IPSec Troubleshooting
The following guide presents a methodical way to self-diagnose and resolve some of the common errors encountered when setting up an IPSec site-to-site connection.
We highly recommend exporting it and searching it for errors and for details related to the topics covered below; this makes the troubleshooting workflow considerably faster.
The console indicates the tunnel is down
Mismatched Parameters
Every site-to-site connection depends on entering exactly the same values in the above fields in both the Harmony SASE Management Platform and your firewall/router management interface. A mismatch in any of these will prevent the tunnel from establishing, so your very first step should be to confirm that they are identical on both platforms. When filling in IKE Mode, choose Main Mode (Aggressive Mode is not supported).
In addition, verify that you've entered the same shared secret (sometimes referred to as the PSK) on both platforms.
Network Addresses
Another common error stems from the confusing terminology used for the different addresses involved in establishing a tunnel.
When filling in the parameters in the Harmony SASE platform:
- Public IP/Remote ID refers to the public IP address through which your on-premises network/VPC connects to the internet.
- Harmony SASE Gateway Proposal Subnet refers to your Harmony SASE subnet (in CIDR notation). This value must be identical to the value set as Remote Subnet in your router/firewall/IaaS platform; therefore, if you choose to set it to 0.0.0.0/0 on one platform, you must set it to the same on the other.
- Remote Gateway Proposal Subnet refers to your on-premises/cloud network subnet (in CIDR notation). This value must be identical to the value set as Local Subnet in your router/firewall/IaaS platform; therefore, if you choose to set it to 0.0.0.0/0 on one platform, you must set it to the same on the other.
Unless the dedicated guide for your device states otherwise, we recommend entering the exact address range rather than 0.0.0.0/0 (any).
The console indicates the tunnel is up, but I am still unable to access internal resources
Route Table
While some router/firewall interfaces automatically adjust the route table when a tunnel is created, others do not. Make sure you have an inbound rule allowing traffic from your Harmony SASE subnet to your internal network, as well as an outbound rule allowing traffic from your internal network to the Harmony SASE subnet.
Firewall Rules/Security Group
- IPSec-based connections use the following ports: UDP 500 and UDP 4500. Make sure that these are open for both inbound and outbound traffic.
- Check your current firewall rules/the security group associated with the resource you're trying to reach, and verify that no rule blocks access to it. Rule ordering (hierarchy) may also affect this.
Subnets
An overlapping subnet will interfere with traffic flow. Make sure that:
- Your Harmony SASE address range does not overlap with a subnet within your VPC/internal network.
- Each branch within the VPC/on-premises network has its own unique subnet.
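The three checks this guide walks through (identical IKE/IPsec parameters on both sides, mirrored proposal subnets, and internal subnets that neither overlap the Harmony SASE range nor repeat) can be scripted before you open a ticket. This is an added example, not Harmony SASE's own tooling: the dictionary keys are this example's naming, and every IP, subnet and parameter value is constructed sample data.

```python
import ipaddress

# Constructed sample values (not from the page); keys are this example's own.
PHASE_KEYS = ("ike_mode", "ike_encryption", "ike_hash", "dh_group", "ike_lifetime",
              "esp_encryption", "esp_hash", "pfs_group", "esp_lifetime", "psk")
SASE_SIDE = {  # values entered in the Harmony SASE Management Platform
    "ike_mode": "main", "ike_encryption": "aes256", "ike_hash": "sha256",
    "dh_group": 14, "ike_lifetime": 28800, "esp_encryption": "aes256",
    "esp_hash": "sha256", "pfs_group": 14, "esp_lifetime": 3600,
    "psk": "example-psk", "remote_id": "203.0.113.10",  # on-prem public IP
    "gateway_proposal_subnet": "10.255.0.0/16",   # Harmony SASE subnet
    "remote_proposal_subnet": "192.168.10.0/24",  # on-prem subnet
}
FW_SIDE = {  # values entered in the firewall/router management interface
    "ike_mode": "aggressive", "ike_encryption": "aes256", "ike_hash": "sha256",
    "dh_group": 14, "ike_lifetime": 86400, "esp_encryption": "aes256",
    "esp_hash": "sha256", "pfs_group": 14, "esp_lifetime": 3600,
    "psk": "example-psk", "local_subnet": "192.168.10.0/24",
    "remote_subnet": "0.0.0.0/0",  # 'any' on one side only: mismatch
}
# Constructed branch subnets behind the firewall (one duplicate, one overlap).
INTERNAL_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24", "192.168.20.0/24",
                    "10.255.3.0/24"]

def check_phase_parameters(sase, fw):
    """Return Phase 1/2 fields that differ, plus a note if IKE mode is not Main."""
    problems = [f"{k}: {sase.get(k)!r} != {fw.get(k)!r}"
                for k in PHASE_KEYS if sase.get(k) != fw.get(k)]
    if sase.get("ike_mode") != "main":
        problems.append("ike_mode must be main (aggressive mode is not supported)")
    return problems

def check_proposal_subnets(sase, fw):
    """Proposal subnets must be mirrored: SASE gateway == FW remote, SASE remote
    == FW local. Compared as networks, so 0.0.0.0/0 on one side only is flagged."""
    net = ipaddress.ip_network
    problems = []
    if net(sase["gateway_proposal_subnet"]) != net(fw["remote_subnet"]):
        problems.append("Gateway Proposal Subnet != firewall Remote Subnet")
    if net(sase["remote_proposal_subnet"]) != net(fw["local_subnet"]):
        problems.append("Remote Gateway Proposal Subnet != firewall Local Subnet")
    return problems

def check_subnet_overlap(sase_subnet, internal_subnets):
    """Return (internal subnets overlapping the SASE range, duplicated subnets)."""
    sase_net = ipaddress.ip_network(sase_subnet)
    nets = [ipaddress.ip_network(s) for s in internal_subnets]
    overlapping = [str(n) for n in nets if n.overlaps(sase_net)]
    duplicates = sorted({str(n) for n in nets if nets.count(n) > 1})
    return overlapping, duplicates
```

Run all three checks against your exported configuration: an empty result from each is what a correctly mirrored, non-overlapping tunnel setup looks like.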