====== IPSec VPN Troubleshooting ======

Remember, VM-Series firewalls can only handle 300Mbps each way (600Mbps total) per IPsec tunnel. This is due to the PAN-OS architecture. This does not affect hardware firewalls. More info [[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP5TCAW|here]] and [[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP8rCAG|here]].

===== Test All VPN Connections =====

<code>
test vpn ipsec-sa
</code>

===== Clear a VPN Tunnel Session =====

Where 1.1.1.1/24 is the other network and 2.2.2.2/24 is our network (and where there is no other traffic flowing between these IP addresses).

<code>
clear session all filter destination 1.1.1.1/24
clear session all filter destination 2.2.2.2/24
</code>

===== Rebuild VPN Tunnel =====

Or you can clear and recreate the tunnels using Palo Alto commands on the CLI.

<code>
clear vpn ipsec-sa tunnel IPSEC_TUN_NAME
clear vpn ike-sa gateway IKE_GW_NAME
test vpn ike-sa gateway IKE_GW_NAME
test vpn ipsec-sa tunnel IPSEC_TUN_NAME
</code>

Remember, if you are setting up a VPN from site A which has a changeable IP address and site B which is static, you configure the IKE Gateway at Site B to use a dynamic peer. However, this will not work if you have a GlobalProtect gateway hosted on the same IP.

===== VPN Tunnels Don't Come Up After Cutover =====

Migrating from FortiGate to Palo Alto Networks firewalls. VPN tunnels do not work at all.

  * Disabled the IPsec tunnels and the IKE gateways.
  * Committed.
  * Made a cup of tea and chilled for 15 minutes.
  * Enabled the IPsec tunnels and the IKE gateways.
  * Committed.
  * 5 of the 6 tunnels came up immediately. The 6th proved more difficult and was caused by something else.

===== Remote Site Not Getting Traffic With Proxy-ID =====

An old Cisco ASA 5505 running an unknown version of IOS is at a remote site that runs a 192.168.0.0/24 network. The ASA routes all traffic to the HQ firewall (Cisco ASA 5555) using an "interesting traffic" filter of 0.0.0.0/0.

A Palo Alto Networks PA-5220 running PAN-OS 9.1.8 has the VPN configured and is using a single Proxy-ID of "local:0.0.0.0/0,remote:192.168.0.0/24". The tunnel comes up straight away. We can see remote traffic coming to the PA-5220 and we can see the PA-5220 returning traffic. Security policy rules and static routing are working perfectly. However, return traffic to the ASA 5505 never reaches the 5505. Lots of troubleshooting later and we see that if we use any filter other than 0.0.0.0/0 (e.g. 10.0.0.0/8), then traffic flows. Obviously, this is useless as the remote site needs to browse the Internet through the HQ firewalls. More guessing games later and we reduce IKEv2 to IKEv1. Traffic starts working immediately.
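The Proxy-ID case above is a selector-matching problem: each (local, remote) pair on one side must appear as (remote, local) on the peer. The following is an added Python example (not from the original page, nor Palo Alto or Cisco tooling) that checks two selector lists mirror each other and flags a 0.0.0.0/0 selector under IKEv2, since in the case above traffic only flowed once IKEv1 was used. The selector lists are constructed from the values in the text.

```python
import ipaddress
from typing import List, Tuple

# A Proxy-ID (IKEv1) / traffic selector (IKEv2) is a (local, remote) pair of subnets,
# written from the point of view of the firewall that carries it.
ProxyID = Tuple[str, str]

# Constructed from the page: PA-5220 side, and the ASA 5505 side as it would mirror it.
PA_PROXY_IDS: List[ProxyID] = [("0.0.0.0/0", "192.168.0.0/24")]
ASA_PROXY_IDS: List[ProxyID] = [("192.168.0.0/24", "0.0.0.0/0")]

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def _parse(pids: List[ProxyID]):
    # Normalise to network objects so "10.0.0.0/8" and "10.0.0.0/255.0.0.0" compare equal.
    return [(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in pids]


def check_proxy_ids(ours: List[ProxyID], peers: List[ProxyID], ike_version: int) -> List[str]:
    """Return a list of findings; an empty list means every selector has a mirror on the peer."""
    ours_n, peers_n = _parse(ours), _parse(peers)
    findings = []

    # Every (local, remote) here must exist as (remote, local) on the peer, and vice versa.
    for l, r in ours_n:
        if (r, l) not in peers_n:
            findings.append(f"no mirror on peer for local={l} remote={r}")
    for l, r in peers_n:
        if (r, l) not in ours_n:
            findings.append(f"peer selector local={l} remote={r} has no counterpart here")

    # Caveat from the troubleshooting note above: with a 0.0.0.0/0 selector and IKEv2 the
    # tunnel came up but return traffic was dropped until the gateway was set to IKEv1.
    if ike_version == 2 and any(ANY_NET in (l, r) for l, r in ours_n):
        findings.append("0.0.0.0/0 selector with IKEv2: verify traffic actually flows, "
                        "or test with IKEv1 as in the ASA 5505 case")
    return findings


if __name__ == "__main__":
    for ver in (1, 2):
        print(f"IKEv{ver}:", check_proxy_ids(PA_PROXY_IDS, ASA_PROXY_IDS, ver) or "selectors mirror cleanly")
```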