WRVS4400N and Palo Alto Network Firewall

Posted on 2011-03-21
Last Modified: 2012-05-11
Hello Experts,
In my main site I have a Palo Alto Network Firewall (PAN) and in my branch site I have a WRVS4400N. I set up the VPN tunnel between the two sites, and both sites are up. However, I cannot ping the internal IP address of either site: from the main site I cannot ping the branch site, and from the branch site I cannot ping the main site.
I allow ping on the firewall, so I know this is not the problem. I have another VPN connection to a third site that works with no problems.
In addition, I cannot get to any internal sites from the new branch site.
The difference between branch site 1 (that works) and branch site 2 (that does not work) is that in branch 1 I also have a PAN.
Any idea what can be the problem?
Thank you
Question by: rfinaly

Expert Comment

ID: 35185460
The assumption I'm going on here is that both firewalls indicate that the VPN is up and functional. Is that correct?

Did you try pinging step by step for all points in between?

That is, from a Branch client:

Ping BranchGW private IP
Ping BranchGW public IP
Ping MainGW public IP (however, your MainGW or firewall may block outside ICMP, so lost packets are not conclusive of anything here).
Ping MainGW private IP

Then from the main site try the opposite and post the results.

 - Tom

Author Comment

ID: 35185552
Thank you for your response.
Yes, the VPN tunnels are up; I can see that in the interface and in the logs of both firewalls.
From the branch site I get no reply from any of my private IPs, and that includes the main IP.
I get a reply from the public gateway and from the public VPN IP I am using.

From the main site, I get no reply from the private IP of the branch site.
I do get a reply when pinging the public IP address of the branch site VPN tunnel, and also from the public gateway IP.

Author Comment

ID: 35185719
Also, I would like to add that there is no DNS server in the branch site. Not sure if that will make any difference.

Accepted Solution

TomRScott earned 500 total points
ID: 35193841
Regarding DNS, if you are pinging addresses as opposed to host names, DNS does not matter.

Regarding the pinging itself, assuming you pinged by address and not host name, can you provide the responses, step by step, for the procedure below?

From a Branch site 2 computer:

1. Ping a local computer
2. Ping private ADDRESS of local gateway/firewall
3. Ping PRIVATE address of Main gateway/firewall
4. Ping computer in Main

From a Main site computer:

1. Ping a local computer
2. Ping private ADDRESS of local gateway/firewall
3. Ping PRIVATE address of Branch 2 gateway/firewall
4. Ping computer in Branch 2

I think I know what the results will be, but we should be absolutely sure.

Off hand, I would guess that you have one of three problems:

Either the Branch 2 firewall is not quite compatible with your PAN firewalls for site-to-site VPN links;
Or, routing is not set up correctly (a common issue, and where I think your issue lies);
Or, something else, yet to be determined, in the VPN tunnel setup itself. Most likely, on the Branch 2 firewall.

Another question and a diagnostic to go with it:
Do you have ONLY ONE gateway at each site?

Specifically, is the Branch 2 gateway/firewall the ONLY access outside of the local network?

From a command prompt, please enter the following commands, copy the output and post it.

route print
ipconfig /all

If you wish, for security's sake, change the third octet of the addresses in the output to "X".

 - Tom
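The step-by-step ping walk and the "only one gateway" route check from the accepted solution, as an added example (not code from the thread or from either vendor): `diagnose()` names the first failing step of the four-step procedure and what it usually points to, and `lookup_route()` does a longest-prefix match over the IPv4 rows of `route print` output so you can see which gateway actually carries traffic for the far site's subnet. All addresses, including the embedded `route print` excerpt, are constructed placeholders.

```python
# Hop-by-hop VPN reachability walk plus a Windows 'route print' lookup.
# Constructed example; all addresses are placeholders, not the thread's.
import ipaddress
import platform
import subprocess
# Procedure steps (client's view) and the likely cause when each is the first to fail.
STEPS = ("local computer", "local gateway private address",
         "remote gateway private address", "remote computer")
DIAGNOSIS = (
    "local LAN problem (host firewall, switching); the VPN is not involved yet",
    "client cannot reach its own gateway: check default gateway, mask, second gateway",
    "traffic is not crossing the tunnel: routing to the remote subnet or tunnel setup",
    "tunnel reaches the far gateway but not past it: far-side security policy or NAT",
)

def ping(host):
    """True if one ICMP echo to host is answered (shells out to the OS ping command)."""
    flag = "-n" if platform.system() == "Windows" else "-c"
    return subprocess.run(["ping", flag, "1", host], capture_output=True).returncode == 0

def diagnose(results):
    """results: ping outcomes in STEPS order. Names the first failing step and its cause."""
    for i, ok in enumerate(results):
        if not ok:
            return f"step {i + 1} ({STEPS[i]}) failed: {DIAGNOSIS[i]}"
    return "all four steps succeeded"

def lookup_route(route_print_text, dest):
    """Longest-prefix, then lowest-metric, match over the IPv4 rows of 'route print'
    output; returns (network, gateway, interface) or None if nothing matches."""
    dest, best = ipaddress.IPv4Address(dest), None
    for line in route_print_text.splitlines():
        parts = line.split()  # Destination Netmask Gateway Interface Metric
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skips headers, separator lines and IPv6 rows
        net = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)
        if dest in net:
            cand = (net.prefixlen, -int(parts[4]), str(net), parts[2], parts[3])
            if best is None or cand[:2] > best[:2]:
                best = cand
    return None if best is None else best[2:]

# Constructed 'route print' excerpt: a second box (192.168.20.2) owns the route to the
# main-site subnet, so VPN-bound traffic never reaches the VPN gateway 192.168.20.1.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.20.1   192.168.20.50     25
     192.168.20.0    255.255.255.0         On-link   192.168.20.50    281
     192.168.10.0    255.255.255.0     192.168.20.2   192.168.20.50     10
"""
```

Run `diagnose([ping(h) for h in hosts])` with the four addresses in `STEPS` order from each site, and compare `lookup_route(text, far_side_host)[1]` against the private address of the VPN firewall; a different gateway (as in the sample) is the second-gateway routing problem the answer asks about.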


Author Closing Comment

ID: 35226908
I was able to resolve the issue; it was the Palo Alto Network Firewall that blocked the connection. I needed to create a policy and a NAT to the other side, and everything started working. Thanks for helping.
