Palo Alto Networks Knowledgebase: Traffic is not flowing across IPSec VPN due to Phase 2 Ciphers
Created On 02/07/19 23:43 PM - Last Updated 02/07/19 23:44 PM
This article applies when your IPSec VPN tunnel shows green (up) under Network > IPSec Tunnels, Phase 1 and Phase 2 have both completed, and yet no traffic flows across the tunnel.
To confirm that this is the issue, run the following CLI command several times: once before and once after attempting to send data across the VPN tunnel:
> show counter global filter severity drop aspect tunnel category flow
Look for the following two counter values:
If those two values increase between runs, this may indicate a problem with the IPSec Phase 2 SA. Some firewalls do not support newer ciphers (for example aes-256-gcm) and may require older ciphers to function correctly.
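The check above amounts to taking two snapshots of the counter output and looking for anything that went up. The following script is an added example and is not part of the original article or a Palo Alto Networks tool; it parses two captured snapshots of the "show counter global" table layout (name, value, rate, severity, category, aspect, description) and reports the counters that increased. The snapshot text and the counter names in it are constructed samples for illustration, not real PAN-OS counter names, and the column layout is assumed to match the CLI output.

```python
import re

# Constructed sample output in the layout of "show counter global filter ...";
# counter names are placeholders, not real PAN-OS counters.
SNAPSHOT_BEFORE = """\
Global counters:
Elapsed time since last sampling: 5.123 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------------------------------
example_tunnel_drop_a                     12        0 drop      flow      tunnel    constructed sample counter
example_tunnel_drop_b                      3        0 drop      flow      tunnel    constructed sample counter
example_unrelated_counter                 40        0 drop      flow      tunnel    constructed sample counter
"""

# Same table after sending traffic through the tunnel: the first two counters rose.
SNAPSHOT_AFTER = """\
Global counters:
Elapsed time since last sampling: 4.870 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------------------------------
example_tunnel_drop_a                     19        1 drop      flow      tunnel    constructed sample counter
example_tunnel_drop_b                      8        1 drop      flow      tunnel    constructed sample counter
example_unrelated_counter                 40        0 drop      flow      tunnel    constructed sample counter
"""

# A counter row: name, integer value, integer rate, then severity/category/aspect
# and a free-text description. Header and banner lines do not match because their
# second field is not an integer.
COUNTER_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_counters(text):
    """Return {counter_name: value} for every counter row in a snapshot."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def increasing_counters(before_text, after_text):
    """Return {counter_name: delta} for counters whose value rose between snapshots.

    A counter absent from the first snapshot is treated as having started at 0,
    since PAN-OS omits counters that are still zero.
    """
    before = parse_counters(before_text)
    after = parse_counters(after_text)
    return {
        name: value - before.get(name, 0)
        for name, value in after.items()
        if value > before.get(name, 0)
    }


if __name__ == "__main__":
    for name, delta in increasing_counters(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{name}: +{delta}")
```

To use it against a live firewall, paste the output of the two CLI runs into the two snapshot strings (or read them from files); any tunnel-aspect drop counter that keeps climbing while the tunnel is reported up points at the Phase 2 cipher mismatch described here.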
To resolve this issue, check with your VPN peer and verify the ciphers in use; the cipher you have selected may not be supported by the peer. Once you have the list of ciphers the peer supports, go to Network > Network Profiles > IPSec Crypto, select the profile used for this VPN peer, and add the supported ciphers. Commit, then test again.
[Figure: IPSec Crypto Profile window showing the supported ciphers.] Note: If the profile is also used by other IPSec VPN peers that are working, we recommend creating a new Crypto Profile for any new ciphers that are needed rather than changing the shared one.