topic Re: Site to Site VPN with error Failed SA in General Topics

Site to Site VPN with error Failed SA

MohamedSharief — Thu, 22 Dec 2016 12:55:25 GMT

Hi,

We have configured a site to site vpn between palo alto and cisco ASA. However, both sites are static and PA is the intiator, ACL is configured properly on Cisco side but I got the error:

"IKE Phase-2 negotiation is failed as initiator, quick mode, Failed SA: 213.42.x.x [4500] - 185.141.x.x [4500] message id:xxxxx. Due to negotiation timeout".

Proxy IDs on PA is:- Local: 10.12.20.11 Remote: 192.168.248.215

ACL on Cisco: access-list TEST extended permit ip object NETWORK_OBJ_192.168.248.215 object TEST_OBJECT

Where TEST_OBJECT is 10.12.20.11

I tried a different transform-set on both sides but still the same.

Currently on PA: 3des-SHA1-DH5 life time 1 day

Currently on Cisco:

crypto map FEWA_IPSEC_MAP 4 match address TEST

crypto map FEWA_IPSEC_MAP 4 set pfs group5
crypto map FEWA_IPSEC_MAP 4 set peer 213.42.x.x
crypto map FEWA_IPSEC_MAP 4 set ikev1 transform-set ESP-3DES-SHA-TRANS
crypto map FEWA_IPSEC_MAP 4 set security-association lifetime seconds 86400

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

Usually when I troubleshoot cisco side I don't have the transform-set ending with TRANS but as the client said its just a "name" for the transform-set. Can anyone with Cisco experience confirm this?

Regards,

Sharief

Re: Site to Site VPN with error Failed SA

MohamedSharief — Wed, 21 Dec 2016 12:07:55 GMT

Logs on Cisco (responder):

5|Dec 20 2016|15:10:06|713119|||||Group = 213.42.x.x, IP = 213.42.x.x, PHASE 1 COMPLETED

6|Dec 20 2016|15:10:06|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = 213.42.x.x

6|Dec 20 2016|15:10:06|713905|||||Group = 213.42.x.x, IP = 213.42.x.x, Floating NAT-T from 213.42.x.x port 500 to 213.42.x.x port 4500

6|Dec 20 2016|15:10:06|713172|||||Group = 213.42.x.x, IP = 213.42.x.x, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device

5|Dec 20 2016|15:09:47|713904|||||IP = 213.42.x.x, Received encrypted packet with no matching SA, dropping

5|Dec 20 2016|15:09:39|713904|||||IP = 213.42.x.x, Received encrypted packet with no matching SA, dropping

5|Dec 20 2016|15:09:34|713904|||||IP = 213.42.x.x, Received encrypted packet with no matching SA, dropping

5|Dec 20 2016|15:09:31|713904|||||IP = 213.42.x.x, Received encrypted packet with no matching SA, dropping

4|Dec 20 2016|15:09:29|113019|||||Group = 213.42.x.x, Username = 213.42.x.x, IP = 213.42.x.x, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

5|Dec 20 2016|15:09:29|713259|||||Group = 213.42.x.x, IP = 213.42.x.x, Session is being torn down. Reason: Phase 2 Mismatch

3|Dec 20 2016|15:09:29|713902|||||Group = 213.42.x.x, IP = 213.42.x.x, Removing peer from correlator table failed, no match!

3|Dec 20 2016|15:09:29|713902|||||Group = 213.42.x.x, IP = 213.42.x.x, QM FSM error (P2 struct &0x00007fff985da760, mess id 0xa5f29183)!

5|Dec 20 2016|15:09:29|713904|||||Group = 213.42.x.x, IP = 213.42.x.x, All IPSec SA proposals found unacceptable!

Regards,

Sharief

Re: Site to Site VPN with error Failed SA

TranceforLife — Wed, 21 Dec 2016 12:16:22 GMT

https://blog.webernetz.net/2014/01/27/ipsec-site-to-site-vpn-palo-alto-cisco-asa/

Do you have your Proxy ID configured on PA?

Due to negotiation timeout > indicated Proxy ID issue

https://live.paloaltonetworks.com/t5/Management-Articles/IPSec-VPN-Error-IKE-Phase-2-Negotiation-is-Failed-as-Initiator/ta-p/60725

Thx,

Myky

Re: Site to Site VPN with error Failed SA

MohamedSharief — Wed, 21 Dec 2016 12:17:30 GMT

Hi TranceForLife,

Yes. Local: 10.20.12.11 Remote: 192.168.248.215

Re: Site to Site VPN with error Failed SA

TranceforLife — Wed, 21 Dec 2016 12:21:25 GMT

Oh missed that bit. Ok. Can you put PA in passive mode and get ikemgr.log ? So palo will be responder . Also can you post ikemgr.log file output

Re: Site to Site VPN with error Failed SA

MohamedSharief — Wed, 21 Dec 2016 12:32:23 GMT

Hi TranceForLife,

Client want PA to be the initiator only. They cannot initiate from Cisco side.

ikemgr.log will be posted soon.

Re: Site to Site VPN with error Failed SA

BPry — Wed, 21 Dec 2016 14:44:23 GMT

Just as an FYI it's always easier in these types of situations to have the PA be the responder instead of the initiator. The ikemgr.log will help determine where things are actually getting held up.

Re: Site to Site VPN with error Failed SA

MohamedSharief — Thu, 22 Dec 2016 07:27:48 GMT

Hi BPry,

Yes I know that but things doesn't work like that here, if the client (cirtical government entity) said he want us to be the initiator then that's it.

Below is the ikemgr.log he sent to me:

admin@DC-FW01(active)> tail follow yes mp-log ikemgr.log
4f9020db 78c9ff8e 464ffb6c 7b9d0d7a c8a994df 45e3c063 6e53b252 250b51a0
38d09ca4 9dc1b5f2 61f58a4e db939b4c 94f8628e d179a88f 79efdd98
2016-12-13 13:35:32 [DEBUG]: isakmp_inf.c:807:isakmp_info_send_common(): sendto Information notify.
2016-12-13 13:35:32 [DEBUG]: oakley.c:3345:oakley_delivm(): IV freed
2016-12-13 13:35:32 [DEBUG]: isakmp_inf.c:1577:isakmp_info_recv_r_u(): received a valid R-U-THERE, ACK sent
2016-12-13 13:35:32 [PROTO_NOTIFY]: isakmp_inf.c:1161:isakmp_info_recv_n(): notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=6bcbcec39d54fe73 f93698142a05fcbe (size=16).
2016-12-13 13:35:35.342 +0400 debug: ifmon_request_put(daemon/panike_sysd_if.c:1391): 16 write to pipe: debug_level
2016-12-13 13:35:35.342 +0400 debug: ifmon_request_get(daemon/panike_sysd_if.c:1407): 16 read from pipe, msg type 1
2016-12-13 13:35:35.342 +0400 debug: pan_msg_process(daemon/panike_sysd_if.c:1529): request from pipe: debug_level
2016-12-13 13:35:35 [INFO]: panike_sysd_impl.c:206:panike_debug_level_cb(): panike_debug_level_cb 5 => 0

Regards,

Sharief

Re: Site to Site VPN with error Failed SA

santonic — Thu, 22 Dec 2016 07:36:49 GMT

Check if Cisco is maybe trying to initiate route based or GRE type of tunnel.

Re: Site to Site VPN with error Failed SA

TranceforLife — Thu, 22 Dec 2016 12:19:59 GMT

Hi,

Not sure if you have posted a full pahace 2 config:

//IPsec phase 1 configuration (IKEv1)

ciscoasa(config)# crypto ikev1 policy 1
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# encryption aes-256
ciscoasa(config-ikev1-policy)# hash sha
ciscoasa(config-ikev1-policy)# group 5
ciscoasa(config-ikev1-policy)# lifetime 3600
ciscoasa(config-ikev1-policy)# exit
ciscoasa(config)# crypto ikev1 enable outside

//Define transform-set using AES-256 and SHA-1

ciscoasa(config)# crypto ipsec ikev1 transform-set aesset esp-aes-256 esp-sha-hmac

//Define access-list for local and remote network

ciscoasa(config)# access-list ipsec_access_list extended permit ip 10.1.1.0 255.255.255.0 192.168.30.0 255.255.255.0

//IPsec phase 2 configuration

ciscoasa(config)# crypto map ipsecmap 1 match address ipsec_access_list
ciscoasa(config)# crypto map ipsecmap 1 set peer 210.211.10.1
ciscoasa(config)# crypto map ipsecmap 1 set ikev1 transform-set aesset
ciscoasa(config)# crypto map ipsecmap 1 set pfs group5
ciscoasa(config)# crypto map ipsecmap 1 set security-association lifetime seconds 28800
ciscoasa(config)# crypto map ipsecmap interface outside

Cannot see ACL (match address) TEST within your configuration.

We definitely got Phase 2 mismatch so need to look here. And yes TRANS is just a name of the transform-set

Re: Site to Site VPN with error Failed SA

MohamedSharief — Thu, 22 Dec 2016 12:54:01 GMT

Hi TranceforLife,

Its is there but I forgot to copy it, sorry for that.

ciscoasa(config)# crypto map ipsecmap interface outside << this one is missing from the configurations I received from Cisco client.

Regards,

Sharief

Re: Site to Site VPN with error Failed SA

BPry — Thu, 22 Dec 2016 13:47:19 GMT

If the Cisco side of things doesn't specify which interface the crypto map is assigned to that is likely a very large part of your issue.

Re: Site to Site VPN with error Failed SA

TranceforLife — Thu, 22 Dec 2016 14:42:19 GMT

Dont have much experience on s2s vpn from the Cisco side but interesting that P1 is coming up Okay but l am with you as it is actually within Phase 2 configuration. So P1 coming up no probs but P2 ....

Re: Site to Site VPN with error Failed SA

MohamedSharief — Thu, 22 Dec 2016 14:28:57 GMT

Interesting points guys. Let me verify with ASA end.

Regards,

Sharief

Re: Site to Site VPN with error Failed SA

MohamedSharief — Mon, 26 Dec 2016 06:40:46 GMT

Hi,

crypto map FEWA_IPSEC_MAP interface outside <<< found this in the configurations so its not the reason.

Asked them to clear the SA from cisco side and try initiating traffic again from PA.

Regards,

Sharief

Re: Site to Site VPN with error Failed SA

MohamedSharief — Mon, 26 Dec 2016 11:11:14 GMT

Hi,

Just a quick update. The client sent the "complete" configurations on ASA and we found the following:

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

PAN doesn't support transport mode and its only works with tunnel mode.

After removing this command the tunnel came up.

Thanks for your help.

Regards,

Sharief