Comprehensive Troubleshooting Guide for IPsec Tunnel Issues


10043
Created On 04/11/25 20:49 PM - Last Modified 05/16/25 16:42 PM


Objective


  • Ensure the successful establishment of the IPsec tunnel

  • Maintain tunnel stability and uptime

  • Verify bidirectional traffic flow through the tunnel



Environment


  • NGFW
  • IPsec tunnel


Procedure


  1. Initial Checks
    1. Verify the IPsec Tunnel Configuration: Ensure that the IKE Gateway, IPsec Tunnel, and the corresponding security policies and routes are correctly configured on both ends.
    2. Confirm that Phase 1 (IKE SA) is established. Use the CLI command: 
      > show vpn ike-sa
    3. Confirm that Phase 2 (IPsec SA) is established. Use the CLI command:
      > show vpn ipsec-sa
    4. Check Peer IP Reachability: Use ping or traceroute to validate connectivity between the two gateway IPs of the IPsec tunnel.
  2. Common Issues and Root Causes
    1. Tunnel Fails to Establish (Tunnel Down)
      1. Incorrect or mismatched pre-shared key (PSK). Refer to Pre-shared Key Mismatch.
      2. Mismatched IKE or IPsec parameters (encryption, authentication, DH group, lifetime).
      3. Incorrect local/peer identification.
      4. Firewall blocking IKE or ESP traffic. Verify that firewalls on the path allow IPsec traffic (UDP port 500 for IKE, UDP port 4500 for NAT-T, and IP protocol number 50 for ESP).
      5. Interface binding or routing issues.
      6. NAT-T not enabled when required: If the IPsec tunnel is configured between two PAN-FWs and there is a NAT device in between, enable NAT Traversal (NAT-T) on both sides of the tunnel, then refer to IPSec VPN Tunnel with NAT Traversal. If the tunnel is configured between a PAN-FW and a Cisco ASA with a NAT device in between, enable NAT-T and also make sure the Cisco ASA has the NAT-T port 4500/udp open.
    2. Tunnel Established, But No Traffic Passes
      1. Incorrect or missing proxy-ID configuration. 
      2. Incorrect security policies (missing or too restrictive).
      3. Incorrect routing entries (static or dynamic).
      4. Replay protection dropping packets. Check whether a zone protection profile is applied to the zone of the tunnel's outer interface on both firewalls under Network > Zone, and if so, whether packet-based attack protection with Strict IP Address is checked for that zone profile under Network > Network Profiles > Zone Protection. If it is, test disabling that check and committing the change to see whether it fixes the problem.
      5. MTU mismatch or fragmentation issues. An MTU (Maximum Transmission Unit) mismatch can cause packet fragmentation problems; adjust the MTU size if needed.
      6. NAT-T issues.
      7. Session not being created. Use the CLI command: 
        > show session all
    3. Traffic Flows in Only One Direction
      1. Asymmetric routing.
      2. Missing return route or reverse security policy.
      3. Firewall or upstream device dropping return packets.
      4. Incomplete session setup.
      5. NAT devices modify only one direction of traffic.
  3. CLI Commands, Logs, & Packet Capture
    1. Troubleshooting Site-to-Site VPN using CLI.
    2. IPsec tunnel logs can be found in the IKE manager log. Use the CLI:
      > less mp-log ikemgr.log

      or the system log. Use the UI (Monitor > Logs > System) or the CLI:

      > show log system direction equal backward
    3. Perform a packet capture: To capture IPsec VPN negotiation and NAT Traversal traffic, collect packet captures for UDP port 500 (used by IKE), UDP port 4500 (used by NAT-T), and ESP (IP protocol 50). Set the filters using the UI or the following CLI commands:
      debug dataplane packet-diag set filter match source <Gateway Local IP> destination <Gateway Peer IP> destination-port 500 protocol 17
      debug dataplane packet-diag set filter match source <Gateway Peer IP> destination <Gateway Local IP> destination-port 500 protocol 17
      debug dataplane packet-diag set filter match source <Gateway Local IP> destination <Gateway Peer IP> protocol 50
      debug dataplane packet-diag set filter match source <Gateway Peer IP> destination <Gateway Local IP> protocol 50
      Replace 500 with 4500 when NAT-T is enabled.
      Refer to the Packet Capture document to complete the rest of the settings and perform the packet capture. 
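      As an added example (not part of this article or of PAN-OS), the Python helper below applies three of the checks above: it compares the two peers' IKE/IPsec proposals field by field (step 2.1.2), verifies that every local proxy-ID has a mirrored entry on the peer (step 2.2.1), and builds the bidirectional packet-diag filter commands for IKE/NAT-T and ESP (step 3.3). All IPs, subnets and proposal values are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proposal:
    encryption: str
    authentication: str
    dh_group: str
    lifetime_sec: int

@dataclass(frozen=True)
class ProxyId:
    local: str             # local subnet as this side sees it
    remote: str            # remote subnet as this side sees it
    protocol: str = "any"

def compare_proposals(phase, local, peer):
    """List each IKE or IPsec parameter that differs between the two peers."""
    diffs = []
    for field in ("encryption", "authentication", "dh_group", "lifetime_sec"):
        mine, theirs = getattr(local, field), getattr(peer, field)
        if mine != theirs:
            diffs.append(f"{phase} {field}: local={mine} peer={theirs}")
    return diffs

def unmatched_proxy_ids(local_ids, peer_ids):
    """A proxy-ID only matches if the peer carries it with local/remote swapped."""
    mirrored = {(p.remote, p.local, p.protocol) for p in peer_ids}
    return [p for p in local_ids if (p.local, p.remote, p.protocol) not in mirrored]

def capture_filters(local_ip, peer_ip, nat_t=False):
    """Build the packet-diag filter commands from the procedure, in both directions."""
    port = 4500 if nat_t else 500   # IKE on UDP/500; UDP/4500 once NAT-T is in use
    cmds = []
    for src, dst in ((local_ip, peer_ip), (peer_ip, local_ip)):
        cmds.append(f"debug dataplane packet-diag set filter match source {src} "
                    f"destination {dst} destination-port {port} protocol 17")
    for src, dst in ((local_ip, peer_ip), (peer_ip, local_ip)):
        cmds.append(f"debug dataplane packet-diag set filter match source {src} "
                    f"destination {dst} protocol 50")
    return cmds

if __name__ == "__main__":
    # Constructed sample values: the peer has SHA1 where the local side has SHA256.
    print(compare_proposals("IKE", Proposal("aes-256-cbc", "sha256", "group14", 28800),
                            Proposal("aes-256-cbc", "sha1", "group14", 28800)))
    print(unmatched_proxy_ids([ProxyId("10.1.0.0/24", "192.168.5.0/24")],
                              [ProxyId("192.168.5.0/24", "10.1.1.0/24")]))
    for cmd in capture_filters("203.0.113.10", "198.51.100.20", nat_t=True):
        print(cmd)
```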
  • For more information about how to troubleshoot an IPsec tunnel, refer to:



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000TN3fKAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail