paloaltonetworks:troubleshooting:vpn
Revisions compared: 2020/08/31 06:30 (external edit) and 2022/11/23 12:49 (current, external edit).
====== IPSec VPN Troubleshooting ======
Remember, a VM-Series firewall can only handle 300 Mbps in each direction (600 Mbps total) per IPsec tunnel. This is due to the PAN-OS architecture and does not affect hardware firewalls.
More info [[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP5TCAW|here]] and [[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP8rCAG|here]].
===== Test All VPN Connections =====
<code>test vpn ipsec-sa</code>
  
Remember, if you are setting up a VPN between site A, which has a changeable IP address, and site B, which has a static one, you configure the IKE Gateway at site B with a dynamic peer address. However, this will not work if a GlobalProtect gateway is hosted on the same IP address.
 +
===== VPN Tunnels Don't Come Up After Cutover =====
Scenario: migration from FortiGate to Palo Alto Networks firewalls. After the cutover, none of the VPN tunnels come up at all. What fixed it:

  * Disabled the IPsec tunnels and the IKE gateways.
  * Committed.
  * Made a cup of tea and chilled for 15 minutes.
  * Enabled the IPsec tunnels and the IKE gateways.
  * Committed.
  * 5 of the 6 tunnels came up immediately. The 6th proved more difficult and turned out to have an unrelated cause.
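Presumably the 15-minute wait just lets the old IKE and IPsec SAs on both ends age out. If you would rather not wait, the PAN-OS operational commands below let you inspect and clear that state for one peer and then force a fresh negotiation. This is an added example, not part of the original write-up; <gateway-name> and <tunnel-name> are placeholders for your own IKE gateway and IPsec tunnel object names, and the lines beginning with # are annotations rather than CLI input.

```text
# Added example (not from the original page): PAN-OS operational CLI to
# inspect and reset IKE/IPsec state instead of waiting for stale SAs to expire.
# <gateway-name> and <tunnel-name> are placeholders for your own object names.

# 1. What state is each tunnel in right now? (Phase 1, Phase 2, dataplane view)
show vpn ike-sa
show vpn ipsec-sa
show vpn flow

# 2. Drop any lingering Phase 1 / Phase 2 state for the affected peer ...
clear vpn ike-sa gateway <gateway-name>
clear vpn ipsec-sa tunnel <tunnel-name>

# 3. ... and kick off a fresh negotiation from this side.
test vpn ike-sa gateway <gateway-name>
test vpn ipsec-sa tunnel <tunnel-name>

# 4. Still down? Watch the IKE daemon log while the peer negotiates
#    (q to leave less, Ctrl-C to stop the tail).
less mp-log ikemgr.log
tail follow yes mp-log ikemgr.log

# 5. Only if the log is not verbose enough: turn IKE debugging up, retry step 3,
#    then turn it back off so the management plane is not flooded.
debug ike global on debug
debug ike global off
```

Clear the IKE SA before the IPsec SA, otherwise the still-valid Phase 1 SA will simply re-create the child SA with the same stale parameters on the peer's side.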
 +
===== Remote Site Not Getting Traffic With Proxy-ID =====
An old Cisco ASA 5505, running an unknown software version, sits at a remote site with a 192.168.0.0/24 network.

The ASA sends all traffic to the HQ firewall (Cisco ASA 5555) over the tunnel, using an "interesting traffic" crypto ACL of 0.0.0.0/0.

A Palo Alto Networks PA-5220 running PAN-OS 9.1.8 has the VPN configured with a single Proxy-ID of "local:0.0.0.0/0, remote:192.168.0.0/24".

The tunnel comes up straight away. We can see remote traffic arriving at the PA-5220 and the PA-5220 sending return traffic. Security policy rules and static routing work perfectly.

However, the return traffic to the ASA 5505 never reaches the 5505.

Lots of troubleshooting later, we find that with any local Proxy-ID address other than 0.0.0.0/0 (e.g. 10.0.0.0/8) traffic flows. Obviously that is useless here, because the remote site needs to browse the Internet through the HQ firewall, so the local side has to match everything.

More guessing games later, we downgrade the IKE gateway from IKEv2 to IKEv1. Traffic starts working immediately. The underlying cause was not identified, so this is a workaround rather than a root-cause fix.
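The write-up above doesn't record why IKEv1 worked where IKEv2 did not. One difference worth knowing is that in IKEv2 the traffic selectors (what PAN-OS calls Proxy-IDs) are negotiated and the responder is allowed to narrow them, whereas IKEv1 Phase 2 needs an exact match on both sides. So the first thing to check in a case like this is what each end actually installed and whether the counters move. The commands below are an added example, not from the original page; <tunnel-name>, <gateway-name> and <peer-ip> are placeholders, lines beginning with # are annotations rather than CLI input, and 192.168.0.10 is just a constructed address inside the remote /24.

```text
# Added example (not from the original page): compare what each side of the
# tunnel negotiated and whether packets are being encapsulated/decapsulated.
# <tunnel-name>, <gateway-name>, <peer-ip> are placeholders; 192.168.0.10 is a
# constructed host address in the remote 192.168.0.0/24 network.

# PAN-OS: negotiated proxy-IDs and per-tunnel counters for this IPsec tunnel
show vpn flow name <tunnel-name>
#   fields to read: "proxy-id local ip", "proxy-id remote ip",
#                   "encap packets", "decap packets"
#   decap rising but encap flat   = traffic arrives, nothing is sent back via this SA
#   both rising, peer sees nothing = packets leave encrypted but the peer drops them
#                                    (selector mismatch on the peer is one candidate)

# PAN-OS: which IKE version / SAs exist toward the peer
show vpn ike-sa gateway <gateway-name>
show vpn ipsec-sa tunnel <tunnel-name>

# PAN-OS: confirm the return route actually points into the tunnel interface
test routing fib-lookup virtual-router default ip 192.168.0.10

# Cisco ASA: the peer's view of the same SA
show crypto ikev2 sa
show crypto ipsec sa peer <peer-ip>
#   compare "local ident" / "remote ident" with the PAN-OS proxy-IDs above and
#   watch "#pkts encaps" / "#pkts decaps"; decaps not moving while PAN-OS encaps
#   climb means the ASA is discarding what it receives

# Cisco ASA after the IKEv1 downgrade, to confirm which version is in use
show crypto ikev1 sa
```

If the two selector pairs do not line up (for example one side shows 0.0.0.0/0 where the other shows a narrowed range), you have found where the return packets are being dropped without needing to downgrade the IKE version.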
 +