IPsec passthrough traffic routed through PA-VM via OCI Dynamic Routing Gateway (DRG) does not traverse as expected
Created On 03/19/20 01:47 AM - Last Modified 04/04/20 00:11 AM
Symptom
- IPsec passthrough traffic routed through the PA-VM firewall via the OCI Dynamic Routing Gateway (DRG) does not traverse as expected
- Review the topology and note that the IPsec tunnel is not terminated on the PA-VM; the firewall only forwards the encrypted traffic (passthrough)
- Verify the session details for a specific source and destination pair:
    show session all filter source <src IP> host <Dst IP>
    show session id <session id>
  In the session details you will notice traffic going out (client-to-server), but no response traffic (server-to-client) is ever seen
- Check the egress interface of the session, identify the vNIC mapped to that interface in OCI, and note down its subnet
- Check the OCI route table of that subnet to see whether the route towards the on-prem network is pointing to the DRG
- In the above scenario, no issues are seen on the firewall itself; the traffic is forwarded correctly but is dropped after it leaves the PA-VM
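The session check above can be automated. The following is an added example, not part of this article or of any Palo Alto Networks tooling: it parses the text of a "show session id" command and flags a session that looks like IPsec passthrough (ESP/AH, or IKE on UDP 500/4500) with outbound traffic but no return traffic. The sample output embedded in the script is constructed for illustration, and the exact field layout of the session output is an assumption; adjust the regular expressions to match your PAN-OS version.

```python
import re

# Constructed sample of "show session id <id>" output (not captured from a real
# device). It shows an ESP (protocol 50) passthrough session that has sent 120
# packets client-to-server and received nothing back, which is the symptom
# described in the article.
SAMPLE_SESSION = """\
Session            31337
        c2s flow:
                source:      10.10.1.5 [trust]
                dst:         203.0.113.20
                proto:       50
                sport:       0               dport:      0
                state:       ACTIVE          type:       FLOW
        s2c flow:
                source:      203.0.113.20 [untrust]
                dst:         10.10.1.5
                proto:       50
                sport:       0               dport:      0
                state:       ACTIVE          type:       FLOW
        start time                           : Thu Mar 19 01:40:12 2020
        timeout                              : 30 sec
        total byte count(c2s)                : 18240
        total byte count(s2c)                : 0
        layer7 packet count(c2s)             : 120
        layer7 packet count(s2c)             : 0
        ingress interface                    : ethernet1/2
        egress interface                     : ethernet1/1
"""

# Field layout assumed from typical PAN-OS output; verify against your version.
COUNTER_RE = re.compile(
    r"^\s*(total byte count|layer7 packet count)\((c2s|s2c)\)\s*:\s*(\d+)", re.M
)
PROTO_RE = re.compile(r"^\s*proto:\s*(\d+)", re.M)
DPORT_RE = re.compile(r"dport:\s*(\d+)")
EGRESS_RE = re.compile(r"^\s*egress interface\s*:\s*(\S+)", re.M)

IPSEC_IP_PROTOS = {50: "ESP", 51: "AH"}   # encrypted payload protocols
IKE_UDP_PORTS = {500, 4500}               # IKE and NAT-T


def parse_session(text):
    """Extract protocol, destination port, egress interface and counters."""
    session = {}
    for name, direction, value in COUNTER_RE.findall(text):
        key = "bytes" if name.startswith("total") else "packets"
        session[f"{key}_{direction}"] = int(value)
    protos = PROTO_RE.findall(text)
    dports = DPORT_RE.findall(text)
    egress = EGRESS_RE.search(text)
    # The c2s flow is listed first, so take the first proto/dport seen.
    session["proto"] = int(protos[0]) if protos else None
    session["dport"] = int(dports[0]) if dports else None
    session["egress_interface"] = egress.group(1) if egress else None
    return session


def diagnose(text):
    """Classify the session and flag the one-way traffic pattern."""
    s = parse_session(text)
    s["ipsec_passthrough"] = (
        s["proto"] in IPSEC_IP_PROTOS
        or (s["proto"] == 17 and s["dport"] in IKE_UDP_PORTS)
    )
    # Packets leave the firewall but nothing returns: look beyond the PA-VM
    # (e.g. the OCI route table of the egress subnet) rather than at the policy.
    s["one_way"] = s.get("packets_c2s", 0) > 0 and s.get("packets_s2c", 0) == 0
    return s


if __name__ == "__main__":
    result = diagnose(SAMPLE_SESSION)
    for key, value in sorted(result.items()):
        print(f"{key:>20}: {value}")
    if result["ipsec_passthrough"] and result["one_way"]:
        print(f"\nOne-way IPsec passthrough session; check the OCI route table "
              f"for the subnet of egress interface {result['egress_interface']}")
```

Paste the output of "show session id <session id>" into SAMPLE_SESSION (or read it from a file) and run the script; a one-way IPsec passthrough verdict tells you which egress interface, and therefore which OCI subnet route table, to inspect next.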
Environment
- Platform: PA-VM
- PAN-OS / Plugin Version: Any
- Deployment: Any
Cause
- This is a limitation of the OCI DRG: its route table does not allow a static route whose next hop is a private IP address (such as the PA-VM interface), so return traffic arriving at the DRG cannot be steered back through the firewall
Resolution
- The OCI-recommended workaround is to bypass the DRG and establish the IPsec tunnel via an Internet Gateway (IGW) instead