devices. I tested the settings on a laptop which was working well. Closing this case. ... View more

hello @aleksandar.astardzhiev  hello @AlexanderAstardzhiev  "The PAN FW has nothing to do with 5.5.5.x addresses, isn't this the whole purpose of the GRE tunnel? - Packets from the client will enter the router - Which will add GRE encapsulation, which boilse down to a new IP header - Now the outer IP header (that is used for routing decisions) is has different source and destination addresses - more specifically your GRE tunnel addresses, right? - When the packet reaches the PAN FW and if you don't apply any tunnel content inspection it will see only the 3.3.3.3 and 192.168.55.250." ---------------This is exactly what I thought. When 192.168.20.34 sending a packet to the 5.123.111.144, the traffic flow should be (my understanding, please correct if anything wrong) Original packet send to GRE device S:192.168.20.34 D:5.253.111.144 GRE tunnel encapsulates the original packet by adding an extra header, so  the source/destination IP in the packet changes to S: 192.168.55.250    192.168.20.34 😧 3.3.3.3                    5.153.111.144 My firewall NAT the 192.168.55.250 to 4.4.4.4 then send the packet towards to the IPsec tunnel, ipsec tunnel add extra header S: 1.1.1.1    4.4.4.4   192.168.20.34 😧 2.2.2.2   3.3.3.3    5.153.111.144 The ASA removes the IPSec header and delivers it to the other side GRE device S:  4.4.4.4   192.168.20.34 😧 3.3.3..3   5.153.111.144  The other side GRE device removes the GRE header and delivers the original packet to the server S:  192.168.20.34 😧  5.153.111.144 I thought we should be able to see the log on PA from 192.168.55.250 to 3.3.3.3 but I cannot. Why? I took a pcap on the PA, the packet I got is, but cannot see it in the log     ... View more