Hi Guys,
I have 81 ASAs I need to S2S VPN into a Palo Alto VM500 in Azure. Tunnel comes up, and pings work, but there is a lot of packet loss. This is not an ISP issue, as I’ve tested it from several sites. The packet loss varies: some sites drop 30% of all packets from the ASA, while others drop 3 packets in a row, almost in a pattern, for every 100 or so successful packets. Am I doing something wrong here or do ASAs just not work well VPN’d to Palos? I am using IKEv2 and have tried numerous phase 1 and phase 2 settings. NAT Traversal is enabled, but nothing stabilizes the packet loss. Conversely, my branches on physical PA-440s can connect to the VM500 without any problems and I don’t drop any packets ever. Do I need to run IKEv1 or something, or is this just a janky design and I need to replace the ASAs in the field with Palos?
What do the MTU settings look like?
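One way to put numbers on the MTU question above: ESP tunnel mode plus the UDP encapsulation the OP's NAT Traversal setting implies adds a fixed overhead, so a 1500-byte ping that leaves the ASA gets fragmented after encryption and any dropped fragment loses the whole packet. This is an added example, not from the thread; it assumes IPv4 inside and outside the tunnel, a 1500-byte outer MTU, and header sizes from RFC 4303, RFC 4106, RFC 4868 and RFC 3948.

```python
# Added example (not from the thread): ESP tunnel-mode size budget.
# Sizes follow RFC 4303 (ESP), RFC 4106 (AES-GCM), RFC 4868 (HMAC-SHA2)
# and RFC 3948 (UDP encapsulation for NAT-T); inner and outer IPv4 assumed.

IPV4_HDR, UDP_HDR, TCP_HDR = 20, 8, 20
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1); padding itself is computed

# cipher -> (IV bytes, alignment of payload+padding+trailer, built-in ICV bytes)
CIPHERS = {
    "aes-cbc": (16, 16, 0),       # needs a separate integrity algorithm
    "3des-cbc": (8, 8, 0),
    "aes-gcm-128": (8, 4, 16),    # AEAD: the ICV is part of the cipher
}
# separate integrity algorithm -> ICV bytes
INTEGRITY = {"hmac-sha1-96": 12, "hmac-sha256-128": 16,
             "hmac-sha384-192": 24, "hmac-sha512-256": 32}


def max_inner_packet(outer_mtu=1500, cipher="aes-cbc",
                     integrity="hmac-sha256-128", nat_t=True):
    """Largest inner IPv4 packet that fits in one ESP datagram of outer_mtu bytes."""
    iv, align, aead_icv = CIPHERS[cipher]
    if aead_icv and integrity:
        raise ValueError(f"{cipher} is AEAD; do not combine it with {integrity}")
    if not aead_icv and not integrity:
        raise ValueError(f"{cipher} needs a separate integrity algorithm")
    icv = aead_icv or INTEGRITY[integrity]
    fixed = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + icv
    avail = outer_mtu - fixed
    # payload + padding + trailer must be a multiple of `align`; with zero
    # padding the payload is the largest aligned block minus the 2-byte trailer.
    return (avail // align) * align - ESP_TRAILER


def tcp_mss_clamp(**kw):
    """TCP MSS that keeps every full-size segment inside the tunnel budget."""
    return max_inner_packet(**kw) - IPV4_HDR - TCP_HDR


def fits_unfragmented(inner_len, **kw):
    """True if an inner packet of inner_len bytes is encrypted without fragmentation."""
    return inner_len <= max_inner_packet(**kw)


if __name__ == "__main__":
    # Constructed scenario: 1500-byte outer MTU, AES-CBC/SHA-256 behind NAT-T.
    print(max_inner_packet())        # 1422
    print(tcp_mss_clamp())           # 1382
    print(fits_unfragmented(1500))   # False: a 1500-byte ping is fragmented
```

Testing with pings at the computed size (DF set) and one byte above it separates a fragmentation problem from loss inside the tunnel itself.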
You can try putting an LB in front of the Palo. Palo has some best practice designs that call for an LB in a lot of cases. I never tried it with VPN, but it should be fairly straightforward to set up and test.
Any pcaps?
ASAs and PAs can play nice, but it takes a little extra love. Make sure you are utilizing proxy IDs and that you have return routes on both sides. Very likely missing a return route somewhere. Have you checked system logs on the Palo? They usually give you an idea of where your issue is. In my experience, it usually ends up being a phase 2 mismatch.
The Cisco ASA has supported tunnel protection mode with VTI (virtual tunnel interfaces) for over 6 years. It allows the use of route-based VPN instead of the default policy-based VPN. With route-based VPN, proxy IDs are not required:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/configuration/vpn/asa-912-vpn-config/vpn-vti.html
BGP is the only protocol supported. Once implemented, NAT bypass is not required; just use ACLs and the BGP configuration to control traffic.
I have been using this for years and it works really well.