I tried to link up two network machines, a Cisco router and a Palo Alto firewall, with PBR, but it failed.
Here is my test setup.
Cisco:
・int 0: vlan 99: 192.168.99.254/24
・int f8: 10.10.10.1/24
・int tunnel 1 (route-based IPsec): 192.168.1.1/24, source: 10.10.10.1, destination: 10.10.10.2
・ip route 0.0.0.0 0.0.0.0 tunnel 1
Palo:
・int f7: 192.168.10.254/24
・int f8: 10.10.10.2/24
・int tunnel 1 (route-based IPsec): 192.168.1.2/24, source: 10.10.10.2, destination: 10.10.10.1
・policy any any any
・routing: 192.168.99.0/24 via tunnel 1
Both the tunnel and the IPsec auth status are up.
Pings from the PC (192.168.10.1):
・to 192.168.10.254: ok
・to 10.10.10.2: ok
・to 10.10.10.1: ng
・to 192.168.1.2: ok
・to 192.168.1.1: ok
・to 192.168.99.254: ok
・to the PC (192.168.99.1): ok
I want to test a function.
I tried to add a PBR profile to my Palo so that if the traffic is from 192.168.99.0/24 (LAN) to 192.168.99.0/24 (LAN), it won't go via the IPsec tunnel but directly to 10.10.10.1 from 10.10.10.2, while all the return traffic from the Cisco goes via the IPsec tunnel.
But it failed.
Why can't I ping the original source address?
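The situation described above (forward traffic steered by PBR onto the underlay, return traffic following the static route into the tunnel) is a textbook asymmetric path, and a stateful firewall drops or never completes a session whose two directions arrive on different interfaces. The following is an added example, not code from the post or from either vendor: a small Python model of the two devices' forwarding decisions (PBR first, then longest-prefix match over connected networks and the static routes given in the post) that traces the request and the reply of a flow and reports whether they take the same kind of path. The PBR rule on the Palo is an assumption, since the post's wording is ambiguous; it is read here as "PC subnet to 10.10.10.1 bypasses the tunnel". The model generalizes to any source/destination pair in the topology, not only the failing ping.

```python
import ipaddress


def in_net(ip, prefix):
    """True if ip falls inside prefix (CIDR string)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


# Constructed model of the two devices described in the post. Static routes in the
# post all point at tunnel 1, so a route's next hop is always a tunnel name here.
# The "pbr" entry on the Palo is an ASSUMPTION about what the PBR profile matches:
# (source prefix, destination prefix, next-hop IP).
DEVICES = {
    "cisco": {
        "addresses": {"192.168.99.254", "10.10.10.1", "192.168.1.1"},
        "connected": ["192.168.99.0/24", "10.10.10.0/24", "192.168.1.0/24"],
        "routes": [("0.0.0.0/0", "tunnel1")],   # ip route 0.0.0.0 0.0.0.0 tunnel 1
        "pbr": [],
    },
    "palo": {
        "addresses": {"192.168.10.254", "10.10.10.2", "192.168.1.2"},
        "connected": ["192.168.10.0/24", "10.10.10.0/24", "192.168.1.0/24"],
        "routes": [("192.168.99.0/24", "tunnel1")],
        "pbr": [("192.168.10.0/24", "10.10.10.1/32", "10.10.10.1")],  # assumed rule
    },
}
TUNNEL_PEER = {"cisco": "palo", "palo": "cisco"}


def owner_of(ip):
    """Name of the device holding this address on an interface, or None."""
    for name, dev in DEVICES.items():
        if ip in dev["addresses"]:
            return name
    return None


def ingress_device(ip):
    """Device whose directly attached network contains ip (the host's gateway)."""
    return owner_of(ip) or next(
        name for name, dev in DEVICES.items()
        if any(in_net(ip, p) for p in dev["connected"]))


def next_hop(name, src, dst):
    """PBR is evaluated before the routing table; then longest-prefix match
    over connected networks and static routes."""
    dev = DEVICES[name]
    for s, d, nh in dev["pbr"]:
        if in_net(src, s) and in_net(dst, d):
            return ("via", nh)
    candidates = [(ipaddress.ip_network(p), ("connected", p)) for p in dev["connected"]]
    candidates += [(ipaddress.ip_network(p), ("tunnel", nh)) for p, nh in dev["routes"]]
    matches = [(n, hop) for n, hop in candidates if ipaddress.ip_address(dst) in n]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(src, dst):
    """Hop-by-hop path from src to dst: device names, 'tunnel1' where the packet
    is encapsulated, and the final delivery point."""
    name = ingress_device(src)
    hops = [name]
    for _ in range(8):                       # loop guard
        if dst in DEVICES[name]["addresses"]:
            return hops                      # delivered to the device itself
        hop = next_hop(name, src, dst)
        if hop is None:
            return hops + ["unreachable"]
        kind, value = hop
        if kind == "connected":
            return hops + [owner_of(dst) or f"host:{dst}"]
        if kind == "tunnel":
            name = TUNNEL_PEER[name]
            hops += [value, name]
        else:                                # "via": hand to the device owning the next-hop IP
            name = owner_of(value)
            hops.append(name)
    return hops + ["loop"]


def uses_tunnel(hops):
    return "tunnel1" in hops


def symmetric(src, dst):
    """True when the request and the reply both use, or both avoid, the tunnel."""
    return uses_tunnel(trace(src, dst)) == uses_tunnel(trace(dst, src))


if __name__ == "__main__":
    for src, dst in [("192.168.10.1", "10.10.10.1"), ("192.168.10.1", "192.168.99.1")]:
        print(f"{src} -> {dst}: {trace(src, dst)}")
        print(f"{dst} -> {src}: {trace(dst, src)}")
        print("symmetric" if symmetric(src, dst) else "ASYMMETRIC", "\n")
```

For the failing ping the forward path is palo -> cisco on the underlay, while the reply leaves the Cisco through tunnel 1 (its only route to 192.168.10.0/24 is the default route) and reaches the Palo on the tunnel interface; the LAN-to-LAN flow to 192.168.99.1 uses the tunnel in both directions and is reported symmetric. Checking the Palo's session table for the flow (and its ingress/egress interfaces) is the corresponding real-world test.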