To test this feature, visit your live site.

Issue with S2S VPN - no encap

We have the tunnel established, but traffic doesn't appear to be hitting the tunnel only when leaving my side. I see no packet encaps, but do get decaps. I've went over and over the config and I'm not seeing anything that stands out. The remote side is a Cisco ASR1002-X.

I was thinking it may either be route or security profile related, but I have the route setup to use the tunnel.10 interface for this specific VPN in the virtual router. The odd thing on the security policy is I have added one for this traffic at the top of my list basically, but when I view the logs when sending test traffic the traffic is hitting our catch all at the bottom of the list.

Why would it not be hitting my rule toward the top? Any help is greatly appreciated!

7 comments

Comments (7)

Reaper

Oct 07, 2021

Awesome!

Reaper

Oct 06, 2021

1. Correct 2. Not necessarily, I've seen it "magically" establish but then fail on the actual communication, especially if there's more than 1 pair, or supernets 3. Zones would be internal interface to tunnel interface zone (i.e. trust to vpn and reverse), ones are determined after a route lookup (so if the route points outward, the destination zone would become untrust) 4. That's good! Any requirement for NAT?

iTechThingsSeriously

Oct 06, 2021

Replying to

2. My current proxy IDs are just a single IP locally to the /16 subnet remotely.

3. Ah...I think I follow. I have security policies for trust to a newly created VPN zone and reverse.

4. No NAT requirement.

In relation to zones, I consistently see the Traffic Monitor stating that the destination zone is untrust when trying to send traffic to the remote side, but shouldn't it be the VPN zone I created? Is it untrust because 150.2.x.x is publicly routable vs being a private IP on the remote side, yet I'm trying to send traffic to it over a VPN?

Reaper

Oct 06, 2021

Replying to

If you're seeing the destination zone as untrust, there's something up with your routing table: the session is matching the default route rather than the more specific route for the tunnel Try from CLI `show routing fib virtual-router <NameOfYourVR>` to see if the route is there Make sure the subnet mask is right

iTechThingsSeriously

Oct 06, 2021

Replying to

@Reaper With your input, I think I may have found it.

So this Palo has a Policy Based Forwarding rule configured from trusted zones that says to send everything out of the WAN interface that isn't destined for a private IP, i.e. Negate: 10.0.0.0/8, 172.16.0.0/16, and 192.168.0.0/16.

If I'm following correctly, that meant this public 150.x.x.x network was getting snatched up by this PBF rule and being sent straight out the wan interface instead of the tunnel interface. I added 150.2.0.0/16 to the negated destinations and was then able to verify encapsulated packets leaving the tunnel interface.

Thank you! This was driving me nuts.

Reaper

Oct 06, 2021

A few things could cause this - no route into the tunnel - mismatched proxyID on the tunnel - mismatched zone names (see routing table) - local routing overlap (conflicting local subnet)

iTechThingsSeriously

Oct 06, 2021

Replying to

Thanks Reaper. I'm very green on PAN. I want to make sure I'm following.

- no route into the tunnel -wouldn't the this be achieved in the Virtual Router config under Static Routes? From my config. Name: Tunnel2Peer, Destination: 150.2.0.0/16, Interface: tunnel.#, Next Hop: None

- mismatched proxy ID: If this was mismatched, wouldn't the result be that phase 2 wouldn't establish at all?

- mismatched zone names: Sorry, I'm not sure where to see zones in the routing table. All I see is destination, next hop, metric, weight, flags, age, interface

- local routing overlap: i.e. 150.2.0.0/16 would have to exist on my side? It definitely does not in my case.

Forum: Forum