How to Troubleshoot VPN Connectivity Issues | Palo Alto Networks Live
3/25/15, 6:00 AM
How to Troubleshoot VPN Connectivity Issues
Version 8
created by kprakash on Aug 28, 2012 2:37 PM, last modified by panagent on Jan 15, 2015 6:25 PM
Phase 1

- Try pinging the peer IP from the PA external interface. This rules out ISP-related issues. Ensure that pings are enabled on the peer's external interface.
- If pings have been blocked per security requirements, check whether the other peer is responding to the main/aggressive mode messages, or to the DPDs (check for responses to the "Are you there?" messages from the peer in the system logs under the Monitor tab, or in the ikemgr logs).
- Check whether the IKE identity is configured correctly.
- Check that a policy is in place to permit the IKE and IPSec applications. Usually this policy is not required if there is no clean-up rule configured on the box. If a clean-up rule is configured, the policy is usually configured from the external zone to the external zone.
- Check that the proposals are correct. If they are incorrect, logs about the mismatch can be found under the system logs, or with the command:
  > less mp-log ikemgr.log
- Check that the pre-shared key is correct. If it is incorrect, logs about the mismatch can be found under the system logs, or with the same command.
- Take packet captures to analyze the traffic. Use filters to narrow the scope of the captured traffic.

Useful commands:
> show vpn ike-sa gateway <gateway name>
> test vpn ike-sa gateway <gateway name>
> debug ike stat

Advanced commands:
For detailed logging, turn the logging level up to "debug":
> debug ike global on debug
> less mp-log ikemgr.log

To view the main/aggressive mode and quick mode negotiations, pcaps can be turned on to capture these negotiations. Note that messages 5 and 6 onwards in main mode, and all packets in quick mode, have their data payload encrypted.
> debug ike pcap on
> view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap

Turn off the debugs:
> debug ike pcap off

https://live.paloaltonetworks.com/docs/DOC-3671
Page 1 of 4
Configuring packet filters and captures restricts the pcaps to the tunnel being worked on; "debug ike pcap on" shows pcaps for all VPN traffic.

To check whether NAT-T is enabled: if it is, the packets are on UDP port 4500 instead of 500 from the 5th and 6th messages of main mode onwards.

Check that the vendor ID of the peer is supported on our box, and vice versa.

Phase 2

- Check whether the firewalls are negotiating the tunnels, and ensure that two unidirectional SPIs exist:
  > show vpn ipsec-sa
  > show vpn ipsec-sa tunnel <tunnel name>
- Check that the proposals are correct. If they are incorrect, logs about the mismatch can be found under the system logs under the Monitor tab, or with the command:
  > less mp-log ikemgr.log
- Check that PFS is enabled on both ends. If there is a mismatch, logs about it can be found under the system logs under the Monitor tab, or with the same command.
- Check the proxy-ID configuration. This is usually not required when the tunnel is between two Palo Alto Networks firewalls, but when the peer is from another vendor, IDs usually need to be configured. A mismatch would be indicated under the system logs, or with the command:
  > less mp-log ikemgr.log

Useful commands:
> show vpn flow name <tunnel name>
> show vpn flow name <tunnel name> | match bytes
  Check whether the encapsulation and decapsulation bytes are increasing. If the firewall is passing traffic fine, both of these values should be increasing.
  If the encapsulation bytes are increasing and decapsulation is constant, the firewall is sending packets but not receiving them: check that no policy is dropping the traffic, and whether there is a port-translating device in front of the PAN that might be dropping the ESP packets.
  If the decapsulation bytes are increasing and encapsulation is constant, the firewall is receiving packets but not transmitting: check that no policy is dropping the traffic.
> test routing fib-lookup virtual-router default ip <destination IP>
-------------------------------------------------------------------------------
runtime route lookup
-------------------------------------------------------------------------------
virtual-router:   default
destination:      10.5.1.1
result:
  interface tunnel.1
> show routing route
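As an added example (not from the original article or from Palo Alto Networks), the following Python applies the encapsulation/decapsulation byte-counter reasoning above to two snapshots of "show vpn flow name <tunnel name> | match bytes" taken a few seconds apart, and adds a fourth case the article does not spell out: neither counter moving. The sample output lines are constructed to resemble the firewall's counter lines and are not real captures; the exact "encap bytes:"/"decap bytes:" line format is an assumption.

```python
import re

# Constructed sample output, modelled on two consecutive runs of
# "> show vpn flow name <tunnel name> | match bytes" a few seconds apart.
# Made-up values; the "encap bytes:"/"decap bytes:" line format is an assumption.
SNAPSHOT_FIRST = """\
        encap bytes:            104200
        decap bytes:            98760
"""
SNAPSHOT_SECOND = """\
        encap bytes:            131600
        decap bytes:            98760
"""

COUNTER_RE = re.compile(r"^\s*(encap|decap) bytes:\s*(\d+)\s*$", re.MULTILINE)


def parse_counters(output):
    """Return {'encap': int, 'decap': int} from one '| match bytes' snapshot."""
    found = {name: int(value) for name, value in COUNTER_RE.findall(output)}
    missing = {"encap", "decap"} - found.keys()
    if missing:
        raise ValueError(f"counters not found in output: {sorted(missing)}")
    return found


def diagnose(first, second):
    """Map the direction(s) in which the counters moved to the article's checks."""
    encap_up = second["encap"] > first["encap"]
    decap_up = second["decap"] > first["decap"]
    if encap_up and decap_up:
        return "ok: both counters increasing, the firewall is passing traffic"
    if encap_up:
        # Sending but not receiving: look at the peer side, and for a
        # port-translating device in front of the firewall dropping ESP.
        return "sending-only: check policy and for a port-translating device dropping ESP"
    if decap_up:
        # Receiving but not transmitting: look at local policy and routing.
        return "receiving-only: check security policy and routing towards the tunnel"
    return "idle: neither counter moved, no traffic is reaching the tunnel on either side"


if __name__ == "__main__":
    first = parse_counters(SNAPSHOT_FIRST)
    second = parse_counters(SNAPSHOT_SECOND)
    print(diagnose(first, second))
```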
Advanced commands:
> debug ike global on debug
> less mp-log ikemgr.log
> debug ike pcap on
> view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap
> debug ike pcap off

If the tunnels are up but traffic is not passing through the tunnel:
- Check the security policy and/or routing.
- Check whether there is a port address translating device in front of the PAN that is translating ports. ESP packets do not carry port numbers; ESP is a layer 3 protocol. When such a device sees ESP packets without ports, it will drop them.
- Apply debug packet filters, captures or logs as necessary to isolate where the traffic is being dropped.

owner: kprakash
Categories: VPN
Tags: vpn, ipsec, ike
5 Comments

MattJamison Nov 6, 2014 5:41 AM
@firewall> less mp-log ikemgr
/var/log/pan/ikemgr: No such file or directory

Any ideas? Trying to get a tunnel up between my PA-200 running 6.1 and a VYOS box, it seems like there is absolutely no traffic passing, even though if I remove the VYOS host from my allow vpn rule, I'm seeing lots of deny messages, but once I allow, no more messages.
jdelio Nov 6, 2014 1:04 PM (in response to MattJamison)
I am sorry, the documentation was off just slightly. The command needs to read:
> less mp-log ikemgr.log
If ever in doubt, use "tab" as it will autocomplete via the CLI. Please try that and see if that provides you with any more information.