Palo Alto Networks Knowledgebase: Traffic is not flowing across IPSec VPN due to Phase 2 Ciphers

Created On 02/07/19 23:43 PM - Last Updated 02/07/19 23:44 PM
VPNs
Resolution

Symptom

Your IPSec VPN tunnel shows green (up) under Network > IPSec Tunnels, and both Phase 1 and Phase 2 have completed, but no traffic flows across the tunnel.

Confirmation

To confirm that this is the issue, please run the following CLI command more than once: once before and once after trying to send data across the VPN tunnel:

> show counter global filter severity drop aspect tunnel category flow

Please look for the following 2 values:

  • flow_tunnel_decap_err
  • flow_tunnel_ipsec_bad_length
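Because the check depends on comparing two snapshots of the counter output, a small script that parses both and reports which of the two watched counters went up makes the confirmation step repeatable. The following is an added example, not part of the original article or of any Palo Alto Networks tooling; the sample output is constructed to resemble what the "show counter global" command prints, and the counter values and description strings are illustrative rather than captured from a real firewall.

```python
import re
from typing import Dict, Tuple

# The two counters the article says to watch for a Phase 2 cipher problem.
WATCHED_COUNTERS = ("flow_tunnel_decap_err", "flow_tunnel_ipsec_bad_length")

# Constructed sample output (assumption): modelled on the layout of
#   > show counter global filter severity drop aspect tunnel category flow
# The numbers and description text are illustrative only.
BEFORE = """\
Global counters:
Elapsed time since last sampling: 4.3 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------------------------
flow_tunnel_decap_err                     120        0 drop      flow      tunnel    Packet dropped: tunnel decapsulation error
flow_tunnel_ipsec_bad_length              120        0 drop      flow      tunnel    Packet dropped: IPSec packet with bad length
flow_tunnel_encap_err                       3        0 drop      flow      tunnel    Packet dropped: tunnel encapsulation error
--------------------------------------------------------------------------------------------------
Total counters shown: 3
"""

# Second constructed snapshot, taken after sending test traffic into the tunnel.
AFTER = """\
Global counters:
Elapsed time since last sampling: 6.1 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------------------------
flow_tunnel_decap_err                     137        2 drop      flow      tunnel    Packet dropped: tunnel decapsulation error
flow_tunnel_ipsec_bad_length              137        2 drop      flow      tunnel    Packet dropped: IPSec packet with bad length
flow_tunnel_encap_err                       3        0 drop      flow      tunnel    Packet dropped: tunnel encapsulation error
--------------------------------------------------------------------------------------------------
Total counters shown: 3
"""

# A counter row starts with a lowercase counter name, then the value and rate
# columns as integers, then the severity. Header, separator and "Total" lines
# do not match this shape and are skipped.
COUNTER_LINE = re.compile(
    r"^(?P<name>[a-z][a-z0-9_]*)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\S+)\s"
)


def parse_counters(output: str) -> Dict[str, int]:
    """Return {counter_name: value} for every counter row in the CLI output."""
    counters: Dict[str, int] = {}
    for line in output.splitlines():
        match = COUNTER_LINE.match(line)
        if match:
            counters[match.group("name")] = int(match.group("value"))
    return counters


def increased_counters(before: Dict[str, int], after: Dict[str, int],
                       watched=WATCHED_COUNTERS) -> Dict[str, int]:
    """Return {name: delta} for watched counters that rose between snapshots.

    A counter absent from a snapshot is treated as zero, which is what the
    filtered CLI output does when a counter has never fired.
    """
    deltas: Dict[str, int] = {}
    for name in watched:
        delta = after.get(name, 0) - before.get(name, 0)
        if delta > 0:
            deltas[name] = delta
    return deltas


def suspect_phase2_cipher_mismatch(before_output: str,
                                   after_output: str) -> Tuple[bool, Dict[str, int]]:
    """Apply the article's rule: both watched counters increasing after test
    traffic points at the IPSec Phase 2 tunnel. Returns (verdict, deltas)."""
    deltas = increased_counters(parse_counters(before_output), parse_counters(after_output))
    return set(deltas) == set(WATCHED_COUNTERS), deltas


if __name__ == "__main__":
    verdict, deltas = suspect_phase2_cipher_mismatch(BEFORE, AFTER)
    for name, delta in deltas.items():
        print(f"{name} increased by {delta}")
    print("Phase 2 cipher mismatch suspected" if verdict else "Counters did not increase together")
```

In practice you would paste the two captures of the command output into the two strings (or read them from files); the comparison logic is unchanged. If only one of the two counters rises, the script reports the delta but does not return the verdict, which keeps the check aligned with the article's "both values increasing" wording.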

Cause

If you see those 2 values increasing, this may indicate an issue with the IPSec Phase 2 tunnel. Some firewalls may not support newer ciphers (aes-256-gcm, etc.) and may require older ciphers in order to function correctly.

Resolution

To resolve this issue, please check with your VPN peer and verify the ciphers being used. It is possible that the cipher you are using is not supported by the peer. Once you have a list of the ciphers supported by the peer, verify the encryption ciphers you have selected by going to Network > Network Profiles > IPSec Crypto, select the profile used for this VPN peer, and add the supported ciphers. Commit and then test.

[Image: IPSec Crypto Profile window showing the supported ciphers.]
Note: If the profile is used by other IPSec VPN peers, and works, then we recommend creating a new Crypto Profile for any new ciphers that are needed.
