topic PA to Cisco 5505 VPN tunnel in General Topics

PA to Cisco 5505 VPN tunnel

infotech — Wed, 04 Jun 2014 19:51:04 GMT

When trying to configure a site to site VPN tunnel from a PA 3020 to a Cisco 5505 firewal I am getting th following messages on the Cisco firewall

received encrypted packet with no matching sa dropping

all ipsec proposals found unacceptable

Re: PA to Cisco 5505 VPN tunnel

HULK — Wed, 04 Jun 2014 19:57:42 GMT

Hello Infotech,

Could you please clear the IKE and IPSec security association (SA) on both firewalls and then initiate the tunnel once again.

For example, in PAN FW:

clear vpn ike-sa gateway XXXXX

Delete IKEv1 IKE SA: Total 1 gateways found.

> clear vpn ipsec-sa tunnel XXXXXX

Delete IKEv1 IPSec SA: Total 1 tunnels found.

> test vpn ike-sa gateway XXXXXX

Initiate IKE SA: Total 1 gateways found. 1 ike sa found.

> test vpn ipsec-sa tunnel XXXXXX

Initiate IPSec SA: Total 1 tunnels found. 1 ipsec sa found.

Also, verify if there are any IKE session in discard state between the gateways.

Thanks

Re: PA to Cisco 5505 VPN tunnel

infotech — Wed, 04 Jun 2014 20:46:24 GMT

I cleared on the PA side but have to lookup how to do it on the Cisco side

This is what I got when I did the test vpn ipsec-sa tunnel

Initiate IPSec SA: Total 12 tunnels found. 12 ipsec sa found.

Re: PA to Cisco 5505 VPN tunnel

knarra1 — Thu, 05 Jun 2014 04:23:11 GMT

Looks like you might have mismatch between the proposals configured between the two devices . Make sure the proposals chosen on both sides are matching ( Encryption, Authentication, DH Group , life time and life size)

Re: PA to Cisco 5505 VPN tunnel

infotech — Thu, 05 Jun 2014 12:57:00 GMT

That was my first thought and I could be missing something but they look the same as far as I can tell. It looks like to me it is failing on phase 2 any suggestion on where else to look on the PA or the Cisco I would appreciate

Re: PA to Cisco 5505 VPN tunnel

jcostello — Thu, 05 Jun 2014 13:18:36 GMT

Have you reviewed the IKE log on the 3020

from the CLI

less mp-log ikemgr.log

What do you have set for your proxy-ids on your 3020?

Re: PA to Cisco 5505 VPN tunnel

infotech — Thu, 05 Jun 2014 13:25:14 GMT

Here is the result of running less mp-log ikemge.log

2014-06-04 21:11:32 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:00299ee1552db716:80142a8d6f5a61d8 <====

2014-06-04 21:11:42 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:00299ee1552db716:80142a8d6f5a61d8 <====

2014-06-04 21:11:45 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=69d80199e1a26574 e572d79797571b2d (size=16).

2014-06-04 21:11:52 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:00299ee1552db716:80142a8d6f5a61d8 <====

2014-06-04 21:12:01 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====

====> Failed SA: 66.94.196.107[500]-66.94.196.108[500] message id:0x17F5E673 <==== Due to negotiation timeout.

2014-06-04 21:12:01 [INFO]: IPsec-SA request for 66.94.196.108 queued since no phase1 found

2014-06-04 21:12:01 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====

====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:0000000000000000 <====

2014-06-04 21:12:01 [INFO]: received Vendor ID: FRAGMENTATION

2014-06-04 21:12:01 [INFO]: received Vendor ID: CISCO-UNITY

2014-06-04 21:12:01 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt

2014-06-04 21:12:01 [INFO]: received Vendor ID: DPD

2014-06-04 21:12:01 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====

====> Established SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 lifetime 28800 Sec <====

2014-06-04 21:12:01 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====

====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0x23521A9E <====

2014-06-04 21:12:01 [PROTO_NOTIFY]: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=880e62bac918006c 454780c80ace55a4 (size=16).

2014-06-04 21:12:02 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:00299ee1552db716:80142a8d6f5a61d8 <====

2014-06-04 21:12:02 [INFO]: ====> PHASE-1 SA DELETED <====

====> Deleted SA: 66.94.196.107[500]-66.94.196.108[500] cookie:00299ee1552db716:80142a8d6f5a61d8 <====

2014-06-04 21:12:02 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 <====

2014-06-04 21:12:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=25802d7bf6eca062 ba158c53d96c1487 (size=16).

2014-06-04 21:12:12 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 <====

2014-06-04 21:12:22 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 <====

2014-06-04 21:12:31 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====

====> Failed SA: 66.94.196.107[500]-66.94.196.108[500] message id:0x23521A9E <==== Due to negotiation timeout.

2014-06-04 21:12:32 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 <====

2014-06-04 21:12:32 [INFO]: ====> PHASE-1 SA DELETED <====

====> Deleted SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 <====

2014-06-04 21:12:40 [INFO]: IPsec-SA request for 66.94.196.108 queued since no phase1 found

2014-06-04 21:12:40 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====

====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] cookie:588677c88a7381ca:0000000000000000 <====

2014-06-04 21:12:40 [INFO]: received Vendor ID: FRAGMENTATION

2014-06-04 21:12:40 [INFO]: received Vendor ID: CISCO-UNITY

2014-06-04 21:12:40 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt

2014-06-04 21:12:40 [INFO]: received Vendor ID: DPD

2014-06-04 21:12:40 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====

====> Established SA: 66.94.196.107[500]-66.94.196.108[500] cookie:588677c88a7381ca:ed7b7952f6d3b488 lifetime 28800 Sec <====

2014-06-04 21:12:40 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====

====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0xA0ED9187 <====

2014-06-04 21:12:40 [PROTO_NOTIFY]: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=588677c88a7381ca ed7b7952f6d3b488 (size=16).

2014-06-04 21:12:41 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:588677c88a7381ca:ed7b7952f6d3b488 <====

2014-06-04 21:12:51 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:588677c88a7381ca:ed7b7952f6d3b488 <====

2014-06-04 21:13:01 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:588677c88a7381ca:ed7b7952f6d3b488 <====

2014-06-04 21:13:10 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====

====> Failed SA: 66.94.196.107[500]-66.94.196.108[500] message id:0xA0ED9187 <==== Due to negotiation timeout.

2014-06-04 21:13:11 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

Re: PA to Cisco 5505 VPN tunnel

jcostello — Thu, 05 Jun 2014 13:49:13 GMT

Phase 2 Mismatch

notification message 14:NO-PROPOSAL-CHOSEN

What is the transform set on the ASA for this network?

What is your corresponding IPSEC policy on the 3020?

Sample IPSec Tunnel Configuration - Palo Alto Networks Firewall to Cisco ASA

Re: PA to Cisco 5505 VPN tunnel

infotech — Thu, 05 Jun 2014 14:01:11 GMT

What is the transform set on the ASA for this network? ESP-AES-256-SHA (IKEv1) PFS-group1 (looking in the crypto maps)

What is your corresponding IPSEC policy on the 3020? ESP-AES-Sha1 (ipsec crypto)

Re: PA to Cisco 5505 VPN tunnel

jcostello — Thu, 05 Jun 2014 14:24:46 GMT

IPSEC Crypto Profile on PA defaults to group-2 (group 1, group-2, group-5 and group-14 are available)

The ASA is indicating group 1

Re: PA to Cisco 5505 VPN tunnel

infotech — Thu, 05 Jun 2014 14:36:24 GMT

I have the ipsec crypto set to group 1

Re: PA to Cisco 5505 VPN tunnel

jcostello — Thu, 05 Jun 2014 15:03:21 GMT

From the 3020 CLI - please provide the output for your profile configured for IPSEC

set cli config-output-format set

configure

show network ike crypto-profiles ipsec-crypto-profiles

from the ASA

gather the line that starts with crypto ipsec transform-set that is configured for the crypto map

Thanks

Re: PA to Cisco 5505 VPN tunnel

infotech — Thu, 05 Jun 2014 15:16:28 GMT

Here is from the PA

[edit]
admin@PA-3020_DR# show network ike crypto-profiles ipsec-crypto-profiles profiles
[edit]
admin@PA-3020_DR# show network ike crypto-profiles ipsec-crypto-profiles
set network ike crypto-profiles ipsec-crypto-profiles default esp encryption [ aes128 3des ]
set network ike crypto-profiles ipsec-crypto-profiles default esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles default dh-group group2
set network ike crypto-profiles ipsec-crypto-profiles default lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Peoria_IPSec_Profile esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles Peoria_IPSec_Profile esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles Peoria_IPSec_Profile lifetime hours 8
set network ike crypto-profiles ipsec-crypto-profiles Peoria_IPSec_Profile dh-group group1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto dh-group group1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto-1 esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto-1 esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto-1 lifetime hours 8
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto-1 dh-group group1
[edit]
admin@PA-3020_DR#

Cisco - I am not 100% sure what you are asking me to do here so I just look in the ASDM under site to site vpn\configuration cryptop maps

transform set ikev1 ESP-AES-256-SHA

Re: PA to Cisco 5505 VPN tunnel

jcostello — Thu, 05 Jun 2014 17:48:29 GMT

On the ASA CLI or the configuration output I was looking for the assigned transform set

Which of the crypto profiles on the 3020 is assigned to the VPN that is having issues

Re: PA to Cisco 5505 VPN tunnel

infotech — Thu, 05 Jun 2014 19:38:00 GMT

right now its this one

set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto lifetime hours 1

But I also tried this one too

set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto-1 dh-group group1

Re: PA to Cisco 5505 VPN tunnel

jcostello — Thu, 05 Jun 2014 20:20:01 GMT

can you grab and clean up (replace any public IPs with something else i.e replace the Cisco address with Cisco-Address) the following from the 3020

show network tunnel ipsec (only need the lines for the tunnel having issues)

show network ike crypto-profiles ike-crypto-profiles

show network ike gateway (only need the gateway associated with this connection)

From the ASA - connect to ssh or console

show run

find the related Cisco command from this article - Sample IPSec Tunnel Configuration - Palo Alto Networks Firewall to Cisco ASA for the VPN

Re: PA to Cisco 5505 VPN tunnel

infotech — Thu, 05 Jun 2014 20:54:10 GMT

This may take me awhile

I tried to do a

show network ike crypto-profiles ike-crypto-profiles

on the 3020 it gave me an invalid syntax

Re: PA to Cisco 5505 VPN tunnel

jcostello — Fri, 06 Jun 2014 12:32:27 GMT

try just show network ike crypto-profiles

Re: PA to Cisco 5505 VPN tunnel

infotech — Fri, 06 Jun 2014 12:51:17 GMT

I do not find an option for show network on the PA 3020 unless I am in the wrong place in the cli

Re: PA to Cisco 5505 VPN tunnel

jcostello — Fri, 06 Jun 2014 13:22:39 GMT

are you in configure mode?