WRVS4400N and Palo Alto Networks Firewall

Posted on 2011-03-21
Last Modified: 2012-05-11
Hello Experts,
In my main site I have a Palo Alto Networks firewall (PAN) and in my branch site I have a WRVS4400N. I set up the VPN tunnel between the two sites and both sites are up. However, I cannot ping the internal IP address of either site, so from the main site I cannot ping the branch site and from the branch site I cannot ping the main site.
I allow ping on the firewall so I know this is not the problem; I have another VPN connection to a third site that works with no problems.
In addition, I cannot get to any internal sites from the new branch site.
The difference between branch site 1 (that works) and branch 2 (that does not work) is that in branch 1 I also have a PAN.
Any idea what the problem can be?
Thank you
Question by: rfinaly
LVL 12

Expert Comment

ID: 35185460
The assumption I'm going on here is that both firewalls indicate that the VPN is up and functional. Is that correct?

Did you try pinging step by step for all points in between?

That is, from a Branch client:

1. Ping BranchGW private IP
2. Ping BranchGW public IP
3. Ping MainGW public IP (however, your MainGW or firewall may block outside ICMP, so lost packets are not conclusive of anything here).
4. Ping MainGW private IP

Then from the main site try the opposite and post the results.

 - Tom

Author Comment

ID: 35185552
Thank you for your response.
Yes, the VPN tunnels are up; I can see that in the interface and in the logs of both firewalls.
From the Branch site, I get no reply from any of my private IPs, which includes the main IP.
I get a reply from the public gateway and the public VPN IP I am using.

From the Main site, I get no reply from the private IP of the branch site.
I do get a reply when pinging the public IP address for the branch site VPN tunnel, and also a reply from the public gateway IP.

Author Comment

ID: 35185719
Also, I would like to add that there is no DNS server in the branch site. Not sure if that will make any difference.
LVL 12

Accepted Solution

TomRScott earned 500 total points
ID: 35193841
Regarding DNS, if you are pinging addresses as opposed to host names, DNS does not matter.

Regarding the pinging itself, assuming you pinged by address and not host name, can you provide the responses, step by step, for the procedure below?

From a Branch site 2 computer:

1. Ping a local computer
2. Ping private ADDRESS of local gateway/firewall
3. Ping PRIVATE address of Main gateway/firewall
4. Ping computer in Main

From a Main site computer:

1. Ping a local computer
2. Ping private ADDRESS of local gateway/firewall
3. Ping PRIVATE address of Branch 2 gateway/firewall
4. Ping computer in Branch 2

I think I know what the results will be, but we should be absolutely sure.

Offhand, I would guess that you have one of three problems:

- Either the Branch 2 firewall is not quite compatible with your PAN firewalls for site-to-site VPN links;
- Or, routing is not set up correctly (a common issue, and where I think your issue lies);
- Or, something else, yet to be determined, in the VPN tunnel setup itself. Most likely, on the Branch 2 firewall.

Another question and a diagnostic to go with it:
Do you have ONLY ONE gateway at each site?

Specifically is the Branch 2 gateway/firewall the ONLY access outside of the local network?

From a command prompt, please enter the following commands, copy the output and post it.

route print
ipconfig /all

If you wish, for security's sake, change the third octet of the addresses in the output to "X".

 - Tom
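The staged ping procedure Tom describes in both of his comments, plus a check of what `route print` says the host will do with a remote-site address, as an added example that is not part of the original thread. It is a Python script written for this page; the `route print` sample is constructed with placeholder addresses, and the `probe` parameter lets the first-failure logic run without a live network.

```python
import ipaddress
import platform
import re
import subprocess

# Constructed sample of the IPv4 "Active Routes" table from Windows `route print`.
# All addresses are placeholders; a real host's table is longer.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.50     25
      192.168.2.0    255.255.255.0         On-link      192.168.2.50    281
     192.168.2.50  255.255.255.255         On-link      192.168.2.50    281
"""
ROUTE_LINE = re.compile(r"^\s*([\d.]+)\s+([\d.]+)\s+(\S+)\s+([\d.]+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples; header/separator lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw, iface, int(metric)))
    return routes

def next_hop(routes, target):
    """Longest-prefix match, ties broken by lower metric: the gateway the host will actually use.
    If a remote-site LAN address resolves to the default gateway, the local firewall must own the
    tunnel (or a static route for the remote subnet is missing)."""
    addr = ipaddress.ip_address(target)
    best = None
    for r in routes:
        if addr in r[0] and (best is None or (r[0].prefixlen, -r[3]) > (best[0].prefixlen, -best[3])):
            best = r
    return best[1] if best else None

STAGES = ["a local computer", "private address of the local gateway",
          "private address of the remote gateway", "a computer at the remote site"]
# What the FIRST failing stage points at, following the reasoning in the thread.
VERDICTS = ["local LAN or the host's own firewall", "local gateway or the host's default route",
            "VPN tunnel, routing, or gateway policy between the sites (the thread's actual cause)",
            "remote gateway's LAN-side policy/NAT or the remote host's own firewall"]

def diagnose(reachable):
    """reachable: four booleans in STAGES order. Returns (failed_stage, verdict)."""
    for i, ok in enumerate(reachable):
        if not ok:
            return STAGES[i], VERDICTS[i]
    return None, "all four stages reachable"

def ping(host, count="1"):
    flag = "-n" if platform.system() == "Windows" else "-c"  # Windows vs. Unix ping syntax
    return subprocess.run(["ping", flag, count, host], stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0

def run_checks(targets, probe=ping):
    """targets: four addresses in STAGES order; probe is injectable for offline testing."""
    return diagnose([probe(t) for t in targets])
```

Run `run_checks([...])` with the four addresses from one site, then repeat from the other site as Tom asks; the verdict names the segment to look at first.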


Author Closing Comment

ID: 35226908
I was able to resolve the issue; it was the Palo Alto Networks firewall that blocked the connection. I needed to create a policy and a NAT to the other side, and everything started working. Thanks for helping.
