The IPSEC Tunnel Comes Up But Hosts Behind Peer Are Not Reachable

The IPSEC Tunnel Comes Up But Hosts Behind Peer Are Not Reachable

55648
Created On 09/25/18 19:36 PM - Last Modified 06/09/23 08:54 AM


Resolution


Issue

Occasionally, on a site-to-site IPSec VPN between a Palo Alto Networks device and another device, Phase 1 and Phase 2 will be up. However, the hosts behind the peer are not reachable.

 

Details

Determine what zone the tunnel interface is located. If the tunnel interface is in the untrust zone, the traffic will be NATed to the public IP, while leaving the tunnel, by the default NAT rule on the Palo Alto Networks device.

 

Resolution

There are two options to resolve this issue:

  • Move the tunnel interface to one of the inside zones, so that the traffic will not get NATed while leaving the tunnel.
  • Create a No-NAT rule for traffic from the inside zones to those destination addresses behind the peer.

 

owner: achalla



Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cla4CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language