Hey Guys,
Looking for anywhere to look that I may have missed with this one.
I have an IPSec Mesh VPN setup using multiple PAN devices.
Site A as an example is a single virtual sys, single virtual router,
Site B is the problem site, which has 2 virtual routers on a single virtual sys.
OSF-PHQ works, running on virtual router 1.
OSF-DMZ works for 1 packet, and then stops working.
Every time I run a "test vpn ike-sa gateway DMZ-OSF", ping packets work for a single packet.
You can see from the sequence numbers how it wasn't working between 11:10:02 (seq 78) and 11:45:23 (seq 2150).
There are additional PA firewalls between the DMZ->OSF and PHQ->OSF, however there are no blocks shown on these firewalls. Whenever I run the "test vpn ike-sa gateway DMZ-OSF", I can see the ESP traffic on the firewall in between, which is all allowed.
This Mesh VPN was running previously using a Checkpoint Community VPN and no firewall rules/routing was changed. No blocks being seen, etc.
DH groups, keys have been checked. We have tried different authentication types, DH groups, IPSec crypto suites, etc..
There is no Maximum Lifesize set on the tunnels
We have static routes configured.
Running a test shows the correct tunnel interface on both ends.
I am at a complete loss in terms of what else we can check. I am waiting for a response from PA support, but just in case anyone here has seen similar behaviour, I thought I'd ask.
Cheers
First off, are you running IKEv1 or IKEv2? (If 2, try 1.)
Do you have overlapping IP subnets on either side (A-B), or between the two IKE gateways on site B?
Have you set up packet-diag filters already and examined the global counters to see if anything 'fishy' popped up?
debug dataplane packet-diag set filter match source x.x.x.x destination y.y.y.y
debug dataplane packet-diag set filter match source y.y.y.y destination x.x.x.x
debug dataplane packet-diag set filter on
show counter global filter delta yes packet-filter yes
(run that last command a few times during testing)
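The reply above says to run the delta counter command a few times while the filter is on. Since each run only shows the counters that moved since the previous sample, it helps to collect the output of every run and add them up, then look only at the drop/error rows. The script below is an added example for doing that offline; it is not from this thread and not a Palo Alto tool. The two "runs" embedded in it are constructed sample output in the column layout PAN-OS prints (name, value, rate, severity, category, aspect, description); the counter values are made up, and the rows are only meant to illustrate the parsing, not to say what this particular tunnel is hitting.

```python
"""Triage helper for repeated runs of
'show counter global filter delta yes packet-filter yes' (PAN-OS CLI).

Added example, not from the original thread or from Palo Alto Networks.
Paste the text of each run into SAMPLE_RUNS (or read files) and the script
sums every counter across runs and lists the drop/error ones first.
"""
import re
from collections import defaultdict

# One data row of the counter table: name, value, rate, severity, category,
# aspect, then a free-text description.  Header and separator lines do not
# match because their second column is not numeric.
COUNTER_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_]+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>info|warn|drop|error)\s+(?P<category>\S+)\s+(?P<aspect>\S+)\s+"
    r"(?P<description>.*\S)\s*$"
)

# Constructed sample: two successive delta runs while the packet filter is on.
# Values are invented for the example; the layout mirrors the CLI output.
SAMPLE_RUNS = [
    """\
Global counters:
Elapsed time since last sampling: 4.121 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                                  12        2 info      packet    pktproc   Packets received
pkt_sent                                   6        1 info      packet    pktproc   Packets transmitted
flow_fwd_l3_noroute                        4        1 drop      flow      forward   Packets dropped: no route to destination
--------------------------------------------------------------------------------
Total counters shown: 3
--------------------------------------------------------------------------------
""",
    """\
Global counters:
Elapsed time since last sampling: 5.004 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                                   9        2 info      packet    pktproc   Packets received
flow_fwd_l3_noroute                        3        0 drop      flow      forward   Packets dropped: no route to destination
flow_policy_deny                           1        0 drop      flow      session   Session setup: denied by policy
--------------------------------------------------------------------------------
Total counters shown: 3
--------------------------------------------------------------------------------
""",
]


def parse_counters(text):
    """Return the data rows of one command run as a list of dicts."""
    rows = []
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            row = m.groupdict()
            row["value"] = int(row["value"])
            row["rate"] = int(row["rate"])
            rows.append(row)
    return rows


def aggregate_runs(runs):
    """Sum each counter's delta value across all runs, keeping its metadata."""
    agg = defaultdict(lambda: {"total": 0})
    for rows in runs:
        for row in rows:
            entry = agg[row["name"]]
            entry["total"] += row["value"]
            for key in ("severity", "category", "aspect", "description"):
                entry[key] = row[key]
    return dict(agg)


def suspicious_counters(runs, severities=("drop", "error")):
    """Counters with drop/error severity, largest total first."""
    agg = aggregate_runs(runs)
    picked = [
        (name, e["total"], e["severity"], e["description"])
        for name, e in agg.items()
        if e["severity"] in severities
    ]
    return sorted(picked, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    runs = [parse_counters(t) for t in SAMPLE_RUNS]
    print(f"{'counter':<28}{'total':>7}  sev    description")
    for name, total, sev, desc in suspicious_counters(runs):
        print(f"{name:<28}{total:>7}  {sev:<6} {desc}")
```

In practice replace SAMPLE_RUNS with the pasted output of each run; counters that keep climbing in the drop/error rows across runs point at where the single-packet behaviour is being decided, whereas rows that only ever appear once are usually noise from the filter being switched on.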