https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-changing-aes-for-ike-and-ipsec-doesnt-allow-traffic-to-pass/m-p/249089#M515 <P>I've never seen any issue like that with our VM-Series firewalls. I don't deal with the Physical firewalls but the IPsec/IKE enginee should be the same.&nbsp;</P> <P>Have you tried clearing the tunnel and reestabling the IPsec tunnel? if so and that didn't resolve the issue I would suggest opening up a case with support.&nbsp;</P> Wed, 06 Feb 2019 22:08:19 GMT jperry1 2019-02-06T22:08:19Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-changing-aes-for-ike-and-ipsec-doesnt-allow-traffic-to-pass/m-p/249040#M510 <P>Hello,</P><P>We have a successful tunnels to our VPC and traffic is passing. We used the AWS downloaded cofing to guide us on the PAN side. Now when I change the ike and ipsec settings to different ciphers, say from aes128 to aes256 the tunnel stays up and is extablished but we cannot pass traffic.&nbsp;</P><P>&nbsp;</P><P>Anyone else run into this?</P><P>&nbsp;</P><P>Thanks in advance!</P> Wed, 06 Feb 2019 17:43:59 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-changing-aes-for-ike-and-ipsec-doesnt-allow-traffic-to-pass/m-p/249040#M510 OtakarKlier 2019-02-06T17:43:59Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-changing-aes-for-ike-and-ipsec-doesnt-allow-traffic-to-pass/m-p/249086#M513 <P>What version of PAN-OS software are you running on the firewall? is a it a VM-Series firewall or a physical firewall?</P> Wed, 06 Feb 2019 22:01:08 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-changing-aes-for-ike-and-ipsec-doesnt-allow-traffic-to-pass/m-p/249086#M513 jperry1 2019-02-06T22:01:08Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-changing-aes-for-ike-and-ipsec-doesnt-allow-traffic-to-pass/m-p/249087#M514 <P>On our side we are running a physical PAN with 8.0.14 code. On the AWS side its the built in AWS connectors.</P> Wed, 06 Feb 2019 22:02:37 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-changing-aes-for-ike-and-ipsec-doesnt-allow-traffic-to-pass/m-p/249087#M514 OtakarKlier 2019-02-06T22:02:37Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-changing-aes-for-ike-and-ipsec-doesnt-allow-traffic-to-pass/m-p/249089#M515 <P>I've never seen any issue like that with our VM-Series firewalls. I don't deal with the Physical firewalls but the IPsec/IKE enginee should be the same.&nbsp;</P> <P>Have you tried clearing the tunnel and reestabling the IPsec tunnel? if so and that didn't resolve the issue I would suggest opening up a case with support.&nbsp;</P> Wed, 06 Feb 2019 22:08:19 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-changing-aes-for-ike-and-ipsec-doesnt-allow-traffic-to-pass/m-p/249089#M515 jperry1 2019-02-06T22:08:19Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-changing-aes-for-ike-and-ipsec-doesnt-allow-traffic-to-pass/m-p/249265#M516 <P>Thanks for the suggestion. It didnt worl so I opened a support case. I'll post the solution when we find one.</P> Thu, 07 Feb 2019 16:38:33 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-changing-aes-for-ike-and-ipsec-doesnt-allow-traffic-to-pass/m-p/249265#M516 OtakarKlier 2019-02-07T16:38:33Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-changing-aes-for-ike-and-ipsec-doesnt-allow-traffic-to-pass/m-p/249266#M517 <P>Did you set proper MTU set on the tunnel? 1427&nbsp;</P> Thu, 07 Feb 2019 16:42:45 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-changing-aes-for-ike-and-ipsec-doesnt-allow-traffic-to-pass/m-p/249266#M517 hsong 2019-02-07T16:42:45Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-changing-aes-for-ike-and-ipsec-doesnt-allow-traffic-to-pass/m-p/249268#M518 <P>Yep as well as leaving it default. No Joy.</P> Thu, 07 Feb 2019 16:46:52 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-changing-aes-for-ike-and-ipsec-doesnt-allow-traffic-to-pass/m-p/249268#M518 OtakarKlier 2019-02-07T16:46:52Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-changing-aes-for-ike-and-ipsec-doesnt-allow-traffic-to-pass/m-p/249307#M519 <P>Ok so wierd settings, who knows where the real issue is since AWS is a blackbox.</P><P>&nbsp;</P><P>IKE settings:</P><P>These are OK as aes-256-cbc, sha256, DH group14</P><P>&nbsp;</P><P>IPsec settings:</P><P>aes-256-cbc, <STRONG>sha1</STRONG>, DH group 14.</P><P>&nbsp;</P><P>So it was the SHA version on the IPSec config that was causing the issues. Wont do sha256 but still estabilishes the tunnel.</P><P>&nbsp;</P><P>Gotta love interoperatability....</P> Thu, 07 Feb 2019 18:47:37 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-changing-aes-for-ike-and-ipsec-doesnt-allow-traffic-to-pass/m-p/249307#M519 OtakarKlier 2019-02-07T18:47:37Z