VPN Tunnel Traffic Encapsulation Incrementing but no Decaps
Traffic from one side shows proper encapsulation and decapsulation counters, whereas traffic from the other side shows encapsulation but no decapsulation.
The issue is that the tunnel terminates on an interface in a zone different from the zone where the ESP (Encapsulating Security Payload) packets ingress.
- Tunnel terminating on an IP on Ethernet/2 in DMZ zone.
- ESP packets ingressing on Ethernet/1 in WAN zone.
After the IKE negotiation completes, the Palo Alto Networks firewall creates a tunnel session for ESP traffic so that it can be properly encapsulated and decapsulated. The incoming ESP traffic arrives on Ethernet/1 in the WAN zone. It does not match the tunnel session, because the tunnel session expects ESP traffic to ingress on the DMZ zone.
Move the IKE gateway to an interface in the same WAN zone (a loopback interface in that zone also works). The incoming ESP traffic then matches the tunnel session and is decapsulated.
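The following is an added model of the session-matching behaviour described above; it is not code from the article or from PAN-OS. It reduces the firewall's tunnel session to a lookup on (protocol, peer, local address, ingress zone) and shows why ESP arriving on Ethernet/1 (WAN) is not decapsulated while the IKE gateway is bound to Ethernet/2 (DMZ), and why binding it to a WAN-zone interface (here a constructed loopback.1) fixes it. Interface names follow the article; the IP addresses, the peer address and the `loopback.1` name are constructed for the example.

```python
from dataclasses import dataclass

ESP = 50  # IP protocol number for ESP (RFC 4303)


@dataclass(frozen=True)
class Packet:
    """An ESP packet as seen by the dataplane (constructed for this model)."""
    ingress_if: str
    src: str
    dst: str
    proto: int = ESP


@dataclass(frozen=True)
class TunnelSession:
    """Session installed after IKE completes. The firewall expects ESP from the
    peer to ingress in the zone of the interface that terminates the tunnel."""
    ingress_zone: str
    peer: str
    local: str
    proto: int = ESP


class Firewall:
    def __init__(self, zone_of: dict, addr_of: dict):
        self.zone_of = zone_of    # interface -> zone
        self.addr_of = addr_of    # interface -> local IP address
        self.sessions = []
        self.decaps = 0
        self.no_match = 0

    def complete_ike(self, gateway_if: str, peer: str) -> None:
        """Model of the step after IKE negotiation: install a tunnel session
        keyed on the zone of the interface the IKE gateway is bound to."""
        self.sessions.append(
            TunnelSession(self.zone_of[gateway_if], peer, self.addr_of[gateway_if]))

    def receive(self, pkt: Packet) -> str:
        """Look the packet up against installed tunnel sessions."""
        zone = self.zone_of[pkt.ingress_if]
        for s in self.sessions:
            if (pkt.proto, pkt.src, pkt.dst, zone) == (s.proto, s.peer, s.local, s.ingress_zone):
                self.decaps += 1
                return "decap"
        # Right protocol and addresses but wrong ingress zone: no session, no decap.
        self.no_match += 1
        return "no-session"


def scenario(gateway_if: str, packets: int = 3) -> dict:
    """Run the article's scenario. ESP always physically arrives on Ethernet/1
    (WAN); only the interface the IKE gateway is bound to changes."""
    fw = Firewall(
        zone_of={"Ethernet/1": "WAN", "Ethernet/2": "DMZ", "loopback.1": "WAN"},
        addr_of={"Ethernet/1": "203.0.113.10",    # constructed addresses
                 "Ethernet/2": "198.51.100.10",
                 "loopback.1": "203.0.113.20"},
    )
    peer = "192.0.2.1"  # constructed remote VPN peer
    fw.complete_ike(gateway_if, peer)
    for _ in range(packets):
        fw.receive(Packet(ingress_if="Ethernet/1", src=peer, dst=fw.addr_of[gateway_if]))
    return {"decap": fw.decaps, "no_session": fw.no_match}


if __name__ == "__main__":
    print("gateway on Ethernet/2 (DMZ):", scenario("Ethernet/2"))    # no decaps
    print("gateway on loopback.1 (WAN):", scenario("loopback.1"))    # all decapsulated
```

On a real firewall the equivalent check is the encap/decap counters shown by `show vpn flow` for the tunnel: encaps rising while decaps stay at zero on one side is the symptom this model reproduces when the gateway is bound to the DMZ-zone interface.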