Hey Andy

-is it domain or route based?

It is Route based

-sta or meshed community?

Meshed Community

-any NAT used?

The pure IP goes through the tunnel there is no NAT from my end.

K, so if its meshed, then no option to set any routing, which is fine, since every "entity" talks to one another, if you will. So, do you have super basic diagram of maybe example of an IP thats fialing? Just scramble something on a piece of paper and take a picture and upload it, not an issue, just blur out any sensitive data.

Did you try ip r g command with an IP address in question to make sure it uses correct route? example ip r g 8.8.8.8

What about simple zdebug and also basic vpn debug?

vpn debug trunc

vpn debug ikeon

-generate some traffic for 1 minute (ping)

vpn debug ikeoff

fw ctl debug 0 (to turn off debugs)

Look for vpnd* and ike* files in $FWDIR/log dir

Best,

Andy

Andy, does this debug commands create some issue because it is a production environment if the debug command needs maintenance window kindly please let me know.

I had done it probably more than 100 times, never had an issue. Those are super light and I know people sometimes leave them on for 2 weeks and its fine. If you want to be super careful and do it after hours, thats your choice, but personally, I never had any issues, even in production.

Andy

@Ihenock1011 Were you able to run the debug mate?

Andy

After discussing with the partner, they informed me that their endpoint machine is behind a NAT device. When traffic reaches the peer IP, which is also their machine's public IP, it will be translated and forwarded to their internal host. As I understand it, IPSec might not function correctly in this scenario. Both machines behind the peer IP should ideally be configured as they are while traversing the tunnel. Is there a workaround for this situation?

Did you make sure NAT is NOT disabled inside vpn community? Also, do you have simple diagram that would illustrate this scenario?

Andy

Inside VPN community I checked on the advanced tab disable NAT b/n communities. I will attach the free sketch of network topology removing sensitive information

That could be the issue then, because you need nat, so that option should not be ticked.

Andy

Okay then let me check that way and I will Update you.

Sounds good, let us know how it goes.

Andy

I tried the enable and disable NAT it doesnt give me a solution.

after the debug I get the two outputs from the vpnd.elg file

TSPayload::constructRelevantTS: checking relevancy of range: "Partners Peer IP x.x.x.x"
TSPayload::isRelevantTS_ipv4 : range  is outside of TS range "Partners Peer IP x.x.x.x". TS range is not relevant.

Sounds like vpn domain issue...

what does it mean Andy?

It would appear something with phase 2 is not matching. Based on that message, most likely vpn enc domains.

Thank you @Zolocofxp for that, but im FAR from being a master lol

But yes, I agree with your assesment, definitely phase 2 issue.

Andy