I have a site to site VPN tunnel between PA-820 and Cisco ASA. The tunnel comes up successfully for both Phase 1 & 2. However, no traffic seems to be flowing between the endpoints.
Both the PA and ASA are behind a NAT device, I tried to enable NAT-T with no luck. Disabling it instead brings up the tunnel.
Running "show vpn flow tunnel-id x | match endap" I can see some encaps, but the decaps are 0. On the ASA side both encaps and decaps are 0.
Although I configured the static route on the virtual router pointing to the right tunnel interface, it seems the PA does not send the VPN traffic to the destination.
One thing worth mentioning is that the private IP of the outside interface of the ASA has the same subnet ID as the one I have between the PA and the local default gateway.
Any suggestion is appreciated.
Unfortunately it did not work, but it's very much appreciated anyway :)
Your help was very useful anyway, and this forum is definitely the way to go when it comes to PA :). I will recommend it on my blog https://bluenetsec.com/blog/, which is more dedicated to Cisco security topics, at least for now :)
Good to hear you found the solution! I was starting to get worried I overlooked something obvious ;) Thanks for ordering the book! I hope you find it useful :)
The issue is fixed now. It was caused by the missing configuration on the ISP router, which was denying NAT-T traffic; this is why it was not working when I tried to enable NAT-T on the PA. After opening port 4500/udp on the ASA's ISP router and after I enabled NAT-T for this tunnel, everything started working as expected. I learned a lot during this troubleshooting journey though, and I am now looking forward to receiving your book that I ordered on Amazon:
https://www.amazon.co.uk/Mastering-Palo-Alto-Networks-industry-leading/dp/1789956374/ref=sr_1_3?dchild=1&keywords=palo+alto+networks&qid=1596997780&quartzVehicle=109-1385&replacementKeywords=palo+networks&sr=8-3
Thank you for all your help on this.
Yes: debug dataplane packet-diag clear log log
Is it possible to clear the pan_packet_diag.log file content before I start again?
debug dataplane packet-diag clear filter all
Ok, how to clear all the filters so I can start again?
Also, you don't need to define all the filters. Your first filter is from the Palo to the ASA, but you set an ingress interface while this is outbound traffic, so leave out the interface and focus on the source/dest IPs.
After which step shall I apply the filter?
Don't forget to turn on the filters: debug dataplane packet-diag set filter on
I must have done something wrong; the log file was showing a bunch of details not only related to the filters I set. I followed these steps:
debug dataplane packet-diag set filter match source <PA-endpoint> destination <ASA-endpoint> ingress-interface <PA-internal-int>
debug dataplane packet-diag set filter match ingress-interface <PA-external-int> source <ASA-public-ip>
debug dataplane packet-diag set filter match source <ASA-public-ip> destination <PA-external-private-ip>
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag set log on
Ping from endpoint behind PA to the one behind the ASA
debug dataplane packet-diag set log off
debug dataplane packet-diag aggregate-logs
less mp-log pan_packet_diag.log
Are those steps correct?
True. Ok, so, flow basic:
Make sure to set filters first:
Between the client and server on the inside
Between the external interface and the remote public IP
Between the remote public IP and the external IP
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag set log on
Run a test
debug dataplane packet-diag set log off
Wait a minute
debug dataplane packet-diag aggregate-logs
Wait a few more minutes
less mp-log pan_packet_diag.log
Find the interface packets are being pushed into and whether there's any communication between the endpoints.
I see, but I can't see a good value in running the capture in this case since it would not show me what is being passed through the tunnel interface.
You can set all kinds of filters; I was just pointing out you can only pick ingress-interface, where egress-interface would have been a nice filter option. The last step is to enable flow basic (debug dataplane packet-diag set log feature flow basic), but this gets extremely deep dive-y...
Is it possible to do a real time capture on PA?
If the capture is going to be only on the ingress interface it would not help much since I know the traffic goes through the ingress interface. That's because when I try to ping the remote endpoints behind the ASA, I see the tunnel being triggered on the PA.
I am running out of ideas of how to fix this interesting issue.
You can set up packet capture and simultaneously follow global counters. Unfortunately the only 'interface' option is on ingress.
To set filters:
debug dataplane packet-diag set filter match <tab for filters>
To set captures:
debug dataplane packet-diag set capture stage receive|transmit|drop file <filename>
Then turn both on:
debug dataplane packet-diag set filter on
debug dataplane packet-diag set capture on
Or via GUI: Monitor > Packet Capture
show counter global filter delta yes packet-filter yes (do one before you start to set the delta)
I did it without the condition keyword since we have only one peer configured on the ASA; I could not spot anything wrong. I am still thinking that the issues are more related to routing rather than the tunnel itself.
Is there any way on PA to capture what is being sent out of the tunnel interface? On the ASA that is possible, but unfortunately the ASA in this case runs an old code version that does not support that feature.
Have you tried:
debug crypto condition peer <peer IP>
debug crypto ipsec 255
This is what I see on the ASA:
xxx-xx(config)# sh vpn-sessiondb de l2l | i Tx|Rx
Bytes Tx : 0 Bytes Rx : 0
Bytes Tx : 0 Bytes Rx : 0
Pkts Tx : 0 Pkts Rx : 0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
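A small diagnostic helper, added here and not code from the thread, from Palo Alto Networks or from Cisco: it parses the ASA "#pkts" counter lines quoted above and turns the encaps/decaps pattern reported in this thread (encaps on the PA, zero decaps on both ends) into the next thing to check. The PA-side counters are a constructed dict, not parsed PAN-OS output.

```python
import re

# Constructed sample: the ASA IPsec SA counter lines as quoted in the thread.
ASA_SA_OUTPUT = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Constructed sample of what the PA side reported: encaps increment, decaps stay at 0.
PA_COUNTERS = {"encaps": 42, "decaps": 0}


def parse_counters(text):
    """Return {name: value} for every '#pkts <name>: <n>' field in ASA SA output."""
    counters = {}
    for m in re.finditer(r"#?pkts\s+(\w+):\s*(\d+)", text):
        counters[m.group(1)] = int(m.group(2))
    return counters


def diagnose(local, remote):
    """Interpret encaps/decaps on both tunnel ends.

    local/remote are dicts with integer 'encaps' and 'decaps' packet counts.
    Returns a one-line hint about where the traffic is being lost.
    """
    local_enc, local_dec = local["encaps"], local["decaps"]
    remote_enc, remote_dec = remote["encaps"], remote["decaps"]
    if local_enc == 0:
        # Nothing ever entered the tunnel: routing or policy on the local box.
        return "local side never encapsulates: traffic is not routed into the tunnel (check routes/policy)"
    if remote_dec == 0:
        # We send ESP (or UDP/4500 with NAT-T) but the peer never sees it: the path in between.
        return "local encaps but remote never decaps: ESP/UDP 4500 is not reaching the peer (check NAT-T and the path in between)"
    if remote_enc == 0:
        return "remote decaps but never encapsulates replies: check remote routing/crypto ACL"
    if local_dec == 0:
        return "remote encaps but local never decaps: return path is blocked"
    return "counters increment both ways: tunnel forwards; look at policy/NAT on the payload"


if __name__ == "__main__":
    print(diagnose(PA_COUNTERS, parse_counters(ASA_SA_OUTPUT)))
```

With the numbers from this thread the helper points at the path between the peers, which is where the blocked UDP 4500 on the ISP router was eventually found.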