This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About ifstciss
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About ifstciss
07-07-2022
8Posts
3Likes
2Solutions
Jul 07, 2022Last Visited
User
Activity
User
Profile
Latest posts by ifstciss
| Subject | Views | Posted |
|---|---|---|
| 1091 | 12-25-2021 08:16 AM | |
| 1119 | 12-25-2021 07:21 AM | |
| 13017 | 06-03-2021 03:51 AM | |
| 3544 | 08-19-2020 02:33 PM | |
| 3548 | 08-19-2020 09:49 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 3 Likes | 08-17-2020 04:08 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 Likes | |||
| 1 Like | |||
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 07-29-2020 09:21 AM |
| Date Last Visited | 07-07-2022 08:26 AM |
| Posts | 8 |
| Total Likes Received | 3 |
12-25-2021
08:16 AM
Never mind, session 1338 seems to have been "stuck". Probably at initial creation of the session (some time ago), the connection didn't work because some other config was incorrect, but the flow was still created and remained cached in fastpath state. Since the VPN gateways just continue trying to connect the bad session/flow was never purged or reinitialized. I have removed it manually from the session browser and the flow was now created successfully and the VPN is successfully connected. Also "show arp all" no longer shows 192.168.1.2 as "(incomplete)". In fact it no longer shows that address at all, which seems to be a good sign in this case. Happy holidays 🙂
... View more
12-25-2021
07:21 AM
Hello, We have an issue with forwarding an IPsec connection to a VPN device behind the PAN-OS FW. So the setup is supposed to be the following: * PAN-OS is using outside interface 192.168.1.1/24 * 192.168.1.2 is an address with DNAT to 10.10.10.1 on an internal vlan Note that the FW also processes IPsec VPNs itself on its own IP 192.168.1.1. NAT rule: * src zone: outside * dst zone: outside * original src address: remote ipsec gw * original dst address: 192.168.1.2 * translated src address: keep * translated dst address: 10.10.10.1 There is a security policy of course * src zone: outside * dst zone: inside * src address: remote ipsec gw * dst address: 192.168.1.2 * app: ipsec Using packet capture, I see that the packet is captured in receive, fw, and drop stages. Digging further using dataplane debug Packet received at fastpath stage, tag 1338, type ATOMIC
Packet info: len 254 port 19 interface 261 vsys 1
wqe index 216243 packet 0x0x80000003144648ca, HA: 0, IC: 0
Packet decoded dump:
L2: 00:04:96:af:51:02->00:1b:17:00:03:13, VLAN 502 (0x8100 0x01f6), type 0x0800
IP: 1.2.3.4->192.168.1.2, protocol 17
version 4, ihl 5, tos 0x00, len 236,
id 34594, frag_off 0x0000, ttl 59, checksum 58234(0xe37a)
UDP: sport 500, dport 500, len 216, checksum 27049
Forwarding lookup, ingress interface 261
L3 mode, router 2
Route lookup in router 2, IP 192.168.1.2
Route found, interface ethernet1/4.508, zone 3
Resolve ARP for IP 192.168.1.2 on interface ethernet1/4.508
ARP pending
Packet dropped, no ARP Why would it try to route or resolve ARP when it is supposed to be responsible for that address itself, e.g. according to https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/nat/nat-policy-rules/proxy-arp-for-nat-address-pools.html I have the feeling that all of this stopped working once PAN-OS FW started processing IPsec VPNs itself on 192.168.1.1. PAN-OS is 10.0.8 Thanks, Marki
... View more
06-03-2021
03:51 AM
What if you want to enforce an application on its default ports and a few other ports. Do you have to create two rules for this? Or does defining a specific service add this port to the default ports for that application? (In that case, how do you define just that port without the default ports) Thanks.
... View more
08-19-2020
02:33 PM
The license does not seem to be the issue. I've opened a case with TAC. They asked me to install (but not necessarily run) 9.1.0 first before upgrading 9.1.3-h1, which works ok. But which is the opposite of what the message clearly says. So the message that is displayed in this case is simply wrong. I'll ask them to file a bug report.
... View more
- Tags:
- e li
08-19-2020
09:49 AM
> means you are grabbing the image from you Palo Alto portal and doing a manual update Yes. > You are running a licensed PA, correct? That may be the issue. We don't have Internet connectivity on these devices yet as they are being staged.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-07-2022
08:26 AM
|
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks