VPN Tunnel Traffic Encapsulation Incrementing but no Decaps

56944
Created On 09/26/18 13:50 PM - Last Modified 06/06/23 19:22 PM

Issue

One side of the tunnel shows both its encapsulation and decapsulation counters incrementing, while the other side shows only encapsulation incrementing and no decapsulation: traffic leaving that firewall through the tunnel is encrypted and sent, but the ESP packets arriving from the peer are never decapsulated. On PAN-OS the counters are visible in the "encap packets" and "decap packets" fields of show vpn flow name <tunnel-name>.


Cause

The IKE gateway, and therefore the tunnel, terminates on an interface in one zone, while the peer's ESP (Encapsulating Security Payload) packets actually arrive on an interface in a different zone.

Example:

  • The IKE gateway (tunnel endpoint) is bound to an IP address on Ethernet/2 in the DMZ zone.
  • The peer's ESP packets ingress on Ethernet/1 in the WAN zone.


After the IKE negotiation completes, the Palo Alto Networks firewall creates a tunnel session that ESP traffic must match in order to be encapsulated and decapsulated. That session is built for the zone the IKE gateway is bound to, so it expects the peer's ESP to ingress in the DMZ zone. The peer's ESP packets actually arrive on Ethernet/1 in the WAN zone, do not match the tunnel session, and are therefore never decapsulated. Outbound traffic is unaffected by the mismatch, which is why the encap counter keeps incrementing while decap stays at zero.


Resolution

Bind the IKE gateway to an interface in the WAN zone, the zone on which the peer's ESP packets actually ingress. This can be a loopback interface placed in the WAN zone; it does not have to be Ethernet/1 itself. The tunnel session is created at IKE negotiation time, so the tunnel must renegotiate before the change takes effect: clear the existing IKE and IPSec SAs (clear vpn ike-sa gateway <gateway-name>, clear vpn ipsec-sa tunnel <tunnel-name>) or wait for the next rekey. The new tunnel session then expects ESP in the WAN zone, the incoming ESP packets are matched, and decapsulation proceeds. Confirm by checking that "decap packets" in show vpn flow name <tunnel-name> now increments along with "encap packets".

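The following PAN-OS configure-mode commands are an added example written for this article, not commands taken from the article or from Palo Alto Networks documentation. They show the misconfigured gateway beside the corrected one for the scenario above. The interface numbering (ethernet1/1 in WAN, ethernet1/2 in DMZ), the loopback.1 interface, the virtual router name "default", the gateway name vpn-gw, the tunnel name vpn-tunnel and all addresses (documentation prefixes 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are assumptions for illustration. Lines beginning with "#" are annotations, not CLI input.

```text
# Assumed zone membership: ethernet1/1 faces the Internet (WAN), ethernet1/2 is DMZ.
set zone WAN network layer3 ethernet1/1
set zone DMZ network layer3 ethernet1/2

# Misconfiguration reproduced from the article's example: the IKE gateway is
# bound to the DMZ interface, but the peer reaches the firewall through
# ethernet1/1, so inbound ESP ingresses the WAN zone and never matches the
# tunnel session (encap increments, decap stays at zero).
set network ike gateway vpn-gw local-address interface ethernet1/2 ip 198.51.100.10/24
set network ike gateway vpn-gw peer-address ip 192.0.2.20

# Fix: terminate the gateway on an interface in the WAN zone. Here a loopback
# is created, routed through the default virtual router, placed in WAN, and
# the gateway is re-bound to it (binding directly to ethernet1/1 also works).
set network interface loopback units loopback.1 ip 203.0.113.10/32
set network virtual-router default interface loopback.1
set zone WAN network layer3 loopback.1
set network ike gateway vpn-gw local-address interface loopback.1 ip 203.0.113.10/32
commit

# Operational mode, after the commit: force renegotiation so a new tunnel
# session is built for the WAN zone, then verify that decap now increments.
clear vpn ike-sa gateway vpn-gw
clear vpn ipsec-sa tunnel vpn-tunnel
show vpn flow name vpn-tunnel
```

When the loopback carries a different address than the interface the peer was previously using, the remote peer's IKE gateway must be repointed at that address and the address must be reachable through the WAN interface; if keeping the existing address matters more, bind the gateway to ethernet1/1 itself instead of a loopback.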

owner: rkim



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsiCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail