How to troubleshoot no traffic flow through IPsec tunnel
66013
Created On 08/04/22 16:50 PM - Last Modified 08/23/23 20:58 PM
Objective
Troubleshooting no traffic flow through IPsec tunnel
Environment
- Palo Alto Firewall
- IPsec tunnel
Procedure
- Go through the checks in How to troubleshoot traffic flowing in only one direction through IPsec tunnel; they mostly concern the configuration on the PAN-FW.
- If your IPsec tunnel is configured between two PAN-FWs and there is a NAT device in between, make sure NAT Traversal (NAT-T) is enabled on both sides of the tunnel, then check IPSec VPN Tunnel with NAT Traversal.
- If your IPsec tunnel is configured between a PAN-FW and a Cisco ASA and there is a NAT device in between, make sure NAT-T is enabled and that the Cisco ASA also permits the NAT-T port, 4500/udp.
- If your IPsec tunnel is up but packets are being dropped and the wrong SPI counter is increasing, check the highlighted link.
- If your IPsec tunnel is up and you have configured dynamic routing over IPsec against a Cisco router, then make sure you have followed the steps listed in How to Configure Dynamic Routing over IPSec against Cisco routers.
- If traffic is not passing through an established IPSec tunnel from a VM-Series firewall on OpenStack, check the highlighted link.
- Check whether any upstream device is performing port-and-address translation (PAT). Because ESP is a layer 3 protocol, ESP packets carry no port numbers. When such a device receives ESP packets, there is a high possibility it silently drops them, because it sees no port numbers to translate.
- If none of the above fixes your problem, then refer to Resource List: IPSec Configuring and Troubleshooting or contact our technical support team.
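The PAT point above is easy to see on the wire. The following is an added example, not part of this article or of any PAN-OS tooling: a small Python classifier that parses a raw IPv4 packet and reports whether a port-translating device has any ports to rewrite, distinguishing plain ESP (IP protocol 50, SPI in the first four bytes, no ports) from NAT-T traffic on UDP/4500, where RFC 3948 marks IKE with four zero bytes and otherwise carries the ESP SPI directly after the UDP header. The builder, the addresses and the SPI value are constructed test data.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_UDP = 17
IPPROTO_ESP = 50
NAT_T_PORT = 4500  # UDP port used for NAT-T (RFC 3948)


@dataclass
class Verdict:
    kind: str               # "esp", "udp-esp", "udp-ike" or "other"
    spi: Optional[int]      # ESP SPI when one is visible
    translatable: bool      # True when a PAT device has L4 ports to rewrite


def classify_ipv4(pkt: bytes) -> Verdict:
    """Parse a raw IPv4 packet and say whether PAT could translate it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4       # header length in bytes
    proto = pkt[9]                  # IP protocol number
    payload = pkt[ihl:]
    if proto == IPPROTO_ESP and len(payload) >= 8:
        # Plain ESP: SPI first, then sequence number; no ports anywhere.
        return Verdict("esp", struct.unpack("!I", payload[:4])[0], False)
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        body = payload[8:]
        if NAT_T_PORT in (sport, dport) and len(body) >= 4:
            if body[:4] == b"\x00\x00\x00\x00":     # non-ESP marker => IKE
                return Verdict("udp-ike", None, True)
            return Verdict("udp-esp", struct.unpack("!I", body[:4])[0], True)
        return Verdict("other", None, True)
    return Verdict("other", None, False)


def build_ipv4(proto: int, payload: bytes, src="10.0.0.1", dst="192.0.2.1") -> bytes:
    """Minimal IPv4 header (checksum left at zero) around a payload. Constructed data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


# Constructed samples: raw ESP, the same ESP encapsulated for NAT-T, and NAT-T IKE.
_ESP_BODY = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16   # SPI, seq, dummy data
_UDP_HDR = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + 24, 0)
RAW_ESP = build_ipv4(IPPROTO_ESP, _ESP_BODY)
NAT_T_ESP = build_ipv4(IPPROTO_UDP, _UDP_HDR + _ESP_BODY)
NAT_T_IKE = build_ipv4(IPPROTO_UDP, _UDP_HDR + b"\x00" * 24)
```

Run over a capture from the upstream device's outside interface, a result of "esp" with translatable False is exactly the traffic a PAT device has nothing to rewrite, while "udp-esp" shows NAT-T doing its job.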