

IPSec VPN Troubleshooting

Remember: a VM-Series firewall can only push about 300 Mbps in each direction (600 Mbps total) through a single IPsec tunnel. This is a consequence of the PAN-OS architecture and does not apply to hardware firewalls.

Test All VPN Connections

Initiates a test negotiation for every configured IPsec tunnel (append a tunnel name to test just one):

test vpn ipsec-sa

Clear a VPN Tunnel Session

Where 1.1.1.1/24 is the remote network and 2.2.2.2/24 is our network. The filter matches every session to that destination, tunnelled or not, so only use it where no other traffic flows between these addresses.

clear session all filter destination 1.1.1.1/24
clear session all filter destination 2.2.2.2/24

Rebuild VPN Tunnel

Alternatively, clear and recreate the tunnel from the PAN-OS CLI, in this order (IPsec SA, then IKE SA, then bring IKE back up before IPsec):

clear vpn ipsec-sa tunnel IPSEC_TUN_NAME
clear vpn ike-sa gateway IKE_GW_NAME
test vpn ike-sa gateway IKE_GW_NAME
test vpn ipsec-sa tunnel IPSEC_TUN_NAME

Remember: if site A has a dynamic (changeable) IP address and site B a static one, configure the IKE Gateway at site B with a dynamic peer address. This will not work if a GlobalProtect gateway is hosted on the same IP address at site B.

VPN Tunnels Don't Come Up After Cutover

After migrating from FortiGate to Palo Alto Networks firewalls, none of the VPN tunnels would establish. What fixed it:

  • Disabled the IPsec tunnels and the IKE gateways.
  • Committed.
  • Made a cup of tea and waited 15 minutes.
  • Enabled the IPsec tunnels and the IKE gateways.
  • Committed.
  • 5 of the 6 tunnels came up immediately. The 6th proved more difficult and turned out to have a different cause.

Remote Site not Getting Traffic With Proxy-ID

An old Cisco ASA 5505 running an unknown software version sits at a remote site with a 192.168.0.0/24 network.

The ASA sends all traffic to the HQ firewall (Cisco ASA 5555) through the tunnel, using an "interesting traffic" (crypto ACL) filter of 0.0.0.0/0.

A Palo Alto Networks PA-5220 running PAN-OS 9.1.8 has the VPN configured with a single Proxy-ID of "local:0.0.0.0/0,remote:192.168.0.0/24".

The tunnel comes up straight away. Remote traffic can be seen arriving at the PA-5220, and the PA-5220 can be seen sending the return traffic. Security policy rules and static routing work correctly.

However, that return traffic never reaches the ASA 5505.

After a lot of troubleshooting we find that any filter other than 0.0.0.0/0 (e.g. 10.0.0.0/8) makes traffic flow in both directions. That is useless here, as the remote site needs to browse the Internet through the HQ firewalls.

After more guesswork we drop the gateway from IKEv2 to IKEv1, and traffic starts working immediately.
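Before changing the IKE version, it is worth checking what each IKE version would actually do with the two proxy-IDs. The script below is an added example (not code from this page or from Palo Alto Networks) that models the responder's decision: under IKEv1 Quick Mode the peer's IDci/IDcr must be the exact mirror image of the local proxy-ID, while under IKEv2 the responder may narrow the proposed traffic selectors to its own policy (RFC 7296 section 2.9) and only fails with TS_UNACCEPTABLE when there is no overlap. The selector strings are constructed from the scenario above (ASA crypto ACL any from 192.168.0.0/24, PA-5220 proxy-ID as on the page, plus the 10.0.0.0/8 filter that worked); the function names and the `check_pair` report format are this example's own.

```python
"""Added example: how a VPN responder evaluates a peer's proxy-ID / traffic
selectors under IKEv1 (exact mirror match) and IKEv2 (narrowing, RFC 7296 2.9).
Not code from the page or from Palo Alto Networks; the selector strings in
__main__ are constructed from the scenario described in the text."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficSelector:
    """A proxy-ID as one side sees it: its own local network and the remote network."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def parse_ts(spec: str) -> TrafficSelector:
    """Parse the PAN-OS style string 'local:0.0.0.0/0,remote:192.168.0.0/24'."""
    fields = dict(part.strip().split(":", 1) for part in spec.split(","))
    return TrafficSelector(
        ipaddress.ip_network(fields["local"].strip(), strict=False),
        ipaddress.ip_network(fields["remote"].strip(), strict=False),
    )


def mirror(ts: TrafficSelector) -> TrafficSelector:
    """The same selector from the peer's point of view (local and remote swap)."""
    return TrafficSelector(ts.remote, ts.local)


def _intersect(a: ipaddress.IPv4Network, b: ipaddress.IPv4Network):
    """Intersection of two prefixes, or None if they do not overlap."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def ikev1_quick_mode_accepts(initiator: TrafficSelector,
                             responder_policy: TrafficSelector) -> bool:
    """IKEv1 Quick Mode: IDci/IDcr must equal the responder's proxy-ID exactly (mirrored)."""
    return mirror(initiator) == responder_policy


def ikev2_responder_narrow(initiator: TrafficSelector,
                           responder_policy: TrafficSelector):
    """IKEv2 CHILD_SA: the responder narrows TSi/TSr to its own policy (RFC 7296 2.9).
    Returns the selector the responder would install, or None (TS_UNACCEPTABLE)."""
    proposed = mirror(initiator)  # TSi is the initiator's local, i.e. our remote
    local = _intersect(proposed.local, responder_policy.local)
    remote = _intersect(proposed.remote, responder_policy.remote)
    if local is None or remote is None:
        return None
    return TrafficSelector(local, remote)


def check_pair(initiator_spec: str, responder_spec: str) -> dict:
    """Summarise what each IKE version would do with a given pair of proxy-IDs."""
    initiator = parse_ts(initiator_spec)
    responder = parse_ts(responder_spec)
    narrowed = ikev2_responder_narrow(initiator, responder)
    return {
        "ikev1_exact_match": ikev1_quick_mode_accepts(initiator, responder),
        "ikev2_narrowed_to": None if narrowed is None
        else f"local:{narrowed.local},remote:{narrowed.remote}",
        # True when the responder installed something smaller than was proposed
        "ikev2_narrowed_proposal": narrowed is not None and narrowed != mirror(initiator),
    }


if __name__ == "__main__":
    # Constructed from the scenario: the remote ASA's crypto ACL is "any" from its
    # 192.168.0.0/24 LAN; the PA-5220 proxy-ID on the page is its mirror image.
    asa = "local:192.168.0.0/24,remote:0.0.0.0/0"
    for pa in ("local:0.0.0.0/0,remote:192.168.0.0/24",    # as configured on the page
               "local:10.0.0.0/8,remote:192.168.0.0/24",   # the narrower filter that worked
               "local:10.0.0.0/8,remote:192.168.1.0/24"):  # mistyped remote: no overlap
        print(pa, check_pair(asa, pa))
```

Run it and compare the `ikev1_exact_match` and `ikev2_narrowed_to` fields against what `show vpn ipsec-sa` reports on the firewall: a proxy-ID that matches under both versions, as the page's pair does, tells you the selectors themselves are not the mismatch and the problem lies elsewhere (implementation-specific handling of the 0.0.0.0/0 selector, for example). Real responders may deviate from this model, notably when several proxy-IDs are configured on one tunnel, so treat the output as a sanity check rather than a verdict.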
