Traffic via IPsec getting dropped, even though the proxy ID is up.
Created On 10/20/21 10:11 AM - Last Modified 11/17/25 20:48 PM
Symptom
- Packets are dropped by the firewall even though the VPN is up.
- The traffic matches a proxy ID, and that proxy ID is up.
If you take a flow basic capture for this traffic, you will see logs similar to the following:
Packet enters tunnel encap stage, tunnel interface null
Resolving tunnels in multi-tunnel case for ifp:tunnel.1000
Resolved tunnel 100 via IPSec proxy ID match
Tunnel 100 not active, to activate tunnel
Environment
All PAN-OS versions
Cause
Example: suppose you have two proxy IDs configured in this order:
1) 12.12.12.0/24 ---- 15.15.15.0/24
2) 12.12.12.1/32 ---- 15.15.15.1/32
The second proxy ID is up and the first proxy ID is down:
admin@TEST-1(active)> show vpn flow name vpn:first
(output omitted)
protocol: ESP
auth algorithm: NOT ESTABLISHED
enc algorithm: NOT ESTABLISHED
proxy-id:
local ip: 12.12.12.0/24
remote ip: 15.15.15.0/24
protocol: 0
local port: 0
remote port: 0
admin@TEST-VM-1(active)> show vpn flow name vpn:second
(output omitted)
protocol: ESP
auth algorithm: SHA1
enc algorithm: AES128
proxy-id:
local ip: 12.12.12.1/32
remote ip: 15.15.15.1/32
protocol: 0
local port: 0
remote port: 0
When you send traffic from 12.12.12.1 to 15.15.15.1, the firewall evaluates the proxy IDs top-down and stops at the first match. That is the first proxy ID (12.12.12.0/24 ---- 15.15.15.0/24), whose tunnel is down, so the packet is dropped even though the second proxy ID, which also covers this traffic, is up.
Resolution
- On the Palo Alto Networks firewall, proxy IDs are matched top-down and the first match wins. When proxy IDs overlap, place the more specific proxy ID (the one with the longer prefix length, /32 in the example) above the broader one (/24); in the example, move 12.12.12.1/32 ---- 15.15.15.1/32 above 12.12.12.0/24 ---- 15.15.15.0/24. After the commit, confirm with show vpn flow name vpn:<name> that the proxy ID the traffic now resolves to shows negotiated auth and enc algorithms rather than NOT ESTABLISHED.
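To make the ordering rule concrete, here is an added Python example (not part of the original article and not the firewall's own code) that simulates the top-down, first-match proxy-ID lookup described in the Cause section and flags overlapping proxy IDs listed in the wrong order. The proxy-ID table is constructed from the article's example; the tunnel names "first" and "second" and their up/down states are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed from the article's example; this is not a real config export.
# Each entry: (tunnel name, local proxy-ID subnet, remote proxy-ID subnet, tunnel up?)
ProxyId = Tuple[str, str, str, bool]

# Misordered table from the article: the broad /24 (down) shadows the /32 (up).
PROXY_IDS_BAD: List[ProxyId] = [
    ("first", "12.12.12.0/24", "15.15.15.0/24", False),
    ("second", "12.12.12.1/32", "15.15.15.1/32", True),
]

# Corrected table per the Resolution: the more specific /32 is listed first.
PROXY_IDS_GOOD: List[ProxyId] = [PROXY_IDS_BAD[1], PROXY_IDS_BAD[0]]


def resolve_tunnel(proxy_ids: List[ProxyId], src: str, dst: str) -> Optional[Tuple[str, bool]]:
    """Top-down, first-match proxy-ID lookup, as the article describes it.

    Returns (tunnel name, tunnel is up) for the first entry whose local and
    remote subnets contain src/dst, or None if nothing matches.
    """
    s, d = ip_address(src), ip_address(dst)
    for name, local, remote, up in proxy_ids:
        if s in ip_network(local) and d in ip_network(remote):
            return name, up
    return None


def forwarding_decision(proxy_ids: List[ProxyId], src: str, dst: str) -> str:
    """Mirror the flow basic log: a match on an inactive tunnel is a drop."""
    hit = resolve_tunnel(proxy_ids, src, dst)
    if hit is None:
        return "no-proxy-id-match"
    name, up = hit
    return f"encap via {name}" if up else f"drop: tunnel {name} not active"


def shadowed_proxy_ids(proxy_ids: List[ProxyId]) -> List[Tuple[str, str]]:
    """Find (later, earlier) pairs where a more specific proxy ID sits below a
    broader one that fully covers it; the later entry can never be matched."""
    shadowed = []
    for i, (name_i, local_i, remote_i, _) in enumerate(proxy_ids):
        li, ri = ip_network(local_i), ip_network(remote_i)
        for name_j, local_j, remote_j, _ in proxy_ids[:i]:
            if li.subnet_of(ip_network(local_j)) and ri.subnet_of(ip_network(remote_j)):
                shadowed.append((name_i, name_j))
    return shadowed


def reorder_most_specific_first(proxy_ids: List[ProxyId]) -> List[ProxyId]:
    """Stable sort by combined prefix length, longest first, so that a nested
    (more specific) proxy ID always precedes the broader one covering it.
    Partially overlapping entries that do not nest are left in relative order
    and still need manual review."""
    return sorted(
        proxy_ids,
        key=lambda e: -(ip_network(e[1]).prefixlen + ip_network(e[2]).prefixlen),
    )


if __name__ == "__main__":
    for label, table in (("misordered", PROXY_IDS_BAD), ("corrected", PROXY_IDS_GOOD)):
        print(f"{label}: 12.12.12.1 -> 15.15.15.1 :", forwarding_decision(table, "12.12.12.1", "15.15.15.1"))
        print(f"{label}: shadowed entries        :", shadowed_proxy_ids(table))
    print("suggested order:", [e[0] for e in reorder_most_specific_first(PROXY_IDS_BAD)])
```

Run shadowed_proxy_ids against your own proxy-ID list (exported in the same tuple shape) before committing; any pair it reports is an entry that will match the flow basic line "Tunnel ... not active" whenever the broader tunnel above it is down.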