This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
About JoschkaKruse
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About JoschkaKruse
09-09-2021
3Posts
0Likes
0Solutions
Sep 09, 2021Last Visited
User
Activity
User
Profile
Latest posts by JoschkaKruse
| Subject | Views | Posted |
|---|---|---|
| 1254 | 08-19-2021 01:02 AM | |
| 1922 | 12-16-2020 08:42 AM | |
| 2063 | 12-16-2020 02:55 AM |
User Badges
Community Statistics
| Member Since | 05-26-2020 08:43 AM |
| Date Last Visited | 09-09-2021 09:43 AM |
| Posts | 3 |
08-19-2021
01:02 AM
Hello everybody, I'm having a weird issue with VPNs between a Palo Alto Cloud Firewall (PanOS9.1.3h) and Cisco Meraki Z3.All VPN Tunnels are established propely, but after a random period of time during the rekey step, a tunnel stays online, but network traffic can't be send anymore. We are currently having 5 of these connections with the same issues. I was able to capture a log, but I'm not able to troubleshoot it. Did some anonymization, see link attached. LOG On the Meraki site/log, you can see the there are two steps happening repeatedly on a working tunnel. inbound CHILD_SA outbound CHILD_SA At the time the error occurs, the outbound step is missing. Any ideas? Here are the tunnel settings IKEv2 On Palo side IPSec Crypto profile IPSec Protocol ESP DH group 2 LT 1h Encryption aes-256-gcm/cbc Authentication sha256 IKW Crypto profile DH Group group2 Encryption aes-256-cbc Authentication sha 256 Key LT 8h IKEv2 Authentication Multiple 5 On Meraki side Phase1 Encryption AES 256 Authentication SHA256 Pseudo-random Function Defaults to Authentication Diffie-Hellman group 2 Lifetime (sec) 28800 Phase2 Encryption AES 256 Authentication SHA256 PFS group 2 Liftime (sec) 3600 Palo Alto IKE GW Options Passive mode Enabled NAT-T Enabled Advanced Option Strict Cookie Validation turned off Liveness Check Interval (sec) 5
... View more
12-16-2020
08:42 AM
I'm pretty new to Palo and firewalling, so sorry for the lack of info I gave you 😞 We're using a UIA and terminal server agent. Sorry for the faulty info. Thanks for all your responses so far. Just figured it out I guess 🙂 App-id for internal traffic worked properly. Same with user-id somehow. Maybe I had a faulty client for my tests yesterday. So my only issue seemed to be the app-id. I saw that all external requests ended up as incomplete and NAT destination port as 0. So what I missed was, to add the VPN zone to the hide NAT rule. After that, appid was recognized immediately. 🙂 The only thing I'm wondering about is the fact that the user-id gets lost after a longer period of inactivity on the client in the VPN network. Maybe that's cause of the cache settings configured for the user-id?
... View more
12-16-2020
02:55 AM
Hello everyone, we're using a VM300. I've recently set up 2 VPN tunnels, ike1 and ikev2. Tunnels come up successfully, but no user-ID is being transmitted and apps are not being discovered properly. We also have another site connected via MPLS where everything works fine. User-ID has been enabled on the zone where the tunnels are connected to. Any hints and ideas what I am missing?
... View more
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks