WRVS4400N and Palo Alto Network Firewall

Posted on 2011-03-21
Last Modified: 2012-05-11
Hello Experts,
In my main site I have a Palo Alto Network Firewall (PAN) and in my branch site I have a WRVS4400N. I set up the VPN tunnel between the two sites, and both sites are up. However, I cannot ping the internal IP address of either site, so from the main site I cannot ping the branch site and from the branch site I cannot ping the main site.
I allow ping on the firewall, so I know this is not the problem; I have another VPN connection to a third site that works with no problems.
In addition, I cannot get to any internal sites from the new branch site.
The difference between branch site 1 (that works) and branch 2 (that does not work) is that in branch 1 I also have a PAN.
Any idea what the problem can be?
Thank you
Roy
Question by:rfinaly
5 Comments
 

Expert Comment

by:TomRScott
ID: 35185460
The assumption I'm going on here is that both firewalls indicate that the VPN is up and functional. Is that correct?

Did you try pinging step by step for all points in between?

That is, from a Branch client:

1. Ping BranchGW private IP
2. Ping BranchGW public IP
3. Ping MainGW public IP (however, your MainGW or firewall may block outside ICMP, so lost packets are not conclusive of anything here).
4. Ping MainGW private IP

Then from the main site try the opposite and post the results.

 - Tom

Author Comment

by:rfinaly
ID: 35185552
Thank you for your response.
Yes, the VPN tunnels are up; I can see that in the interface and in the logs of both firewalls.
From the branch site I get no reply from any of my private IPs, including the main IP.
I get a reply from the public gateway and from the public VPN IP I am using.

From the main site, I get no reply from the private IP of the branch site.
I do get a reply when pinging the public IP address of the branch site VPN tunnel, and I also get a reply from the public gateway IP.
Thanks
Roy

Author Comment

by:rfinaly
ID: 35185719
Also, I would like to add that there is no DNS server in the branch site. Not sure if that will make any difference.
Roy

Accepted Solution

by:TomRScott (earned 2000 total points)
ID: 35193841
Regarding DNS, if you are pinging addresses as opposed to host names, DNS does not matter.

Regarding the pinging itself, assuming you pinged by address and not host name, can you provide the responses, step by step, for the procedure below?

From a Branch site 2 computer:

1. Ping a local computer
   Result:
2. Ping private ADDRESS of local gateway/firewall
   Result:
3. Ping PRIVATE address of Main gateway/firewall
   Result:
4. Ping computer in Main
   Result:

From a Main site computer:

1. Ping a local computer
   Result:
2. Ping private ADDRESS of local gateway/firewall
   Result:
3. Ping PRIVATE address of Branch 2 gateway/firewall
   Result:
4. Ping computer in Branch 2
   Result:

I think I know what the results will be, but we should be absolutely sure.

Off hand, I would guess that you have one of three problems:

Either the Branch 2 firewall is not quite compatible with your PAN firewalls for site-to-site VPN links;
Or, routing is not set up correctly (a common issue, and where I think your issue lies);
Or, something else, yet to be determined in the VPN tunnel setup itself. Most likely, on the Branch 2 firewall.

Another question and a diagnostic to go with it:
Do you have ONLY ONE gateway at each site?

Specifically is the Branch 2 gateway/firewall the ONLY access outside of the local network?

Diagnostic:
From a command prompt, please enter the following commands, copy the output and post it.

route print
ipconfig /all

If you wish, for security's sake, change the third octet of the addresses in the output to "X".

 - Tom

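The ping ladder from the accepted answer, turned into a small script that runs the four rungs by address and names the fault domain the first failure points to. This is an added example, not code from the thread; the addresses are constructed RFC 5737 samples, and the rung-to-fault mapping in diagnose() is my reading of the discussion (including the final PAN policy/NAT outcome), not a rule the answer states.

```python
import platform
import subprocess
from typing import Callable, List, Tuple

# The four rungs from the accepted answer, as seen from a Branch 2 computer.
# Constructed RFC 5737 documentation addresses, not the thread's real ones.
BRANCH2_LADDER: List[Tuple[str, str]] = [
    ("local computer", "192.0.2.20"),
    ("local gateway private", "192.0.2.1"),
    ("remote gateway private", "198.51.100.1"),
    ("remote computer", "198.51.100.20"),
]


def ping_once(host: str, timeout_s: int = 2) -> bool:
    """Send one ICMP echo with the OS ping tool; True if a reply came back."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    done = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return done.returncode == 0


def run_ladder(ladder: List[Tuple[str, str]],
               prober: Callable[[str], bool] = ping_once) -> List[Tuple[str, bool]]:
    """Ping every rung by address (so DNS is out of the picture) and record the outcome."""
    return [(label, prober(ip)) for label, ip in ladder]


def diagnose(results: List[Tuple[str, bool]]) -> str:
    """Map the first unreachable rung to the fault domain the thread associates with it."""
    verdicts = {
        "local computer": "local LAN or client problem; the VPN is not involved yet",
        "local gateway private": "local gateway unreachable: client default route or gateway ACL",
        "remote gateway private": "tunnel routing or remote-side policy: packets never cross "
                                  "the VPN (in this thread it was a missing PAN policy/NAT)",
        "remote computer": "remote LAN or host firewall: the tunnel works up to the remote gateway",
    }
    for label, reachable in results:
        if not reachable:
            return verdicts[label]
    return "all rungs reachable"


if __name__ == "__main__":
    outcome = run_ladder(BRANCH2_LADDER)
    for label, ok in outcome:
        print(f"{label:24s} {'reply' if ok else 'no reply'}")
    print("verdict:", diagnose(outcome))
```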

Author Closing Comment

by:rfinaly
ID: 35226908
Hello,
I was able to resolve the issue; it was the Palo Alto Network Firewall that blocked the connection. I needed to create a policy and a NAT to the other side, and everything started working. Thanks for helping.
Roy