https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43230#M31709 <HTML><HEAD></HEAD><BODY><P>Message =</P><P>IKE phase-1 negotiation is succeeded as initiator, main mode. Established SA:</P><P>IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA:</P><P>IKE protocol notification message received: INVALID-ID-INFORMATION (18). </P></BODY></HTML> Wed, 02 Mar 2011 21:01:53 GMT LCMember1607 2011-03-02T21:01:53Z https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43230#M31709 <HTML><HEAD></HEAD><BODY><P>Message =</P><P>IKE phase-1 negotiation is succeeded as initiator, main mode. Established SA:</P><P>IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA:</P><P>IKE protocol notification message received: INVALID-ID-INFORMATION (18). </P></BODY></HTML> Wed, 02 Mar 2011 21:01:53 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43230#M31709 LCMember1607 2011-03-02T21:01:53Z https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43231#M31710 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Confirm we have the correct local and remote proxy Id's from the ASA configured on the PAN. <BR />If we can get the tunnel to be initiated from the ASA the PAN system logs should give us more detail as to the configuration option we need to adjust.</P><P></P><P>*Proxy id's are needed when building a tunnel to other devices that use policy based VPN, we use route based vpn's</P><P></P><P>*There would have to be a proxy id entry for each network</P><P></P><P>Here's an example of PAN to ISA config:</P><P></P><P><A class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-1328">https://live.paloaltonetworks.com/docs/DOC-1328</A></P><P></P><P></P><P>-Renato&nbsp;&nbsp;&nbsp; </P></BODY></HTML> Wed, 02 Mar 2011 21:53:48 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43231#M31710 gswcowboy 2011-03-02T21:53:48Z https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43232#M31711 <HTML><HEAD></HEAD><BODY><P>Also, get the ASA5505 administrator to confirm he hasn't done soemthing "funky' with the tunnel name.</P><P></P><P>There's a "feature" in Cisco firewalls which require the tunnel ID ont he PIX/ASA to be the IP address of the remote end - just the IP address, *not* a name or anything else - or else phase 2 fails.</P><P></P><P>This one bit me in the backside badly in a past life.</P><P></P><P>Cheers.</P></BODY></HTML> Wed, 02 Mar 2011 22:03:23 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43232#M31711 dagibbs 2011-03-02T22:03:23Z https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43233#M31712 <HTML><HEAD></HEAD><BODY><P>I have found in previous tests I need to set the exchange mode to aggressive mode.</P><P>Then, even though aggressive mode expects the IP address as the authentication, Cisco will send an FQDN instead.</P><P></P><P>This command might give you some more info :</P><P>less mp-log ikemgr.log (see whole log)</P><P>tail mp-log ikemgr.log (go to end of log)</P><P>tail follow yes mp-log ikemgr.log (show log in real time)</P><P></P><P>There are further CLI commands to check the VPN status in the VPN config/tech note docs.</P><P></P><P>Thanks</P><P>James</P></BODY></HTML> Wed, 02 Mar 2011 22:31:30 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43233#M31712 James 2011-03-02T22:31:30Z https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43234#M31713 <HTML><HEAD></HEAD><BODY><P>Thanks, I set up the proxies and the tunnel is up.</P><P></P><P>Now I think I may have a nat issue.</P><P></P><P>Any NAT configs on hand for asa&lt;-&gt;pan?</P><P></P><P>Thanks.</P></BODY></HTML> Thu, 03 Mar 2011 19:53:32 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43234#M31713 LCMember1607 2011-03-03T19:53:32Z https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43235#M31714 <HTML><HEAD></HEAD><BODY><P> Hi Bill,</P><P>How did you set up the proxies? I got the same error between PAN4020 and ASA5510</P><P>Thanks.</P><P></P><P>Leo</P><P><A href="mailto:lle@socccd.edu">lle@socccd.edu</A></P></BODY></HTML> Wed, 28 Sep 2011 16:20:43 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43235#M31714 leole 2011-09-28T16:20:43Z https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43236#M31715 <HTML><HEAD></HEAD><BODY><P>IPSec tunnel.</P><P>Show advanced options</P><P>select the correct IKE Gateway, under IPSec Crypto Profile add a Proxy ID with the Local ID&nbsp; being either a subnet or device IP that you are allowing access to on the PAN side and a Remote ID being either a subnet or device IP on the ASA side.</P></BODY></HTML> Wed, 28 Sep 2011 16:37:28 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43236#M31715 LCMember1607 2011-09-28T16:37:28Z https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43237#M31716 <HTML><HEAD></HEAD><BODY><P>FYI</P><P></P><P></P><P>There's limit of 10 Proxy per tunnel.</P></BODY></HTML> Thu, 29 Sep 2011 13:36:13 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43237#M31716 friento 2011-09-29T13:36:13Z https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43238#M31717 <HTML><HEAD></HEAD><BODY><P>Thank you&nbsp; Bill,</P><P>It works for me.</P><P></P><P>Leo</P></BODY></HTML> Thu, 29 Sep 2011 17:21:09 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-failing-with-an-asa5505/m-p/43238#M31717 leole 2011-09-29T17:21:09Z