I changed the configuration according to your suggestion, please see it, but the issue is still there. I can remote desktop to clients behind the Palo Alto but can't make any connection to IPs behind the SRX. The SRX100 is in the branch and the Palo Alto is in HQ.
If I ping from the DNS server to a client behind the SRX it won't complete; see the results.
C:\Users\administrator.MPP>ping 172.30.10.4
Pinging 172.30.10.4 with 32 bytes of data
Request timed out.
and tracert results
C:\Users\administrator.MPP>tracert 172.30.10.4
Tracing route to 172.30.10.4 over a maximum of 30 hops
2 28 ms 28 ms 27 ms 10.0.0.3
3 * * * Request timed out.
It reaches the st0.0 interface IP and then drops, but if I ping the gateway of the LAN interface, which is 172.16.10.1, it succeeds; see the tracert and ping results below.
Tracing route to 172.30.10.1 over a maximum of 30 hops
2 38 ms 39 ms 38 ms 172.30.10.1
Pinging 172.30.10.1 with 32 bytes of data:
Please see the configuration below.
set version 12.1X46-D86
set system host-name Kochi-TV
set system services ssh
set system services web-management http interface vlan.0
set system services dhcp pool 172.30.10.32/27 address-range low 172.30.10.34
set system services dhcp pool 172.30.10.32/27 address-range high 172.30.10.61
set system services dhcp pool 172.30.10.32/27 default-lease-time 14400
set system services dhcp pool 172.30.10.32/27 name-server 172.16.0.130
set system services dhcp pool 172.30.10.32/27 name-server 8.8.8.8
set system services dhcp pool 172.30.10.32/27 router 172.30.10.33
set system services dhcp pool 172.30.10.64/27 address-range low 172.30.10.66
set system services dhcp pool 172.30.10.64/27 address-range high 172.30.10.94
set system services dhcp pool 172.30.10.64/27 default-lease-time 3600
set system services dhcp pool 172.30.10.64/27 name-server 172.16.0.130
set system services dhcp pool 172.30.10.64/27 name-server 8.8.8.8
set system services dhcp pool 172.30.10.64/27 router 172.30.10.65
set system services dhcp pool 172.30.10.0/27 address-range low 172.30.10.4
set system services dhcp pool 172.30.10.0/27 address-range high 172.30.10.30
set system services dhcp pool 172.30.10.0/27 default-lease-time 3600
set system services dhcp pool 172.30.10.0/27 name-server 172.16.0.130
set system services dhcp pool 172.30.10.0/27 name-server 202.88.231.2
set system services dhcp pool 172.30.10.0/27 router 172.30.10.1
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 6
set interfaces fe-0/0/0 unit 0 family inet address 234.223.54.5/22
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members Corporate
set interfaces st0 unit 0 point-to-point
set interfaces st0 unit 0 family inet address 10.0.0.3/24
set interfaces vlan unit 0 family inet address 172.30.10.1/27
set interfaces vlan unit 10 family inet address 172.30.10.33/27
set interfaces vlan unit 20 family inet address 172.30.10.65/27
set routing-options static route 0.0.0.0/0 next-hop 234.223.65.2
set routing-options static route 172.16.0.130/32 next-hop st0.0
set routing-options static route 172.16.0.240/32 next-hop st0.0
set routing-options static route 172.16.3.52/32 next-hop st0.0
set routing-options static route 172.16.0.135/32 next-hop st0.0
set security ike policy asianet mode main
set security ike policy asianet proposal-set standard
set security ike policy asianet pre-shared-key ascii-text "$9$Uyj.PTz39tuQzylvWx7"
set security ike gateway ike-asianet ike-policy asianet
set security ike gateway ike-asianet address 65.23.78.56
set security ike gateway ike-asianet external-interface fe-0/0/0
set security ipsec policy asianetvpn proposal-set standard
set security ipsec vpn ike-asianet bind-interface st0.0
set security ipsec vpn ike-asianet ike gateway ike-asianet
set security ipsec vpn ike-asianet ike ipsec-policy asianetvpn
set security ipsec vpn ike-asianet establish-tunnels immediately
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set no-nat-vpn from zone lan
set security nat source rule-set no-nat-vpn to zone vpn
set security nat source rule-set no-nat-vpn rule no-nat1 match source-address 0.0.0.0/0
set security nat source rule-set no-nat-vpn rule no-nat1 match destination-address 0.0.0.0/0
set security nat source rule-set no-nat-vpn rule no-nat1 then source-nat off
set security nat source rule-set source-nat from zone lan
set security nat source rule-set source-nat to zone untrust
set security nat source rule-set no-nat-vpn rule no-nat match source-address 172.30.10.0/24
set security nat source rule-set no-nat-vpn rule no-nat match destination-address 172.16.0.0/16
set security nat source rule-set no-nat-vpn rule no-nat then source-nat off
set security nat source rule-set source-nat rule source-nat match source-address 172.30.10.0/24
set security nat source rule-set source-nat rule source-nat then source-nat interface
set security policies from-zone lan to-zone untrust policy lan-to-untrust match source-address any
set security policies from-zone lan to-zone untrust policy lan-to-untrust match destination-address any
set security policies from-zone lan to-zone untrust policy lan-to-untrust match application any
set security policies from-zone lan to-zone untrust policy lan-to-untrust then permit
set security policies from-zone lan to-zone lan policy lan-to-lan match source-address any
set security policies from-zone lan to-zone lan policy lan-to-lan match destination-address any
set security policies from-zone lan to-zone lan policy lan-to-lan match application any
set security policies from-zone lan to-zone lan policy lan-to-lan then permit
set security policies from-zone vpn to-zone lan policy vpn-lan match source-address any
set security policies from-zone vpn to-zone lan policy vpn-lan match destination-address any
set security policies from-zone vpn to-zone lan policy vpn-lan match application any
set security policies from-zone vpn to-zone lan policy vpn-lan then permit
set security policies from-zone lan to-zone vpn policy lan-vpn match source-address any
set security policies from-zone lan to-zone vpn policy lan-vpn match destination-address any
set security policies from-zone lan to-zone vpn policy lan-vpn match application any
set security policies from-zone lan to-zone vpn policy lan-vpn then permit
set security zones security-zone lan host-inbound-traffic system-services ping
set security zones security-zone lan host-inbound-traffic system-services ssh
set security zones security-zone lan host-inbound-traffic system-services snmp
set security zones security-zone lan host-inbound-traffic system-services http
set security zones security-zone lan host-inbound-traffic system-services all
set security zones security-zone lan host-inbound-traffic system-services snmp-trap
set security zones security-zone lan host-inbound-traffic protocols pim
set security zones security-zone lan host-inbound-traffic protocols all
set security zones security-zone lan interfaces vlan.0 host-inbound-traffic system-services dhcp
set security zones security-zone lan interfaces vlan.0 host-inbound-traffic system-services all
set security zones security-zone lan interfaces vlan.10 host-inbound-traffic system-services dhcp
set security zones security-zone lan interfaces vlan.20 host-inbound-traffic system-services dhcp
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0
set vlans Corporate vlan-id 5
set vlans Corporate l3-interface vlan.0
set vlans Guest vlan-id 10
set vlans Guest l3-interface vlan.10
set vlans Phone vlan-id 20
set vlans Phone l3-interface vlan.20
One more observation: if I remove the NAT rule everything works without any issue, but the internet won't work as there is no source NAT rule. I tried to send all traffic, including internet, to our HQ through the tunnel and that is also working without any issue, but I'm getting slow bandwidth.
It will be really helpful if you can help me; I am out of options here.
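Added example (not part of the post and not Junos code): a small Python model of the two decisions an SRX makes for a reply leaving the branch LAN under the configuration posted above, namely the longest-prefix route lookup that picks the egress interface and zone, and the zone-pair source NAT rule-set (first matching rule wins) that decides whether the packet is translated. The routing table, zone membership and NAT rules are transcribed from the config; the one assumption is that the default route's next-hop 234.223.65.2 resolves out of fe-0/0/0.0. Security policies, IPsec proxy-IDs and the Palo Alto side are out of scope. It lets a reader check, for any HQ source address, whether the branch reply would enter the vpn zone untranslated or leave towards untrust with interface NAT, which is the first thing to verify on a route-based VPN that only carries /32 routes for a handful of HQ hosts.

```python
import ipaddress

# Interface -> security zone, from the "set security zones" lines of the posted config.
ZONE_OF = {
    "fe-0/0/0.0": "untrust",
    "st0.0": "vpn",
    "vlan.0": "lan",
    "vlan.10": "lan",
    "vlan.20": "lan",
}

# Routing table: connected prefixes derived from the interface addresses plus the
# static routes. The default route's next-hop 234.223.65.2 is ASSUMED to resolve
# out of fe-0/0/0.0 (not stated in the config).
ROUTES = {
    "234.223.52.0/22": "fe-0/0/0.0",   # fe-0/0/0 is 234.223.54.5/22
    "10.0.0.0/24": "st0.0",            # st0.0 is 10.0.0.3/24
    "172.30.10.0/27": "vlan.0",
    "172.30.10.32/27": "vlan.10",
    "172.30.10.64/27": "vlan.20",
    "0.0.0.0/0": "fe-0/0/0.0",         # assumption, see above
    "172.16.0.130/32": "st0.0",
    "172.16.0.240/32": "st0.0",
    "172.16.3.52/32": "st0.0",
    "172.16.0.135/32": "st0.0",
}

# Source NAT rule-sets keyed by (from-zone, to-zone); rules are evaluated in order.
NAT_RULE_SETS = {
    ("lan", "vpn"): [
        ("no-nat1", "0.0.0.0/0", "0.0.0.0/0", "off"),
        ("no-nat", "172.30.10.0/24", "172.16.0.0/16", "off"),
    ],
    ("lan", "untrust"): [
        ("source-nat", "172.30.10.0/24", "0.0.0.0/0", "interface"),
    ],
}


def egress_interface(dst):
    """Longest-prefix-match lookup; returns the interface a packet to dst leaves on."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def source_nat_action(src, dst):
    """Select the rule-set for the (ingress zone, egress zone) pair and return the
    first matching rule as (from_zone, to_zone, rule_name, action). A flow with no
    matching rule-set or rule is left untranslated ("none")."""
    from_zone = ZONE_OF[egress_interface(src)]   # zone of the interface facing src
    to_zone = ZONE_OF[egress_interface(dst)]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_net, dst_net, action in NAT_RULE_SETS.get((from_zone, to_zone), []):
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return (from_zone, to_zone, name, action)
    return (from_zone, to_zone, None, "none")


def reply_path(branch_host, hq_host):
    """How a reply from branch_host to hq_host is handled: egress interface and
    zone, plus the source NAT rule and action applied."""
    ifname = egress_interface(hq_host)
    _, _, rule, action = source_nat_action(branch_host, hq_host)
    return {"egress": ifname, "zone": ZONE_OF[ifname], "rule": rule, "nat": action}


if __name__ == "__main__":
    # 172.16.0.130 has a /32 route via st0.0; 172.16.0.131 is a constructed HQ
    # address with no such route, so it follows the default route instead.
    for hq in ("172.16.0.130", "172.16.0.131"):
        print(hq, reply_path("172.30.10.4", hq))
```

Running it shows the reply to 172.16.0.130 leaving on st0.0 in zone vpn with NAT off, while a reply to any HQ address without a /32 route leaves on fe-0/0/0.0 towards untrust and is interface-NATed to the public address, so the tunnel never sees it. Junos also allows interface- and routing-instance-scoped rule-sets, which take precedence over zone-scoped ones; this model only covers the zone-scoped rule-sets present in the posted config.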