I've got a rather bizarre setup that I'm trying to integrate with a new customer using a vm-series 300 in AWS. I have setup and established an IPSEC tunnel (that even comes up when we attempt to send traffic over the tunnel). Where it gets complicated is that their expectation is that we NAT all traffic using public IPs and send the traffic through the tunnel (I should mention that the other side is a Cisco ASA device).
I've attached a fairly simple diagram of the setup that's been proposed by the customer on the other side ( IP addresses changed for safety). To sum it up quickly:
* we have a tunnel established between 22.214.171.124 and 126.96.36.199, this tunnel comes up when I attempt to send traffic through it
* I've routed both 188.8.131.52/32 (our side of the nat translation) and 184.108.40.206/30 (their side of the nat translation) into the tunnel interface
* when i attempt to send traffic through the tunnel over port 443 (ex: curl https://10.0.0.2) from our server the tunnel comes up
* i can also see in the traffic monitor that the NAT policy appears to be applying (I can see the 10.x addresses NAT'd to the 220.127.116.11 and 18.104.22.168) addresses respectively.
The customer is reporting that no traffic is coming through on their side. When I try to use the packet capture tool on our side and filter based on interface (tunnel.1 in this case), then try to send traffic, I don't see any packets. Is there anyway to verify that traffic is indeed flowing over the tunnel?
I could also have done something really wrong here, but I'd expect that if the tunnel comes up, some traffic is attempting to be sent.
Hi @birdperson ,
Yes, you can see encaps and decaps from Network > IPSec Tunnels > Tunnel Info next to your VPN.
You can also see them on the CLI with the command 'show vpn flow tunnel-id <tunnel-id> | match "p p"'. This doc is an excellent VPN troubleshooting reference -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!