We are trying to do the same thing with a PA-4020. I have the tunnels up, and I have BGP established on both peers. I am receiving the prefix for the subnet that I created when establishing the VPC. I checked the box to allow the redistribution of the default route. I have static routes in my core network to get to the PA-4020 for this subnet. I can trace all the way to the PA-4020, and the CLI confirms that it is allowing my ICMPs to go out the tunnel. But no pingage. Oh yeah, and I also configured the security groups and ACLs on the VPC AWS console to allow ICMP in both directions. And the route table on the AWS console shows the VPC subnet as local and the 0.0.0.0/0 route as coming from my customer gateway ID. Did you have to create any policies on the PA for traffic going over the tunnel? This seems like it should be so easy; not sure where I went wrong.