Site to Site VPN issue (Palo Alto to Cisco ASA)

scaredoftests

Wondering if anyone has had experience with this issue. We have been trying to set up a VPN (site to site) from a Palo Alto to a Cisco ASA. The tunnel is up but we can't ping externally to off-site. We have the policies in place. We are scratching our heads... any advice?

Welly_59

Can you ping the tunnel endpoint?

Iristheangel

@Welly - there's no tunnel like a tunnel interface. They can test IP reachability from the physical interface point of view for the outside interface but that's it.

I can't help from a PAN point of view but how do the proxy IDs look on the ASA? You didn't send blanket 0.0.0.0/0 proxy IDs over, did you? Are the subnets that are being shared looking good? Did both ISAKMP and IPSec come up correctly? Have you done a debug of the both for the tunnel? Have you enabled logging on the ASA and checked what's happening?

scaredoftests

We don't have access to the ASA. It is at another site.
Our IPsec tunnel is up. We used to be able to ping their external network . Last week that all changed and we can't ping them. the people who we need to talk to were on vacation all week. Now, we can't ping and it just hangs. I contacted Palo Alto and they said if our tunnel is up, then it is on the ASA side. I guess we will find out Tuesday when we are all back from the holiday...

bhcs2014

Why are you trying to ping their external network? In order to test tunnel connectivity you should try to connect from your private subnet to the remote subnet on the ASA's end. Ping may not work if ICMP inspection is turned off on the ASA end. Can you try to RDP or http/https page on the remote subnet?

scaredoftests

The ASA end had ACLs that were blocking us. We can ping each other.