WRVS4400N and Palo Alto Netowrk Firewall

Posted on 2011-03-21
Last Modified: 2012-05-11
Hello Experts,
IN my main site I have a Palo Alto Netowrk Firewall (PAN) and in my branch site I have a WRVS4400N, I setup the VPN tunnel between the two sites, both sites are up. However I cannot ping the internal IP address of any of the sites, so from the main site I cannot ping the branch site and from the branch site I cannot ping the main site.
I allow ping on the firewall so I know this is not the problem, I have another VPN connection to a third site that works no problems.
In addition I cannot get to any internal sites from the new branch site.
the diffrences between branch site 1 (that works) and brachn 2 that does not work is that in branch 1 I also have a PAN.
Any idea what can be the problem?
Thank you
Question by:rfinaly
  • 3
  • 2
LVL 12

Expert Comment

ID: 35185460
The assumption I'm going on here is that both firewalls indicate that the VPN is up and functional. Is that correct?

Did you try pining step by step for all points in between?

That is, from a Branch client:


Ping BranchGW private IP


Ping BranchGW public IP


Ping MainGW public IP (however, your MainGW or firewall may block outside ICMP, so lost packets are not conclusive of anything here).


Ping MainGW private IP
Then from the main site try the opposite and post the results.

 - Tom

Author Comment

ID: 35185552
Thank you for your respond.
Yes the VPN tunnel are up, I can see that in the interface and in the logs of both firewalls.
From Branch site - I get no reply to any of my private IP's that's include the main IP.
I get reply to the public gateway and the public VPN IP I am using.

From Main site, I get no reply to the private IP of the branch site.
I do get reply when ping the public IP address for the branch site VPN tunnel. also get reply for the public gateway IP.

Author Comment

ID: 35185719
Also I would like to add that there is no DNS server in the branch site. Not sure if that will make any diffrences.
LVL 12

Accepted Solution

TomRScott earned 500 total points
ID: 35193841
Regarding DNS, if you are pinging addresses as opposed to host names, DNS does not matter.

Regarding the pinging itself, assuming you pinged by address and not host name, can you provide the responses, step by step, for the procedure below?

From a Branch site 2 computer:

1. Ping a local computer


2. Ping private [b]address[/b] of local gateway/firewall


3. Ping [b]private[/b] address of Main gateway/firewall


4. Ping computer in Main

From a Main site computer:

1. Ping a local computer


2. Ping private [b]address[/b] of local gateway/firewall


3. Ping [b]private[/b] address of Branch 2 gateway/firewall


4. Ping computer in Branch 2

I think I know what the results will be, but we should be absolutely sure.

Off hand, I would guess that you have one of three problems:

Either the Branch 2 firewall is not quite compatible with your PAN firewalls for site-to-site VPN links;
Or, routing is not setup correctly (a common issue, and where I think your issue lies);
Or, something else, yet to be determined in the VPN tunnel setup itself. Most likely, on the Branch 2 firewall.

Another question and a diagnostic to go with it:
Do you have ONLY ONE gateway at each site?

Specifically is the Branch 2 gateway/firewall the ONLY access outside of the local network?

From a command prompt, please enter the following commands, copy the output and post it.

route print
ipconfig /all

If you wish for security sake, change the third octet of the addresses in the output to "X"

 - Tom


Author Closing Comment

ID: 35226908
I was able to resolve the issue, it was Palo Alto Network Firewall that blocked the connection. I needed to create a policy and a NAT to the other side and everything start working. Thanks for helpping.

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SSL RA VPN 7 103
iPad Won't Connect 16 74
ASA to pfsense IPSec site to site tunnel 17 46
Some issue on SecurityCRT 5 24
In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

28 Experts available now in Live!

Get 1:1 Help Now