Wifi calling failing on PA-5200 or PA-7000 series

Created On 06/25/19 22:36 PM - Last Modified 01/15/21 18:49 PM


Symptom


  • Wi-Fi Calling fails.
  • A packet capture shows inbound ESP packets being dropped.


Environment


  • PAN-OS 8.1
  • PAN-OS 9.0
  • Multi-dataplane devices (5000, 5200, 7000 series platforms)
  • Initial configuration
  • Wi-Fi Calling passing through the firewall


Cause


IPSec pass-through traffic is processed completely differently on Palo Alto Networks multi-dataplane devices.
  • The port numbers used for IPSec session creation are derived from the SPI values that the remote IPSec peers exchange during IKE phase 2 of tunnel establishment. Sessions are matched on six tuples: source and destination IPs, source and destination ports, protocol, and zone.
  • For pass-through IPSec traffic, where the Palo Alto Networks firewall is only an intermediate device between two IPSec peers, it is practically impossible to create a session based on the negotiated SPI values, since IKE phase 2 is encrypted and its content is not visible to the firewall. Returning traffic therefore never matches the session that your users initiated through the equipment you have.
  • On your previous OS version and on single-dataplane equipment, this worked differently. Since the SPI values cannot be seen in advance, the firewall creates the session for IPSec pass-through traffic using the generic value 20033 for both source and destination port.
  • On a multi-dataplane device, because of an architectural difference, a different technique is used for session creation of IPSec pass-through traffic. On these platforms the session ports are again derived from SPI values (see the link below for this process). Since the SPI values are not known in advance, the firewall creates the session as the real ESP traffic arrives. Because each flow of a single IPSec tunnel (client-to-server and server-to-client) uses a unique SPI value, the firewall creates two independent IPSec sessions for one IPSec tunnel, one per direction.
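As an added illustration, not code from the original article, the following Python models the session-key behaviour described above: with the fixed port 20033 the return ESP flow matches the reverse of the forward session, while pseudo-ports derived from per-direction SPIs give two keys that never match, which is why each direction ends up as its own session. The SPI-to-port split, the IP addresses, the zone names and the SPI values are constructed assumptions.

```python
import struct
from dataclasses import dataclass

ESP_PROTOCOL = 50        # IP protocol number for ESP
LEGACY_ESP_PORT = 20033  # generic port the article gives for single-dataplane platforms

@dataclass(frozen=True)
class SessionKey:
    # The six tuples from the article: IPs, ports, protocol and ingress zone.
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    zone: str

    def reverse(self, return_zone):
        # Key that a server-to-client packet must carry to match this session.
        return SessionKey(self.dst_ip, self.src_ip, self.dst_port,
                          self.src_port, self.proto, return_zone)

def parse_esp_spi(esp_payload):
    """Read the 32-bit SPI that opens every ESP packet (RFC 4303: SPI, then sequence number)."""
    if len(esp_payload) < 8:
        raise ValueError("ESP header needs at least 8 bytes (SPI + sequence number)")
    return struct.unpack("!I", esp_payload[:4])[0]

def spi_to_ports(spi):
    # Assumption: the 32-bit SPI is split into two 16-bit halves used as pseudo-ports.
    # The exact PAN-OS mapping is in the linked KB article and is not reproduced here.
    return spi >> 16, spi & 0xFFFF

def session_key(src_ip, dst_ip, zone, esp_payload, multi_dataplane):
    if multi_dataplane:
        sport, dport = spi_to_ports(parse_esp_spi(esp_payload))
    else:
        sport = dport = LEGACY_ESP_PORT  # same fixed value both ways, so the reverse flow matches
    return SessionKey(src_ip, dst_ip, sport, dport, ESP_PROTOCOL, zone)

def demo():
    # Constructed sample: handset in the Wi-Fi zone, ePDG on the internet, a distinct SPI per direction.
    c2s = struct.pack("!II", 0xC0A80001, 1) + b"\x00" * 16  # SPI, sequence, opaque ciphertext
    s2c = struct.pack("!II", 0x12345678, 1) + b"\x00" * 16
    results = {}
    for mdp in (False, True):
        fwd = session_key("10.1.1.10", "203.0.113.5", "wifi", c2s, mdp)
        ret = session_key("203.0.113.5", "10.1.1.10", "untrust", s2c, mdp)
        results["multi" if mdp else "single"] = ret == fwd.reverse(ret.zone)
    return results  # {'single': True, 'multi': False}
```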


PROCESSING IPSEC PASS-THROUGH TRAFFIC ON THE PALO ALTO NETWORKS FIREWALL

WHAT DO THE PORT NUMBERS IN AN IPSEC-ESP SESSION REPRESENT?

CONFIGURING THE PALO ALTO NETWORKS DEVICE AS AN IPSEC PASSTHROUGH


Resolution


NOTE: On PA-7000 and PA-5200 series platforms, security policies must be configured to allow pass-through ESP traffic in both directions.
  1. Configure the security policy based on the known ISP/SP gateways, so that not just any IPSec traffic can reach your internal Wi-Fi zone.
  2. Even a simple configuration that lets the Palo Alto Networks firewall act as a VPN pass-through for traffic between VPN peers requires known endpoints for security.


Additional Information


Some resources for finding the ePDG URLs and IP addresses are listed below. For any further information, the service provider must be contacted directly, as they do not provide this information to Palo Alto Networks.

Wi-Fi Calling on a corporate network

AT&T Wi-Fi Calling LAN and VPN configuration

Sprint will take a call directly from Technical Support representatives; a Customer Care agent will typically not be able to help you. Here is an article on the Sprint Community that is a good resource for contacting them, as they provided this information to a Palo Alto Networks customer on this case.

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMDtCAO&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail