<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: IKEv2 Site to Site VPN to Cisco ASA5540 in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-to-cisco-asa5540/m-p/164516#M53076</link>
    <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/51040"&gt;@ansharma&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks for the reply. I would have done that ... but the impact on existing tunnels (not to Cisco ASA firewalls) was just too big, so we had to downgrade pretty fast. So unfortunately we're not able to provide logs/techsupportfiles ...&lt;/P&gt;&lt;P&gt;I already told &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608"&gt;@reaper&lt;/a&gt;&amp;nbsp;about this so PAN at least somehow already knows about this, but I understand without actual logs it is difficult to troubleshoot ... the only way is to reproduce the issue.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Remo&lt;/P&gt;</description>
    <pubDate>Tue, 04 Jul 2017 15:13:17 GMT</pubDate>
    <dc:creator>Remo</dc:creator>
    <dc:date>2017-07-04T15:13:17Z</dc:date>
    <item>
      <title>IKEv2 Site to Site VPN to Cisco ASA5540</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-to-cisco-asa5540/m-p/158597#M51912</link>
      <description>&lt;P&gt;Hi folks,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Are there any Cisco ASA specialists out there?&lt;/P&gt;&lt;P&gt;We have a problem with a site to site vpn connection between paloalto and an ASA 5540. Actually the problem seems to be on the ASA side.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The proxy id's on the PA are configured like this:&lt;/P&gt;&lt;P&gt;Remote (ASA): 0.0.0.0/0&lt;/P&gt;&lt;P&gt;Local: 1 private /24 subnet&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As described in the title, we use IKEv2. Now everything works as expected when the tunnel is initiated from our paloalto. Phase1 &amp;amp; 2 will be brought up with the configured settings and subnets.&lt;/P&gt;&lt;P&gt;But, when Cisco ASA is the initiator it simply ignores the configured phase 2 subnets and uses a /32 host address as their local proxy id and our correct /24 subnet as remote id. Because of the fact that palo accepts this phase 2 request with IKEv2 the vpn is connected successfully. The problem then starts when a second host behind the ASA tries to communicate over the VPN tunnel. Then the ASA tries to initiate another phase 2 with the new source host ip as phase 2 network. This is also working but then the already established phase 2 will be kicked away by PaloAlto and from then on the first host is no longer able to communicate over the tunnel.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Is anyone familiar with this problem or even better, knows how to fix this?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Remo&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;PS: I already had exactly this issue 2 months ago with another Cisco ASA. There we went back to IKEv1 which solved the problem and the ASA was using the statically configured subnets instead of host addresses ... but unfortunately this is no option for this customer ...&lt;/P&gt;</description>
      <pubDate>Mon, 29 May 2017 10:16:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-to-cisco-asa5540/m-p/158597#M51912</guid>
      <dc:creator>Remo</dc:creator>
      <dc:date>2017-05-29T10:16:51Z</dc:date>
    </item>
    <item>
      <title>Re: IKEv2 Site to Site VPN to Cisco ASA5540</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-to-cisco-asa5540/m-p/158611#M51918</link>
      <description>&lt;P&gt;Hey vsys_remo,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Sorry to be the bearer of bad news but you are hitting a bug expected to be fixed in 8.0.3/7.1.11.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The only way to get this working would be to&amp;nbsp;make PA the initiator. The other option would have been to use IKEv1 (which can't be).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Anurag&lt;/P&gt;</description>
      <pubDate>Mon, 29 May 2017 14:24:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-to-cisco-asa5540/m-p/158611#M51918</guid>
      <dc:creator>ansharma</dc:creator>
      <dc:date>2017-05-29T14:24:25Z</dc:date>
    </item>
    <item>
      <title>Re: IKEv2 Site to Site VPN to Cisco ASA5540</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-to-cisco-asa5540/m-p/158617#M51923</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/51040"&gt;@ansharma&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Bad luck &lt;span class="lia-unicode-emoji" title=":face_with_tongue:"&gt;😛&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;At least we now know that we don't have to further troubleshoot the issue.&lt;/P&gt;&lt;P&gt;So I assume 8.0.3 will be released in about 2 weeks, right? (Assuming the normal releases every 6 weeks)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Do you have more technical details regarding this bug? Because so far I don't fully understand how this could be fixed from PAN, because so far it only looked like the ASA is using these host-IP's for phase 2. So if cisco is doing nothing wrong and uses 0.0.0.0/0 as local network, how can palo use the host-ip for the ipsec-sa, which it does not know at that point of the tunnel setup process? And it also looks like this problem is specifically showing up in IKEv2 tunnels to cisco ASA and no other vendors, which again makes no sense to me &lt;span class="lia-unicode-emoji" title=":face_with_tongue:"&gt;😛&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Anyway, thank you Anurag for the information.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Remo&lt;/P&gt;</description>
      <pubDate>Mon, 29 May 2017 15:19:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-to-cisco-asa5540/m-p/158617#M51923</guid>
      <dc:creator>Remo</dc:creator>
      <dc:date>2017-05-29T15:19:26Z</dc:date>
    </item>
    <item>
      <title>Re: IKEv2 Site to Site VPN to Cisco ASA5540</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-to-cisco-asa5540/m-p/158618#M51924</link>
      <description>&lt;P&gt;vsys_remo,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I can't go into details at the moment. Haven't seen this issue with another vendor yet.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;And yes, 8.0.3 &lt;U&gt;should&lt;/U&gt; be out in the 2nd-3rd week of June.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Anurag&lt;/P&gt;</description>
      <pubDate>Mon, 29 May 2017 15:33:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-to-cisco-asa5540/m-p/158618#M51924</guid>
      <dc:creator>ansharma</dc:creator>
      <dc:date>2017-05-29T15:33:21Z</dc:date>
    </item>
    <item>
      <title>Re: IKEv2 Site to Site VPN to Cisco ASA5540</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-to-cisco-asa5540/m-p/163218#M52863</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/51040"&gt;@ansharma&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have no evidence that it is really this, but I assume this fix has now introduced other IKEv2 problems. After the upgrade to Version 8.0.3 we started seeing other IKEv2 problems, so far "only" with PFSense firewalls. As I have seen, the problem happens at rekey time. So there was an existing tunnel, but when the other side tries to renegotiate everything, PaloAlto cannot match the proposed phase 2 networks to the configured ones, even though the proposal and the configuration have exactly the same parameters.&lt;/P&gt;&lt;P&gt;--&amp;gt; The tunnel ONLY comes up when the existing SA's are manually cleared.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Remo&lt;/P&gt;</description>
      <pubDate>Mon, 26 Jun 2017 11:20:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-to-cisco-asa5540/m-p/163218#M52863</guid>
      <dc:creator>Remo</dc:creator>
      <dc:date>2017-06-26T11:20:17Z</dc:date>
    </item>
    <item>
      <title>Re: IKEv2 Site to Site VPN to Cisco ASA5540</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-to-cisco-asa5540/m-p/164514#M53075</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592"&gt;@Remo&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Sorry for the late reply, I have been busy with other things. I've not yet come across issues with 8.0.3 pertaining to IKEv2. I'd suggest you get a case open with TAC and we can have a look at the issue.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Anurag&lt;/P&gt;</description>
      <pubDate>Tue, 04 Jul 2017 14:51:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-to-cisco-asa5540/m-p/164514#M53075</guid>
      <dc:creator>ansharma</dc:creator>
      <dc:date>2017-07-04T14:51:53Z</dc:date>
    </item>
    <item>
      <title>Re: IKEv2 Site to Site VPN to Cisco ASA5540</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-to-cisco-asa5540/m-p/164516#M53076</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/51040"&gt;@ansharma&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks for the reply. I would have done that ... but the impact on existing tunnels (not to Cisco ASA firewalls) was just too big, so we had to downgrade pretty fast. So unfortunately we're not able to provide logs/techsupportfiles ...&lt;/P&gt;&lt;P&gt;I already told &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608"&gt;@reaper&lt;/a&gt;&amp;nbsp;about this so PAN at least somehow already knows about this, but I understand without actual logs it is difficult to troubleshoot ... the only way is to reproduce the issue.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Remo&lt;/P&gt;</description>
      <pubDate>Tue, 04 Jul 2017 15:13:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-to-cisco-asa5540/m-p/164516#M53076</guid>
      <dc:creator>Remo</dc:creator>
      <dc:date>2017-07-04T15:13:17Z</dc:date>
    </item>
  </channel>
</rss>

