Traffic not passing through an established IPSec tunnel from a VM-Series firewall on OpenStack

Created On 07/10/19 21:55 - Last Modified 09/10/19 21:23


Symptom


  • Interesting traffic is not passing through the IPSec tunnel
  • VM-Series firewall deployed on an OpenStack cloud
  • IPSec tunnel between the OpenStack VM-Series firewall and an outside endpoint
  • Tunnel is up: both Phase 1 (IKE) and Phase 2 (IPSec SA) are established
  • Packet captures on the firewall show ESP packets being sent from the firewall
  • Those ESP packets are not received on the tunnel peer


Environment


  • VM series firewall
  • OpenStack Cloud
  • IPSec Tunnel


Cause


  • OpenStack Neutron port security (security groups) was dropping the ESP traffic (IP protocol 50) on the firewall's dataplane ports
  • A Neutron security group rule that should have allowed ESP traffic was present, yet the ESP packets were still dropped


Resolution


  • Disabling Neutron port security on the ports corresponding to the firewall dataplane interfaces was the only workaround that allowed ESP traffic to flow. With port security disabled, neither security groups nor Neutron's MAC/IP anti-spoofing filtering apply to that port, so the firewall's own security policy becomes the only control on traffic entering and leaving the dataplane interface.
  • Run once per dataplane port (the port ID below is the one from the original case):
# neutron port-update ccbd0ed6-3dfd-4431-af29-4a2d921abb38 --port_security_enabled=False
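Before disabling port security, a practitioner will want to confirm that the rule that "should" allow ESP actually covers the flow: right direction, right remote prefix, protocol given as esp or 50, and attached to the security group of the dataplane port rather than only the management port. The Python below is an added example written for this page, not code from the Palo Alto Networks article or from OpenStack. It audits the JSON that the OpenStack CLI prints for a port and for its security group rules, and reports which IPSec flows (ESP in each direction, IKE on UDP/500, NAT-T on UDP/4500) no rule admits. The field names used (`port_security_enabled`, `security_group_ids`, `IP Protocol`, `Ethertype`, `IP Range`, `Port Range`, `Direction`, `Remote Security Group`) are an assumption about the shape of `openstack port show <port-id> -f json` and `openstack security group rule list <sg-id> --long -f json`; the port ID, security group ID, peer address and rules are constructed for the example.

```python
"""Audit a VM-Series dataplane port's security group rules for IPSec flows.

Added example (not from the Palo Alto Networks article). Field names are an
assumption about `openstack ... -f json` output; all IDs, addresses and rules
below are constructed for the example.
"""
import ipaddress
import json

# Constructed: abridged `openstack port show <dataplane-port> -f json` output.
PORT_JSON = json.dumps({
    "id": "ccbd0ed6-3dfd-4431-af29-4a2d921abb38",
    "port_security_enabled": True,
    "security_group_ids": ["0b6e1e1a-0000-4000-8000-000000000001"],
    "fixed_ips": [{"ip_address": "10.10.1.10"}],
})

# Constructed: rules of that security group. An ESP rule exists, but only for
# egress, so ESP arriving from the peer is still dropped by port security.
RULES_JSON = json.dumps([
    {"ID": "r1", "IP Protocol": "esp", "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
     "Port Range": "", "Direction": "egress", "Remote Security Group": None},
    {"ID": "r2", "IP Protocol": "udp", "Ethertype": "IPv4", "IP Range": "203.0.113.5/32",
     "Port Range": "500:500", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "r3", "IP Protocol": "udp", "Ethertype": "IPv4", "IP Range": "203.0.113.5/32",
     "Port Range": "4500:4500", "Direction": "ingress", "Remote Security Group": None},
    # Neutron's default "allow all egress" rule: a protocol of None means any.
    {"ID": "r4", "IP Protocol": None, "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
     "Port Range": "", "Direction": "egress", "Remote Security Group": None},
])

PEER = "203.0.113.5"  # constructed address of the remote IPSec endpoint

ESP_NAMES = {"esp", "50"}  # Neutron accepts ESP by name or by protocol number

# (direction, protocol, L4 port or None, description)
IPSEC_FLOWS = [
    ("ingress", "esp", None, "ingress ESP (IP protocol 50) from peer"),
    ("egress", "esp", None, "egress ESP (IP protocol 50) to peer"),
    ("ingress", "udp", 500, "ingress IKE UDP/500 from peer"),
    ("egress", "udp", 500, "egress IKE UDP/500 to peer"),
    ("ingress", "udp", 4500, "ingress NAT-T UDP/4500 from peer"),
    ("egress", "udp", 4500, "egress NAT-T UDP/4500 to peer"),
]


def _port_range(spec):
    """'500:500' -> (500, 500); an empty range means every port."""
    if not spec:
        return 1, 65535
    lo, hi = spec.split(":")
    return int(lo), int(hi)


def _proto_matches(rule_proto, wanted):
    if rule_proto is None:  # rule without a protocol matches any protocol
        return True
    rule_proto = str(rule_proto).lower()
    return rule_proto in ESP_NAMES if wanted == "esp" else rule_proto == wanted


def rule_admits(rule, direction, proto, peer, l4_port=None):
    """True if one security group rule permits this flow to or from `peer`."""
    if rule.get("Direction", "ingress") != direction:
        return False
    if rule.get("Ethertype", "IPv4") != "IPv4":
        return False
    if not _proto_matches(rule.get("IP Protocol"), proto):
        return False
    if rule.get("Remote Security Group"):
        return False  # remote-group rules match other Neutron ports, never an external peer
    prefix = rule.get("IP Range") or "0.0.0.0/0"
    if ipaddress.ip_address(peer) not in ipaddress.ip_network(prefix, strict=False):
        return False
    if l4_port is not None:
        lo, hi = _port_range(rule.get("Port Range"))
        if not lo <= l4_port <= hi:
            return False
    return True


def audit_ipsec_port(port_json, rules_json, peer):
    """Return a list of findings; an empty list means every IPSec flow is admitted."""
    port = json.loads(port_json)
    rules = json.loads(rules_json)
    if not port.get("port_security_enabled", True):
        # Nothing to audit: security groups and anti-spoofing no longer apply.
        return ["port security disabled: security groups are not evaluated on this port"]
    findings = []
    if not port.get("security_group_ids"):
        findings.append("no security group attached: port security drops all ingress")
    for direction, proto, l4_port, label in IPSEC_FLOWS:
        if not any(rule_admits(r, direction, proto, peer, l4_port) for r in rules):
            findings.append(f"no rule admits {label}")
    return findings


if __name__ == "__main__":
    for line in audit_ipsec_port(PORT_JSON, RULES_JSON, PEER) or ["rules cover ESP and IKE"]:
        print(line)
```

Paste real output into the two strings for each dataplane port in turn (`openstack port list --server <instance>` lists an instance's ports); a rule in the management port's security group does nothing for a dataplane port. If the audit is clean and the peer still receives no ESP, fall back to the article's workaround; the unified client equivalent of the neutron command above is `openstack port set --disable-port-security <port-id>`.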


Additional Information


  • Supporting links for OpenStack information
https://superuser.openstack.org/articles/managing-port-level-security-openstack/


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMKaCAO&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail