The VPN between Palo Alto and the Checkpoint firewall does not come up when the Checkpoint device is the IKE initiator.
Created On 03/01/24 16:45 PM - Last Modified 06/14/24 02:12 AM
Symptom
- Palo Alto firewall is an IKE responder.
- The checkpoint device is the IKE initiator.
- There is no NAT on the forwarding path.
- The NAT traversal (NAT-T) option is enabled on the Palo Alto firewall (Network -> IKE Gateways -> click the gateway name -> Advanced Options).
Environment
- Prisma Access
- Supported PAN-OS
- CheckPoint Versions R80.10 (EOL), R80.20 (EOL), R80.30 (EOL), R80.40
Cause
A defect in older versions of Checkpoint software, tracked by Check Point as sk165003. With NAT-T enabled, the Palo Alto responder concludes from the Checkpoint initiator's IKE_SA_INIT that the peer is behind NAT even though no NAT exists on the path, so its IKE_SA_INIT reply is handled as NAT-T traffic and dropped.
Resolution
- Resolution: upgrade the Checkpoint devices to a version that fixes the defect described in sk165003.
- Workaround: make the Palo Alto firewall the IKE initiator and the Checkpoint device the IKE responder.
- Alternative workaround: disable NAT-T on the Palo Alto firewall if it is not needed (it is only required when a NAT device sits between the peers).
- The same "peer behind NAT" message may still be logged after disabling NAT-T or after making the firewall the initiator, because the existing tunnel state is retained.
- In that case, delete the tunnel configuration, commit on the firewall, and reconfigure the tunnel without NAT-T.
Additional Information
- ikemgr.log (less mp-log ikemgr.log) reports "peer behind NAT" even though the peer is not behind a NAT device:
admin@FW(active)> tail follow yes mp-log ikemgr.log
.......
2024-02-08 20:22:09.200 -0500 [INFO]: { 1: }: NAT detected: peer behind NAT >>>> Message indicating that peer is behind NAT
- The global counters show the IKE_SA_INIT response being dropped by flow_tunnel_decap_natt_tp_0 (the packet is treated as NAT-T encapsulated traffic for which no tunnel entry exists):
admin@FW(active)> show counter global filter packet-filter yes delta yes
flow_tunnel_decap_natt_tp_0 7 0 drop flow tunnel Packet decapped: tunnel entry not found in nat-t decap
flow_ip_cksm_sw_validation 6 0 info flow pktproc Packets for which IP checksum validation was done in software
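To turn the two checks above into a repeatable triage step, the following script correlates them: it parses ikemgr.log lines for the "NAT detected: peer behind NAT" message and the `show counter global` output for `flow_tunnel_decap_natt_tp_0` drops, and flags the sk165003 signature only when both appear and the operator has confirmed there is no NAT on the path. This is an added example, not Palo Alto Networks or Check Point code; the sample inputs are constructed from the lines shown in this article, the regexes assume the column layout of those two outputs as shown above, and the function and class names are the author's own.

```python
"""Correlate ikemgr.log and global-counter output for the NAT-T signature.

Added example (not vendor code). Inputs are pasted CLI output from
`tail follow yes mp-log ikemgr.log` and
`show counter global filter packet-filter yes delta yes`.
"""
import re
from dataclasses import dataclass, field

# One ikemgr.log line: timestamp, level, IKE SA id in braces, message.
IKEMGR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) "
    r"\[(?P<level>[A-Z]+)\]: \{\s*(?P<sa>\d+): \}: (?P<msg>.*)$"
)
NAT_DETECTED_MSG = "NAT detected: peer behind NAT"

# One counter row: name value rate severity category aspect description
COUNTER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>\w+)\s+(?P<category>\w+)\s+(?P<aspect>\w+)\s+(?P<desc>.*)$"
)
NATT_DROP_COUNTER = "flow_tunnel_decap_natt_tp_0"

# Constructed sample inputs, copied from the lines shown in this article.
# The "......." line stands in for unrelated log output and must be ignored.
SAMPLE_IKEMGR = """\
.......
2024-02-08 20:22:09.200 -0500 [INFO]: { 1: }: NAT detected: peer behind NAT
"""
SAMPLE_COUNTERS = """\
flow_tunnel_decap_natt_tp_0 7 0 drop flow tunnel Packet decapped: tunnel entry not found in nat-t decap
flow_ip_cksm_sw_validation 6 0 info flow pktproc Packets for which IP checksum validation was done in software
"""


@dataclass
class Finding:
    peer_behind_nat_msgs: list = field(default_factory=list)  # (timestamp, sa_id)
    natt_decap_drops: int = 0
    other_drops: dict = field(default_factory=dict)  # other 'drop' counters seen
    matches_signature: bool = False


def parse_ikemgr(text):
    """Yield (timestamp, sa_id, message) for each well-formed ikemgr.log line."""
    for line in text.splitlines():
        m = IKEMGR_RE.match(line.strip())
        if m:
            yield m.group("ts"), int(m.group("sa")), m.group("msg")


def parse_counters(text):
    """Return {name: (value, severity, description)} for each counter row."""
    rows = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            rows[m.group("name")] = (int(m.group("value")), m.group("severity"), m.group("desc"))
    return rows


def analyze(ikemgr_text, counter_text, peer_really_behind_nat):
    """Correlate both outputs.

    peer_really_behind_nat is the operator's knowledge of the path; the
    article's case is False (no NAT). The signature is only meaningful when
    the log claims NAT that the operator knows does not exist.
    """
    f = Finding()
    for ts, sa, msg in parse_ikemgr(ikemgr_text):
        if msg.startswith(NAT_DETECTED_MSG):
            f.peer_behind_nat_msgs.append((ts, sa))
    counters = parse_counters(counter_text)
    if NATT_DROP_COUNTER in counters:
        f.natt_decap_drops = counters[NATT_DROP_COUNTER][0]
    f.other_drops = {
        name: value
        for name, (value, severity, _) in counters.items()
        if severity == "drop" and name != NATT_DROP_COUNTER
    }
    f.matches_signature = (
        not peer_really_behind_nat
        and bool(f.peer_behind_nat_msgs)
        and f.natt_decap_drops > 0
    )
    return f


if __name__ == "__main__":
    result = analyze(SAMPLE_IKEMGR, SAMPLE_COUNTERS, peer_really_behind_nat=False)
    print(result)
    if result.matches_signature:
        print("Matches sk165003 pattern: upgrade Checkpoint, or swap initiator/responder, or disable NAT-T.")
```

Run it with `delta yes` output captured while the Checkpoint side retries, so the counter reflects only new drops; a non-zero `other_drops` entry points at a different problem (for example a policy or route issue) rather than this defect.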