The IPSEC Tunnel Comes Up But Hosts Behind Peer Are Not Reachable
55648
Created On 09/25/18 19:36 PM - Last Modified 06/09/23 08:54 AM
Resolution
Issue
Occasionally, on a site-to-site IPSec VPN between a Palo Alto Networks device and another device, Phase 1 and Phase 2 will be up. However, the hosts behind the peer are not reachable.
Details
Determine what zone the tunnel interface is located. If the tunnel interface is in the untrust zone, the traffic will be NATed to the public IP, while leaving the tunnel, by the default NAT rule on the Palo Alto Networks device.
Resolution
There are two options to resolve this issue:
- Move the tunnel interface to one of the inside zones, so that the traffic will not get NATed while leaving the tunnel.
- Create a No-NAT rule for traffic from the inside zones to those destination addresses behind the peer.
owner: achalla