#Palo Alto Networks VPN UDP how to#
This post covers an issue that can leave a Palo Alto site-to-site VPN tunnel up but with no traffic flowing between the encryption domains. Here is the scenario I came across: a site-to-site VPN tunnel between a Palo Alto and a Cisco ASA, with the ASA sitting behind a NAT device (its ISP router).

The tunnel was configured without NAT-T, and I could see both Phase 1 and Phase 2 establish successfully between the two firewalls. However, no traffic passed between the local and the remote encryption domains. When I initiated traffic from the Palo Alto side, I could see the encaps counter increasing on the IPsec tunnel (show vpn flow name <tunnel-name> on the Palo Alto) but zero decaps, and on the ASA side nothing landed in the IPsec tunnel (show crypto ipsec sa) or even hit the ASA outside interface. When I initiated traffic from the ASA side instead, everything worked as expected.

Digging deeper, and asking for help on (which I highly recommend to anyone who wants to put a Palo Alto topic on the table and get prompt answers from expert people), I started enabling debugs on both the Palo Alto and the ASA. Interestingly, I could not see anything worth mentioning in the debug or log output. On the other hand, when I tried enabling NAT-T on the Palo Alto, the Phase 1 tunnel could not be established, and I got a snippet similar to the following from the debugs (the IP addresses have been replaced):

Looking at the above snippet, there were a couple of interesting things. NAT-T seemed to be failing between the two firewalls, and it looked like the remote ASA was not using port 4500/udp as it should have. Some more investigation showed that the ASA's ISP router had the NAT-T port, 4500/udp, closed. After opening that port, data started flowing from both ends successfully.

More specifically, the issue was this. Without NAT-T, the Palo Alto was sending ESP packets (IP protocol 50) across the VPN tunnel as expected, but ESP carries no L4 port numbers: the transport header sits inside the encrypted payload, and the only identifier in the clear is the SPI. The ASA's ISP router, doing PAT, therefore had nothing to match an inbound ESP packet against and could not route it to the ASA, so it discarded it. With NAT-T enabled, but without 4500/udp open on the ASA's ISP router, the traffic was instead encapsulated in UDP with 4500 as both the source and the destination port (RFC 3948), but because the router had that port closed it was dropping that traffic as well.

Now, why did it work without NAT-T, but only when the traffic was initiated from the ASA side? I think that was because in that case the ASA's ISP router applied NAT to the ESP traffic sourced from the ASA and destined for the Palo Alto, creating state entries for the traffic leaving it towards the Palo Alto (IPsec passthrough, keyed on the peer rather than on ports). When the return traffic arrived from the Palo Alto, the router could associate it with those entries and forward it to the ASA. When the Palo Alto initiated, no such entry existed yet, so the first ESP packet had nothing to match. The practical takeaway: when one IPsec peer sits behind NAT, enable NAT-T on both peers and make sure 4500/udp (alongside 500/udp for the initial IKE exchange) is permitted in both directions on every device in the path; NAT detection happens in Phase 1, and once NAT is detected both IKE and ESP float to 4500.

This wraps up this little post about a Palo Alto VPN tunnel being up with no traffic.
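To make the NAT-T reasoning above concrete, here is an added example (not code from the original post): a small Python model of the ASA's ISP router as a PAT device with ESP passthrough and an inbound port filter, plus a classifier that tells raw ESP, IKE on 500, IKE floated to 4500 (non-ESP marker), NAT keepalives and ESP-in-UDP apart using the RFC 3948 framing. The addresses, SPIs and the router's exact behaviour are assumptions constructed for the illustration; the four scenarios replay the situations described in the post.

```python
import struct
from dataclasses import dataclass, field

PROTO_UDP, PROTO_ESP = 17, 50
IKE_PORT, NATT_PORT = 500, 4500

# Constructed addresses (assumptions for the illustration, not the author's):
PA_PUBLIC = "203.0.113.10"    # Palo Alto outside interface
ISP_PUBLIC = "198.51.100.1"   # public side of the ISP router in front of the ASA
ASA_INSIDE = "192.168.1.2"    # ASA outside interface, RFC 1918, behind the ISP router


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0          # ESP has no ports; 0 means "none"
    dport: int = 0
    payload: bytes = b""


def classify(pkt: Packet) -> str:
    """Name the IPsec traffic type (RFC 4303 ESP; RFC 3948 UDP encapsulation on 4500)."""
    if pkt.proto == PROTO_ESP:
        return "ESP spi=0x%08x" % struct.unpack("!I", pkt.payload[:4])[0]
    if pkt.proto != PROTO_UDP:
        return "other"
    if IKE_PORT in (pkt.sport, pkt.dport):
        return "IKE/500"
    if NATT_PORT in (pkt.sport, pkt.dport):
        if pkt.payload == b"\xff":                      # one-byte NAT keepalive
            return "NAT-keepalive/4500"
        if pkt.payload[:4] == b"\x00\x00\x00\x00":      # non-ESP marker: IKE floated to 4500
            return "IKE/4500"
        return "ESP-in-UDP/4500 spi=0x%08x" % struct.unpack("!I", pkt.payload[:4])[0]
    return "other"


@dataclass
class PatRouter:
    """Toy model of the ASA's ISP router: PAT for UDP, ESP passthrough, inbound UDP port filter."""
    inside_host: str
    outside_ip: str
    filtered_udp_ports: set = field(default_factory=set)
    udp_state: dict = field(default_factory=dict)   # (peer, peer_port, outside_port) -> inside port
    esp_peers: set = field(default_factory=set)      # peers we have sent ESP to (passthrough state)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: create state and rewrite the source address (port-preserving PAT)."""
        if pkt.proto == PROTO_UDP:
            self.udp_state[(pkt.dst, pkt.dport, pkt.sport)] = pkt.sport
        elif pkt.proto == PROTO_ESP:
            # ESP has no ports, only an SPI; all a PAT box can remember is the peer it was sent to.
            self.esp_peers.add(pkt.dst)
        return Packet(self.outside_ip, pkt.dst, pkt.proto, pkt.sport, pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> str:
        """Outside -> inside: forward only what matches state or passthrough and is not filtered."""
        kind = classify(pkt)
        if pkt.proto == PROTO_UDP:
            if pkt.dport in self.filtered_udp_ports:
                return "dropped %s: udp/%d filtered" % (kind, pkt.dport)
            if (pkt.src, pkt.sport, pkt.dport) in self.udp_state:
                return "forwarded %s to %s" % (kind, self.inside_host)
            return "dropped %s: no PAT state" % kind
        if pkt.proto == PROTO_ESP:
            if pkt.src in self.esp_peers:
                return "forwarded %s to %s" % (kind, self.inside_host)
            return "dropped %s: no ports to match and no passthrough state" % kind
        return "dropped %s: unknown" % kind


def esp(src, dst, spi):
    return Packet(src, dst, PROTO_ESP, payload=struct.pack("!I", spi) + b"\x00" * 8)


def esp_in_udp(src, dst, spi):
    return Packet(src, dst, PROTO_UDP, NATT_PORT, NATT_PORT, struct.pack("!I", spi) + b"\x00" * 8)


def scenarios() -> dict:
    """Replay the situations from the post against the toy router."""
    out = {}
    # 1. No NAT-T, Palo Alto initiates: encaps rise on the PA, nothing reaches the ASA.
    r = PatRouter(ASA_INSIDE, ISP_PUBLIC)
    out["no_natt_pa_initiates"] = r.inbound(esp(PA_PUBLIC, ISP_PUBLIC, 0xC0FFEE01))
    # 2. No NAT-T, ASA initiates: outbound ESP leaves passthrough state, return ESP matches it.
    r = PatRouter(ASA_INSIDE, ISP_PUBLIC)
    r.outbound(esp(ASA_INSIDE, PA_PUBLIC, 0xC0FFEE02))
    out["no_natt_asa_initiates"] = r.inbound(esp(PA_PUBLIC, ISP_PUBLIC, 0xC0FFEE01))
    # 3. NAT-T on, udp/4500 filtered on the ISP router: state exists, packet is still dropped.
    r = PatRouter(ASA_INSIDE, ISP_PUBLIC, filtered_udp_ports={NATT_PORT})
    r.outbound(esp_in_udp(ASA_INSIDE, PA_PUBLIC, 0xC0FFEE02))
    out["natt_4500_filtered"] = r.inbound(esp_in_udp(PA_PUBLIC, ISP_PUBLIC, 0xC0FFEE01))
    # 4. NAT-T on, udp/4500 open: the ASA's own UDP/4500 traffic keeps a PAT entry alive,
    #    so PA-initiated ESP-in-UDP has ports to match against.
    r = PatRouter(ASA_INSIDE, ISP_PUBLIC)
    r.outbound(esp_in_udp(ASA_INSIDE, PA_PUBLIC, 0xC0FFEE02))
    out["natt_4500_open"] = r.inbound(esp_in_udp(PA_PUBLIC, ISP_PUBLIC, 0xC0FFEE01))
    return out


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print("%-24s %s" % (name, verdict))
```

Run as a script to see one verdict per scenario. The model deliberately has no port-forward for ESP or UDP/4500: that is exactly what a stateful PAT box without a static rule looks like, and it is why the post's symptom (encaps climbing on the Palo Alto, zero decaps, nothing on the ASA outside interface) appears only when the side behind NAT is not the initiator.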