WRVS4400N and Palo Alto Networks Firewall

Posted on 2011-03-21
Medium Priority
Last Modified: 2012-05-11
Hello Experts,
In my main site I have a Palo Alto Networks firewall (PAN) and in my branch site I have a WRVS4400N. I set up the VPN tunnel between the two sites; both sites are up. However, I cannot ping the internal IP address of either site: from the main site I cannot ping the branch site and from the branch site I cannot ping the main site.
I allow ping on the firewall, so I know this is not the problem. I have another VPN connection to a third site that works with no problems.
In addition, I cannot get to any internal sites from the new branch site.
The difference between branch site 1 (which works) and branch 2 (which does not work) is that in branch 1 I also have a PAN.
Any idea what can be the problem?
Thank you
Question by:rfinaly
Expert Comment

ID: 35185460
The assumption I'm going on here is that both firewalls indicate that the VPN is up and functional. Is that correct?

Did you try pinging step by step for all points in between?

That is, from a Branch client:

1. Ping BranchGW private IP
2. Ping BranchGW public IP
3. Ping MainGW public IP (however, your MainGW or firewall may block outside ICMP, so lost packets are not conclusive of anything here).
4. Ping MainGW private IP

Then from the main site try the opposite and post the results.

 - Tom

Author Comment

ID: 35185552
Thank you for your response.
Yes, the VPN tunnels are up; I can see that in the interface and in the logs of both firewalls.
From the branch site I get no reply from any of my private IPs; that includes the main IP.
I get a reply from the public gateway and the public VPN IP I am using.

From the main site I get no reply from the private IP of the branch site.
I do get a reply when pinging the public IP address of the branch site VPN tunnel, and also a reply from the public gateway IP.

Author Comment

ID: 35185719
Also, I would like to add that there is no DNS server in the branch site. Not sure if that will make any difference.

Accepted Solution

TomRScott earned 2000 total points
ID: 35193841
Regarding DNS, if you are pinging addresses as opposed to host names, DNS does not matter.

Regarding the pinging itself, assuming you pinged by address and not host name, can you provide the responses, step by step, for the procedure below?

From a Branch site 2 computer:

1. Ping a local computer
2. Ping private address of local gateway/firewall
3. Ping private address of Main gateway/firewall
4. Ping computer in Main

From a Main site computer:

1. Ping a local computer
2. Ping private address of local gateway/firewall
3. Ping private address of Branch 2 gateway/firewall
4. Ping computer in Branch 2

I think I know what the results will be, but we should be absolutely sure.

Off hand, I would guess that you have one of three problems:

Either the Branch 2 firewall is not quite compatible with your PAN firewalls for site-to-site VPN links;
Or, routing is not setup correctly (a common issue, and where I think your issue lies);
Or, something else, yet to be determined in the VPN tunnel setup itself. Most likely, on the Branch 2 firewall.

Another question and a diagnostic to go with it:
Do you have ONLY ONE gateway at each site?

Specifically is the Branch 2 gateway/firewall the ONLY access outside of the local network?

From a command prompt, please enter the following commands, copy the output and post it.

route print
ipconfig /all

If you wish, for security's sake, change the third octet of the addresses in the output to "X".

 - Tom
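The four-hop procedure above, plus the route-table check Tom asks for, as an added example that is not part of the original thread. It pings each hop in order from a branch client, reports the first hop that stops answering with what that usually points to, and then parses Windows `route print` output to show which route the client would use for the far subnet. All addresses (192.168.2.0/24 for branch 2, 192.168.1.0/24 for main), the `route print` text and the step names are constructed for the example; the `runner` argument exists only so the path walk can be exercised without sending packets.

```python
"""Walk the four-hop ping path from a branch client, interpret the first hop
that fails, then resolve the far subnet in the client's route table.
All addresses are constructed RFC 1918 examples, not the poster's."""
import ipaddress
import platform
import subprocess

# Each hop sits one step further along the tunnel path, so test them in order.
STEPS = ("local_host", "local_gateway", "remote_gateway", "remote_host")

# What the first failing hop usually points to.
VERDICTS = {
    "local_host": "local LAN problem (switching, host firewall); nothing VPN related yet",
    "local_gateway": "client cannot reach its own gateway's inside address: "
                     "check the client's default gateway and ICMP on the LAN side",
    "remote_gateway": "tunnel reports up but carries no traffic: check routes and "
                      "proxy-ID / interesting-traffic selectors on both gateways",
    "remote_host": "far gateway answers but its LAN does not: check the far gateway's "
                   "inbound security policy and the far host's firewall and default route",
}

# Constructed `route print` IPv4 table for a branch client at 192.168.2.10.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.10     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.2.0    255.255.255.0         On-link      192.168.2.10    281
     192.168.2.10  255.255.255.255         On-link      192.168.2.10    281
===========================================================================
"""


def ping(host, runner=None, timeout_s=2):
    """True if `host` answers one ICMP echo; `runner` lets tests inject answers."""
    if runner is not None:
        return runner(host)
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]  # -w is in ms
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]  # iputils: -W in seconds
    proc = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0


def walk_path(targets, runner=None):
    """Ping every hop in STEPS order; `targets` maps step name -> IP address."""
    return {step: ping(targets[step], runner=runner) for step in STEPS}


def diagnose(results):
    """Return (first_failing_step, explanation); step is None if all hops answer."""
    for step in STEPS:
        if not results[step]:
            return step, VERDICTS[step]
    return None, "all four hops answer; the tunnel carries traffic end to end"


def parse_route_print(text):
    """Pull (network, gateway, interface, metric) rows out of `route print` output.
    Header, separator and IPv6 lines never have exactly five IPv4-shaped fields."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
            metric = int(parts[4])
        except ValueError:
            continue
        routes.append((net, parts[2], parts[3], metric))
    return routes


def best_route(routes, dst):
    """Longest-prefix match, lowest metric on ties: the route Windows will use."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


if __name__ == "__main__":
    # Branch 2 client behind 192.168.2.1; main LAN 192.168.1.0/24 behind the PAN at 192.168.1.1.
    targets = {"local_host": "192.168.2.20", "local_gateway": "192.168.2.1",
               "remote_gateway": "192.168.1.1", "remote_host": "192.168.1.20"}
    results = walk_path(targets)
    for step in STEPS:
        print(f"{step:15s} {targets[step]:15s} {'reply' if results[step] else 'no reply'}")
    print("verdict:", diagnose(results)[1])
    route = best_route(parse_route_print(SAMPLE_ROUTE_PRINT), targets["remote_host"])
    print("route to far host:", route[0], "via", route[1], "on", route[2])
```

Run it on the branch client with the real addresses filled in, then again from a main-site host with the roles swapped, and compare the two first-failing hops: a break at the far gateway from both directions points at routing or selectors on the tunnel, while a far gateway that answers and a far LAN that does not points at the far side's policy. On a single-gateway client the route check should land on the default route via the local gateway; any more specific route for the far subnet (a second NIC, a client VPN adapter) is the kind of thing Tom's `route print` request is meant to expose.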


Author Closing Comment

ID: 35226908
I was able to resolve the issue. It was the Palo Alto Networks firewall that blocked the connection; I needed to create a policy and a NAT to the other side, and everything started working. Thanks for helping.
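The shape of the security policy the asker ended up adding, as an added example in PAN-OS set-command form (not the asker's own configuration). A PAN assigns tunnel traffic to the zone of its tunnel interface, so packets arriving from branch 2 need an explicit rule from that zone into the LAN zone even when the tunnel itself shows up; without one they are silently dropped, which matches the symptom in this thread. The zone names "trust" (main LAN, 192.168.1.0/24) and "vpn", the interface tunnel.2, the rule and route names and the branch 2 subnet 192.168.2.0/24 are all assumed; the syntax is from memory of PAN-OS and may differ by version; the NAT rule the asker also added is not reproduced because the page does not say what it translated.

```text
configure
set zone vpn network layer3 tunnel.2
set network virtual-router default routing-table ip static-route to-branch2 destination 192.168.2.0/24 interface tunnel.2
set rulebase security rules branch2-in from vpn to trust source 192.168.2.0/24 destination 192.168.1.0/24 application any service application-default action allow
set rulebase security rules branch2-out from trust to vpn source 192.168.1.0/24 destination 192.168.2.0/24 application any service application-default action allow
commit
```

The two rules are deliberately scoped to the pair of LAN subnets rather than "any to any" across the zones; narrow the application list further once the link is confirmed working. Checking the traffic log for sessions from the branch subnet with a deny or "no rule" reason is the quickest confirmation that policy, not the tunnel, was the blocker.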
