I will try to draw this out the best I can and then ask my question.

Remote site (zone is trust, vrouter2, tunnel.1) <<>> Core network (zone is trust, interface 1/10, vrouter2, layer3). The rule for this is any, any in both directions. The above is how all remote traffic flows (all traffic hits the core).

Core network <<>> interface 1/9 (zone is trust, vrouter1) <<>> Out to the web (zone is untrust, vrouter1).

What should happen: a remote user surfs the web. Traffic comes down the IPsec tunnel, is assigned a session ID by the PA and logged, and is passed on to the core. It is then passed back up to the firewall on interface 1/9, where it would match a rule, get logged, and be passed out to the web.

Here is what's happening: a remote user surfs the web. Traffic comes down the IPsec tunnel, is assigned a session ID by the PA and logged, and is passed on to the core. It is then passed back up to the firewall on interface 1/9 .... Nothing happens. We cannot see a log or a deny at all. Remote users cannot ping the 1/9 interface.

My original suspicion is that the traffic is already assigned a session ID, so the PA drops the traffic. To fix this, I would think I need to change my tunnel and tunnel-to-core (1/10) connection to be their own zone. Any ideas? I can provide more details if needed.