Thanks @reaper. The only reason is that the address (subnet) is supposed to be a DMZ range. I just found this: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsiCAC

Cause: The issue is the tunnel terminates on an interface in a zone different from where the ESP (Encapsulating Security Payload) packets originate.

I'm curious as to why it is designed this way. And correct me if I'm wrong: do all IPSec tunnels have to terminate on the same zone as the one on the Internet? I'll get those global counters just to confirm the exact drops and update later.
Hi all,

I have an IPSec tunnel connecting to an old SSG. The tunnel came up successfully, and the SSG can see the traffic and is returning it correctly into the tunnel. However, PAN's decrypt counter remains 0. When I did a packet capture, the returning ESP packet is dropped, shown below in frames 43 and 47:

The setup I have is:
eth1/1 - ISP WAN in zone "outside"
loopback.1 - public IP advertised by ISP in zone "dmz"
IPSec created similar to https://blog.webernetz.net/ipsec-site-to-site-vpn-palo-alto-juniper-screenos/
tunnel.1 - in zone "trust"; both ends of the tunnel are in "trust"
IPSec statuses all showing green
Has a policy from "outside" to "dmz" allowing any any from the two terminating IPs

When I change loopback.1 to zone "outside", everything works.

Any suggestion or help is very much appreciated. Thanks in advance.

Model: PA-820
Software Version: 9.0.2-h4

Thank you,
Jason
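An added PAN-OS CLI sequence (not from either post) that scopes the global counters to just the ESP flow between the two peers, so the drop counter behind the zone mismatch can be read without noise from other traffic. PEER_PUBLIC_IP, LOOPBACK_PUBLIC_IP and TUNNEL_NAME are placeholders, since the posts do not give them; lines starting with # are annotations, not CLI syntax.

```text
# Operational mode. Match only ESP (IP protocol 50) arriving from the SSG
# and addressed to the public IP on loopback.1.
debug dataplane packet-diag clear all
debug dataplane packet-diag set filter match source PEER_PUBLIC_IP destination LOOPBACK_PUBLIC_IP protocol 50
debug dataplane packet-diag set filter on

# Send traffic through the tunnel, then list only counters that matched the
# filter, changed since the previous read, and are classified as drops.
show counter global filter packet-filter yes delta yes severity drop

# Confirm the SA is established and whether the decap (decrypt) counter
# advances for this tunnel; with the zone mismatch it stays at 0.
show vpn ipsec-sa
show vpn flow name TUNNEL_NAME

# Remove the filter when done so it does not linger on the dataplane.
debug dataplane packet-diag set filter off
debug dataplane packet-diag clear all
```

Read the counters twice a few seconds apart: the drop counter that increments between reads while the decap counter stays at 0 is the one to compare against the KB article's description.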