1. VPN tunnel not coming up

Scenario: Your VPN tunnel is not coming up, preventing communication between the VPN peers.

Solution: Use the command “show vpn ipsec-sa” to view the security associations (SAs) for the VPN. This command shows the status of each SA and the encryption and authentication settings negotiated for it. Additionally, check the VPN logs with the command “show log vpn” to identify errors that may be causing the tunnel to fail. Verify the configurations on both peers and check for mismatches such as the pre-shared key, encryption or authentication settings.

2. VPN traffic not passing

Scenario: Your VPN tunnel is up, but traffic is not passing through it.

Solution: Use the command “show session all filter source [VPN peer IP]” to view the sessions for the VPN peer. This command shows the status of each session together with its source and destination IP addresses, ports, and application. Additionally, check the VPN logs with the command “show log vpn” to identify errors that may be causing the traffic to fail. Verify the routing and the security rules on the firewall to ensure that traffic is allowed to pass through the VPN.

3. VPN phase-2 not coming up

Scenario: Your VPN tunnel’s phase-1 is established, but phase-2 is not coming up.

Solution: Use the command “show vpn ipsec-sa” to view the security associations (SAs) for the VPN. This command shows the status of each SA and the encryption and authentication settings for phase-1 and phase-2. Additionally, check the VPN logs with the command “show log vpn” to identify errors that may be causing phase-2 to fail. Verify the configurations on both peers and check for mismatches such as the pre-shared key, encryption or authentication settings.

4. High CPU usage on the firewall

Scenario: Your firewall is experiencing high CPU usage and you suspect it is related to VPN.

Solution: Use the command “show system resource” to view the CPU usage on the firewall. This command shows the overall CPU usage and the processes that are consuming the most resources. Additionally, check the VPN logs with the command “show log vpn” to identify errors that may be causing the high CPU usage. Verify the number of VPN tunnels and the encryption algorithms in use; both can drive CPU usage up.

5. Intermittent VPN connectivity

Scenario: Your VPN tunnel is experiencing intermittent connectivity, causing the VPN to drop and reconnect frequently.

Solution: Use the command “show vpn ipsec-sa” to view the security associations (SAs) for the VPN. This command shows the status of each SA and the encryption and authentication settings negotiated for it. Additionally, check the VPN logs with the command “show log vpn” to identify errors that may be causing the VPN to drop and reconnect. Verify the configurations on both peers and check for mismatches such as the pre-shared key, encryption or authentication settings. Also check for network issues between the peers that may be causing the intermittent connectivity.
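Two of the checks above lend themselves to scripting: comparing the phase-1 and phase-2 settings of both peers for mismatches (scenarios 1, 3 and 5), and counting how often a tunnel's SA is torn down to separate a normal scheduled rekey from a tunnel that is flapping (scenario 5). The following Python is an added example, not code from the original post or from Palo Alto Networks. The peer configuration dictionaries and the log lines are constructed for the example: the log format is a simplified "timestamp event tunnel=... reason=..." form, not the real PAN-OS log format, so a practitioner would replace the regular expression with one matching the output they actually export.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Part 1: peer configuration mismatch check (scenarios 1, 3 and 5) ---

# Settings that must agree on both VPN peers. proxy_ids are checked mirrored:
# the local side's (local, remote) pair must equal the remote side's (remote, local).
PHASE1_KEYS = ("ike_version", "encryption", "authentication", "dh_group", "psk_fingerprint")
PHASE2_KEYS = ("encryption", "authentication", "pfs_group", "proxy_ids")


def psk_fingerprint(psk: str) -> str:
    """Compare a hash of the pre-shared key so the secret itself never leaves the box."""
    return hashlib.sha256(psk.encode()).hexdigest()[:16]


def find_mismatches(local: dict, remote: dict) -> list:
    """Return (phase, setting, local_value, remote_value) tuples that differ."""
    diffs = []
    for phase, keys in (("phase1", PHASE1_KEYS), ("phase2", PHASE2_KEYS)):
        for key in keys:
            lv, rv = local[phase].get(key), remote[phase].get(key)
            if key == "proxy_ids":
                lv = set(tuple(p) for p in (lv or []))
                rv = set((r, l) for l, r in (rv or []))  # mirror the remote's view
            if lv != rv:
                diffs.append((phase, key, lv, rv))
    return diffs


# Constructed peer configurations (hypothetical values, not real firewall exports).
LOCAL_PEER = {
    "phase1": {"ike_version": "ikev2", "encryption": "aes-256-cbc", "authentication": "sha256",
               "dh_group": "group14", "psk_fingerprint": psk_fingerprint("example-psk")},
    "phase2": {"encryption": "aes-256-gcm", "authentication": "none", "pfs_group": "group14",
               "proxy_ids": [("10.1.0.0/16", "10.2.0.0/16")]},
}
REMOTE_PEER = {
    "phase1": {"ike_version": "ikev2", "encryption": "aes-256-cbc", "authentication": "sha1",
               "dh_group": "group14", "psk_fingerprint": psk_fingerprint("example-psk")},
    "phase2": {"encryption": "aes-256-gcm", "authentication": "none", "pfs_group": "group14",
               "proxy_ids": [("10.2.0.0/16", "10.1.0.0/16")]},
}

# --- Part 2: intermittent connectivity, SA drops per tunnel over time (scenario 5) ---

# Constructed log lines in a simplified form; this is NOT the real PAN-OS log format.
SAMPLE_LOG = """\
2024-03-01 08:00:02 ipsec-sa-established tunnel=site-b
2024-03-01 08:14:30 ipsec-sa-deleted tunnel=site-b reason=dpd-timeout
2024-03-01 08:14:45 ipsec-sa-established tunnel=site-b
2024-03-01 08:29:10 ipsec-sa-deleted tunnel=site-b reason=dpd-timeout
2024-03-01 08:29:20 ipsec-sa-established tunnel=site-b
2024-03-01 08:00:05 ipsec-sa-established tunnel=site-c
2024-03-01 12:00:05 ipsec-sa-deleted tunnel=site-c reason=lifetime-expiry
2024-03-01 12:00:06 ipsec-sa-established tunnel=site-c
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) tunnel=(\S+)(?: reason=(\S+))?$")


def flapping_tunnels(log_text: str, window: timedelta = timedelta(hours=1),
                     max_drops: int = 1) -> dict:
    """Return {tunnel: {"drops": n, "reasons": {...}}} for tunnels whose SA was
    deleted more than max_drops times inside any window of the given length.
    One lifetime-expiry rekey every few hours is normal; repeated DPD timeouts
    minutes apart point at a path or peer problem rather than a config mismatch."""
    drops = defaultdict(list)
    reasons = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected shape
        ts, event, tunnel, reason = m.groups()
        if event == "ipsec-sa-deleted":
            drops[tunnel].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
            reasons[tunnel][reason or "unknown"] += 1
    result = {}
    for tunnel, times in drops.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted drop times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_drops:
            result[tunnel] = {"drops": peak, "reasons": dict(reasons[tunnel])}
    return result


if __name__ == "__main__":
    for diff in find_mismatches(LOCAL_PEER, REMOTE_PEER):
        print("mismatch:", diff)
    for tunnel, info in flapping_tunnels(SAMPLE_LOG).items():
        print("flapping:", tunnel, info)
```

Note that feeding the same configuration to both sides of find_mismatches is itself reported as a proxy-ID mismatch: proxy IDs must mirror each other, so copying one peer's settings verbatim onto the other is a classic cause of a phase-2 that will not come up.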

Please note that the exact commands may vary with the PAN-OS version of the firewall. It is always recommended to check the Palo Alto documentation for the specific command usage and syntax.
