About ms.jzam

Videos are great, but include the CLI/Step-by-Step ... View more

I had a case open, once the issue was resolved they closed the ticket. ... View more

@BPry  I tried to find a DM feature, don't think there is one.  Happy to continue over email. ... View more

@BPry   Happy to provide more detailed configuration for any attempts at duplicating the issue.  What would be needed? ... View more

Ok that's two confirmations on fixing the issue.  I think this deserves to be bumped until we can sniff out a solid understanding of what's happening here.   BUMP! ... View more

@jdprovine   Anything new on this? ... View more

@BrianRa  yes it was because of Panorama!  Thanks! ... View more

@BrianRa   ran the commands as you indicate but received no output:   (active)> (active)> set cli config-output-format set (active)> configure Entering configuration mode [edit] (active)# show network profiles zone-protection-profile <name> <name> | Pipe through a command <Enter> Finish input (active)# show network profiles zone-protection-profile set network profiles zone-protection-profile [edit] (active)# show network profiles zone-protection-profile ZP_DEFAULT_OUT [edit] (active)# ... View more

@jdprovine   I would reccommend taking the same steps that I did in order to get a clue as to the cause.  Include your VPN tunnel network/interface in a packet capture filter, and also your WAN interface where the VPN traffic is coming into.     clear logs and packet filter debug dataplane packet-diag clear all debug dataplane packet-diag clear log log   enable debug debug dataplane packet-diag set log feature flow basic debug dataplane packet-diag set log on debug dataplane packet-diag set log off debug dataplane packet-diag aggregate-logs   review logs less dp-log pan_packet_diag.log   clear your vpn tunnels and see if interesting traffic reestablishes them clear vpn ike-sa  clear vpn ipsec-sa   check and configure your packet filter debug dataplane packet-diag show setting  *was easier for me to configure the packet filter in the WEB-UI   check for vpn sesssions show session all filter source X destination X show vpn flow *pay attention for encap and decap byte increase   check the details of the specific traffic session show session id X   show results of the packet filter show counter global filter packet-filter yes delta yes     There is probably a better order to running these commands, but this is everything I used to try and get to a resolution. ... View more

@jdprovine  Let us know what you find!  If it does fix the issue, that's a much better place to be than disabling the whole ZP policy.   Hopefully we can get some progress on understanding the root cause behind the issue. ... View more

BUMP ... View more

@BPry   IKE Gateway Local IP Address 216.1.x.x Peer IPA 199.79.x.x   IPSec Tunnel used Proxy ID which was Local 172.16.2x.x (Internal Server IP of 10.x.x.x was NATd) Remote 128.1.2xx.x   ... View more