Palo Alto Networks Knowledgebase: The IPSEC Tunnel Comes Up But Hosts Behind Peer Are Not Reachable

12958
Created On 02/08/19 00:01 AM - Last Updated 02/08/19 00:01 AM
VPNs
Issue

Occasionally, on a site-to-site IPSec VPN between a Palo Alto Networks firewall and another device, IKE Phase 1 and IPSec Phase 2 both come up, yet the hosts behind the peer are not reachable.

Details

Determine which zone the tunnel interface is in. If the tunnel interface is in the untrust zone, traffic routed into the tunnel matches the existing outbound source NAT rule (typically trust to untrust, translating to the public IP of the external interface), so it leaves the tunnel with the firewall's public address as its source. That address is not part of the local network the peer expects for this tunnel, so the peer drops or misroutes the traffic and no reply comes back, even though both phases are up.

Resolution

There are two ways to resolve this:

  • Move the tunnel interface to one of the inside zones, so that tunnel-bound traffic no longer matches the trust-to-untrust source NAT rule and leaves the tunnel untranslated. If the tunnel interface shares a zone with the local hosts, traffic to the peer becomes intrazone and is permitted by the intrazone-default rule unless explicit security policy is added.
  • Create a No-NAT rule (a NAT rule with no source or destination translation configured) for traffic from the inside zones to the destination addresses behind the peer, and place it above the general outbound NAT rule. NAT policy is evaluated top-down and the first match wins, so a No-NAT rule below the outbound rule never takes effect.
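Both options expressed as PAN-OS CLI set commands, added here as an illustration and not part of the original article. The zone names (trust, untrust), rule names (No-NAT-to-Peer, Outbound-NAT), interfaces (ethernet1/1, tunnel.1) and addresses (10.1.0.0/16 local, 192.168.50.0/24 behind the peer) are assumptions about a typical deployment; substitute your own.

```text
# Added example, not from the original article. Assumed layout:
#   trust          = inside zone holding the LAN 10.1.0.0/16
#   untrust        = zone holding ethernet1/1 (public IP) and tunnel.1
#   192.168.50.0/24 = network behind the IPSec peer
#   Outbound-NAT   = existing trust-to-untrust source NAT rule, e.g.
#   set rulebase nat rules Outbound-NAT source-translation dynamic-ip-and-port interface-address interface ethernet1/1

configure

# Option 2: No-NAT rule for LAN-to-peer traffic. It carries no
# source-translation or destination-translation stanza, so matching
# traffic is left untranslated. It is matched on the egress zone, which
# is still untrust because tunnel.1 lives there.
set rulebase nat rules No-NAT-to-Peer description "Do not NAT LAN traffic into the site-to-site tunnel"
set rulebase nat rules No-NAT-to-Peer from trust
set rulebase nat rules No-NAT-to-Peer to untrust
set rulebase nat rules No-NAT-to-Peer to-interface any
set rulebase nat rules No-NAT-to-Peer source 10.1.0.0/16
set rulebase nat rules No-NAT-to-Peer destination 192.168.50.0/24
set rulebase nat rules No-NAT-to-Peer service any

# NAT policy is first-match, top-down: the No-NAT rule must sit above
# the general outbound rule or it is never evaluated.
move rulebase nat rules No-NAT-to-Peer before Outbound-NAT

# Option 1 instead (use one option, not both): take tunnel.1 out of
# untrust so the trust-to-untrust rule no longer matches tunnel traffic.
# delete zone untrust network layer3 tunnel.1
# set zone trust network layer3 tunnel.1

commit
exit

# Check (operational mode): the rule named in the output for a sample
# LAN-to-peer flow must be No-NAT-to-Peer, not Outbound-NAT.
test nat-policy-match from trust to untrust source 10.1.10.5 destination 192.168.50.10 protocol 6 destination-port 445
```

Run the final `test nat-policy-match` line after the commit; the sample source and destination hosts are constructed, so pick a real LAN host and a real host behind the peer. If the output still names the outbound rule, the No-NAT rule is either below it or does not match the zone, source or destination of the actual flow.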

owner: achalla



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cla4CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail