cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

About jason.chia

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
jason.chia
‎07-18-2019
since ‎02-03-2019
L0 Member
User Activity
User Profile
User Badges
Public Statistics
Date Registered ‎02-03-2019 02:49 PM
Date Last Visited ‎07-18-2019 09:56 PM
Total Messages Posted 2

Re: IPSec / returning ESP packets dropped when terminating interface is in a different zone

by in General Topics
‎07-18-2019 06:36 PM
‎07-18-2019 06:36 PM
Thanks @reaper  the only reason is that address (subnet) is supposed to be a DMZ range.   I just found this https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsiCAC  Cause The issue is the tunnel terminates on an interface in a zone different from where the ESP (Encapsulation Security Payloads) packets originate.   i'm curious as to why it is design this way. and correct me if i'm wrong all IPSec tunnels have to terminate on the same zone as the one on the Internet?   i'll get those global counters just to confirm the exact drops and update later. ... View more

IPSec / returning ESP packets dropped when terminating interface is in a different zone

by in General Topics
‎07-12-2019 03:20 AM
‎07-12-2019 03:20 AM
Hi all, I have an IPSec tunnel connecting to an old SSG. Tunnel came up successfully and SSG can see the traffic and is returning correctly into the tunnel. However PAN's decrypt counter remains 0. When i did a packet capture, the returning ESP packet is dropped shown below Frame 43 and 47: The setup i have is: eth1/1 - ISP WAN in zone "outside" loopback.1 - Public IP advertised by ISP in zone "dmz" IPSec create similar to https://blog.webernetz.net/ipsec-site-to-site-vpn-palo-alto-juniper-screenos/ tunnel.1 - in zone "trust" both ends of tunnel is in "trust" IPSec statuses all showing green has policy from "outside" to "dmz" allowing any any from the two terminating IPs   When i change loopback.1 to zone "outside", everything works. Any suggestion or help is very much appreciated. Thanks in advance.   Model PA-820 Software Version 9.0.2-h4   Thank you, Jason ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎07-18-2019 09:56 PM
Latest Tags
Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks