05-20-2015 10:05 AM - last edited on 03-25-2019 03:44 PM by ciscomoderator
I have created an IPsec tunnel between a Cisco router and a Palo Alto firewall. I am dropping significant packets on the tunnel; however, going to the gig interface 0/0 there is no packet loss. How can I resolve this issue?
interface Tunnel1
 description GRE/IPSEC Tunnel to Duluth,Ga
 ip unnumbered Loopback0
 ip mtu 1428
 ip tcp adjust-mss 1388
 tunnel source GigabitEthernet0/0
 tunnel destination 209.60.243.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Aberdeen
05-21-2015 10:29 AM
Hello,
To isolate the issue, we could follow the steps below.
1. Remove the IPsec config from the tunnel and ping the tunnel destination IP, using the tunnel source as the source IP.
a. If there are any drops, trace to the tunnel destination IP, using the tunnel source as the source.
b. Ping each hop in the trace path, using the tunnel source as the source.
c. This will identify the hop at which the drops first start, and accordingly find whether there is an issue with any link in the path.
d. The same needs to be checked for the reverse trace until we identify the hop.
2. If the packet drops get resolved after removing the IPsec configuration, it means there is some issue with the IPsec config.
Let me know once you have performed Step 1.
Thanks,
Mohit
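The hop-by-hop isolation in step 1 above, as an added example that is not part of the thread: it parses the output a Cisco IOS router returns for `traceroute <dst> source GigabitEthernet0/0` and `ping <hop> source GigabitEthernet0/0 repeat 50`, and reports the first hop where loss appears. The router output below is constructed for the example; the hop addresses, the loss figures and the `threshold` parameter are assumptions.

```python
import re

# Constructed IOS traceroute output (not from the thread): four hops from
# the tunnel source toward the tunnel destination 209.60.243.10.
SAMPLE_TRACE = """\
Tracing the route to 209.60.243.10
  1 192.0.2.1 4 msec 4 msec 4 msec
  2 198.51.100.9 8 msec 8 msec 12 msec
  3 198.51.100.77 20 msec * 24 msec
  4 209.60.243.10 28 msec 28 msec 32 msec
"""

# Constructed IOS ping summaries for each hop, pinged with the tunnel
# source as the source address (step 1b of the reply).
SAMPLE_PINGS = {
    "192.0.2.1":     "Success rate is 100 percent (50/50), round-trip min/avg/max = 1/2/4 ms",
    "198.51.100.9":  "Success rate is 100 percent (50/50), round-trip min/avg/max = 4/8/12 ms",
    "198.51.100.77": "Success rate is 84 percent (42/50), round-trip min/avg/max = 20/24/40 ms",
    "209.60.243.10": "Success rate is 82 percent (41/50), round-trip min/avg/max = 28/30/44 ms",
}

HOP_RE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)")
RATE_RE = re.compile(r"Success rate is (\d+) percent \((\d+)/(\d+)\)")


def parse_hops(trace_output):
    """Return the ordered list of hop IPs found in IOS traceroute output."""
    return [m.group(2) for line in trace_output.splitlines()
            if (m := HOP_RE.match(line))]


def loss_percent(ping_output):
    """Packet loss in percent, taken from the IOS 'Success rate is ...' line."""
    m = RATE_RE.search(ping_output)
    if not m:
        raise ValueError("no 'Success rate' line in ping output")
    received, sent = int(m.group(2)), int(m.group(3))
    return round(100 * (sent - received) / sent)


def first_lossy_hop(hops, ping_results, threshold=0):
    """Step 1c: walk the hops in path order and return the first one whose
    loss exceeds threshold percent; None means the whole path pinged clean."""
    for hop in hops:
        if loss_percent(ping_results[hop]) > threshold:
            return hop
    return None
```

Run the reverse trace from the far end the same way (step 1d), since the lossy link may only show on the return path.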
05-28-2015 03:44 AM
Good Day Mohit,
Thank you for your response. We figured out the issue: we changed the dead peer timer on the Palo Alto firewall and it resolved the issue. The Palo Alto was constantly rekeying the ISAKMP SA; we increased the Dead Peer Interval retries to 100 to resolve the problem.