This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About yshaikh
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About yshaikh
05-15-2022
3Posts
0Likes
0Solutions
May 15, 2022Last Visited
User
Activity
User
Profile
Latest posts by yshaikh
| Subject | Views | Posted |
|---|---|---|
| 2563 | 07-13-2020 09:41 PM | |
| 2613 | 07-13-2020 07:49 PM | |
| 2647 | 07-13-2020 07:31 PM |
User Badges
Community Statistics
| Member Since | 07-13-2020 07:25 PM |
| Date Last Visited | 05-15-2022 05:12 PM |
| Posts | 3 |
07-13-2020
09:41 PM
@BPry Thanks for your responses and time, really appreciate it. I don't have issue with other proxy id on the same VPN tunnel. Ping works either way. Its just this specific one. There is no disconnection on other proxy ids
... View more
07-13-2020
07:49 PM
if I do icmp from server behind PA firewall nothing happens. if I do icmp from server behind Cisco firewall, ping becomes ok I discussed with Cisco also, they are saying you need to check with Palo Alto why Palo Alto doesn't send anything on VPN for that specific connection, why connection gets alive when do ping from Cisco Server Cisco: > Found no debug logs for the specific SA until we start it manually > Looks like the remote end is unable to start an SA for the particular traffic
... View more
07-13-2020
07:31 PM
We have VPN between Palo Alto and Cisco FMC/FTD. There is user and server traffic on VPN. VPN status is stable. I don't have any user complaining about disconnection. But I am seeing disconnection on specific proxyid. All of sudden I am getting ICMP request time out on working connection. Facing request time out when ping is from Server which is behind Palo Alto. To make connection up, either I need to generate Interesting traffic from FMC or ping from Server which is behind FMC. This restore request time out issue from the Server which is behind Palo Alto. I don't undertstand what could be reason for behind this specific connection. yshaikhadmin@SPDORC-FW02(active)> show vpn flow tunnel-id 358 Request time out started, checked vpn flow: yshaikhadmin@SPDORC-FW02(active)> show vpn flow tunnel-id 358 tunnel Orbit:test-mig-1 id: 358 type: IPSec gateway id: 9 local ip: x peer ip: x inner interface: tunnel.17 outer interface: ethernet1/1 state: active session: 444419 tunnel mtu: 1428 lifetime remain: 2475 sec lifesize remain: 4607944 kb latest rekey: 1125 seconds ago monitor: off monitor packets seen: 0 monitor packets reply:0 en/decap context: 5679 local spi: 9F518E95 remote spi: 8EBEAD75 key type: auto key protocol: ESP auth algorithm: SHA1 enc algorithm: AES256 proxy-id: local ip: x remote ip: x protocol: 0 local port: 0 remote port: 0 anti replay check: no copy tos: no authentication errors: 0 decryption errors: 0 inner packet warnings: 0 replay packets: 0 packets received when lifetime expired:0 when lifesize expired:0 sending sequence: 645 receive sequence: 0 encap packets: 58580 decap packets: 14429 encap bytes: 5230576 decap bytes: 1274216 key acquire requests: 1 owner state: 0 owner cpuid: s1dp0 ownership: 1 when I started ping from server behind cisco FMC then ping restored. I can see that rekeying happens. tunnel Orbit:test-mig-1 id: 358 type: IPSec gateway id: 9 local ip: x peer ip: x inner interface: tunnel.17 outer interface: ethernet1/1 state: active session: 197328 tunnel mtu: 1428 lifetime remain: 3594 sec lifesize remain: 4607999 kb latest rekey: 6 seconds ago monitor: off monitor packets seen: 0 monitor packets reply:0 en/decap context: 391 local spi: 8D78AF05 remote spi: 90040096 key type: auto key protocol: ESP auth algorithm: SHA1 enc algorithm: AES256 proxy-id: local ip: x remote ip: x protocol: 0 local port: 0 remote port: 0 anti replay check: no copy tos: no authentication errors: 0 decryption errors: 0 inner packet warnings: 0 replay packets: 0 packets received when lifetime expired:0 when lifesize expired:0 sending sequence: 4 receive sequence: 0 encap packets: 58593 decap packets: 14433 encap bytes: 5231720 decap bytes: 1274568 key acquire requests: 1 owner state: 0 owner cpuid: s1dp0 ownership: 1 yshaikhadmin@SPDORC-FW02(active)> I think after rekeying process, some how Palo Alto not able to keep this connection alive, not sure why
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-15-2022
05:12 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks