IPsec passthrough traffic routed through PA-VM via OCI Dynamic Routing Gateway (DRG) does not traverse as expected

Created On 03/19/20 01:47 AM - Last Modified 04/04/20 00:11 AM


Symptom


  • IPsec passthrough traffic routed through the PA-VM firewall via the Dynamic Routing Gateway (DRG) does not traverse as expected
  • Review the topology and note that the IPsec tunnel is not terminated on the PA-VM; the firewall only passes the encrypted traffic through
  • Verify the session details for a specific source and destination:
    show session all filter source <src IP> destination <dst IP>
    show session id <session id>
  • You will notice traffic leaving the firewall, but no return traffic is seen
  • Identify the egress interface, find the OCI vNIC mapped to that interface, and note its subnet
  • Check that subnet's route table to see whether the route toward the on-prem network points to the DRG
  • In this scenario, no issues are seen on the firewall itself
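The following script is an added example, not part of the Palo Alto Networks article. It automates the two checks above: it parses the text of `show session id <id>` captured from the PA-VM to confirm that an ESP/AH passthrough session is one-way (bytes sent, none returned), and it resolves the on-prem destination against the OCI route table of the egress subnet to confirm that the next hop is a DRG. The session text and route-table JSON are constructed samples; the route-table field names (`routeRules`, `destination`, `destinationType`, `networkEntityId`) follow the OCI API shape, and the OCIDs are placeholders.

```python
"""Diagnostic helper for the IPsec-passthrough-via-DRG symptom (added example).

Inputs are assumed to have been captured by hand: the output of
`show session id <id>` on the PA-VM and the JSON of the OCI route table
attached to the firewall's egress subnet. Both samples below are constructed.
"""
import ipaddress
import re

# Constructed `show session id` output for an ESP (IP protocol 50) passthrough
# session: traffic leaves the firewall (c2s) but nothing comes back (s2c).
SAMPLE_SESSION = """\
Session          12345
        c2s flow:
                source:      10.10.1.20 [trust]
                dst:         192.168.100.5
                proto:       50
                state:       ACTIVE
        s2c flow:
                source:      192.168.100.5 [untrust]
                dst:         10.10.1.20
                proto:       50
                state:       ACTIVE
        total byte count(c2s):        48400
        total byte count(s2c):        0
"""

# Constructed OCI route table: default route via an Internet Gateway, and the
# on-prem prefix 192.168.100.0/24 via a DRG (OCIDs are placeholders).
SAMPLE_ROUTE_TABLE = {
    "id": "ocid1.routetable.oc1..placeholder",
    "routeRules": [
        {"destination": "0.0.0.0/0", "destinationType": "CIDR_BLOCK",
         "networkEntityId": "ocid1.internetgateway.oc1..placeholder"},
        {"destination": "192.168.100.0/24", "destinationType": "CIDR_BLOCK",
         "networkEntityId": "ocid1.drg.oc1..placeholder"},
    ],
}

_COUNT_RE = re.compile(r"total byte count\((c2s|s2c)\):\s+(\d+)")


def parse_session(text):
    """Extract protocol, c2s destination and byte counts from show session id."""
    c2s_block = re.search(r"c2s flow:(.*?)s2c flow:", text, re.S).group(1)
    dst = re.search(r"dst:\s+(\S+)", c2s_block).group(1)
    proto = int(re.search(r"proto:\s+(\d+)", c2s_block).group(1))
    counts = {d: int(n) for d, n in _COUNT_RE.findall(text)}
    return {"proto": proto, "dst": dst,
            "c2s": counts.get("c2s", 0), "s2c": counts.get("s2c", 0)}


def is_one_way(session):
    """True when bytes leave the firewall but no return traffic is seen."""
    return session["c2s"] > 0 and session["s2c"] == 0


def is_ipsec_passthrough(session):
    """ESP (50) or AH (51) flowing through the firewall, not terminating on it."""
    return session["proto"] in (50, 51)


def next_hop_for(route_table, dst_ip):
    """Longest-prefix match of dst_ip against the table's CIDR_BLOCK rules."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for rule in route_table["routeRules"]:
        if rule.get("destinationType") != "CIDR_BLOCK":
            continue
        net = ipaddress.ip_network(rule["destination"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rule["networkEntityId"])
    return best[1] if best else None


def gateway_kind(ocid):
    """Resource type segment of an OCID, e.g. 'drg' or 'internetgateway'."""
    parts = ocid.split(".")
    return parts[1] if len(parts) > 1 else None


def diagnose(session_text, route_table):
    """Combine both checks; matches_kb_symptom is True for the case in this KB."""
    s = parse_session(session_text)
    hop = next_hop_for(route_table, s["dst"])
    kind = gateway_kind(hop) if hop else None
    return {
        "one_way": is_one_way(s),
        "ipsec_passthrough": is_ipsec_passthrough(s),
        "next_hop_kind": kind,
        "matches_kb_symptom": is_ipsec_passthrough(s) and is_one_way(s) and kind == "drg",
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_SESSION, SAMPLE_ROUTE_TABLE))
```

When `matches_kb_symptom` is True the firewall is behaving correctly and the fix lies in the OCI routing (see Cause and Resolution); if the next hop resolves to something other than a DRG, the problem is elsewhere and the session should be investigated on the firewall side.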


Environment


  • Platform: PA-VM
  • PAN-OS / Plugin Version: Any
  • Deployment: Any


Cause


  • This is a limitation of the OCI DRG: its route table does not accept static routes whose next hop is a private IP, so return traffic cannot be steered back through the PA-VM


Resolution


  • OCI's recommended workaround is to bypass the DRG and establish the IPsec tunnel via an Internet Gateway (IGW)


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPA9CAO&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail