https://live.paloaltonetworks.com/t5/general-topics/pa-to-asa-proxy-id-mismatch/m-p/211556#M61714 <P>Hi Remo,</P><P>&nbsp;</P><P>After updating our firewall cluster to 7.1.16, the issue with ProxyID mismatch has been resolved. Thanks for the help!</P><P>&nbsp;</P><P>-josh</P> Tue, 24 Apr 2018 16:22:31 GMT cenduit_jgolden 2018-04-24T16:22:31Z https://live.paloaltonetworks.com/t5/general-topics/pa-to-asa-proxy-id-mismatch/m-p/208252#M60969 <P>Hi all,</P><P>&nbsp;</P><P>We have a standard IPSec tunnel one of our smaller sites with a strange issue related to the Proxy-IDs defined on the PA side of the tunnel. Our ASA side (10.7.0.0/16) is set to inherit all policy settings from the PA side, and our PA defines the "policies" with the Proxy-ID. Normal behavior with a policy based firewall (ASA) and a route based firewall (PA).&nbsp;</P><P>&nbsp;</P><P>The issue is that while two of the networks defined on the PA side Proxy IDs are match the tunnel details on the ASA, the third network does not. Traffic from the 10.0.0.0/8 and 192.168.0.0/16 supernets is allowed over the tunnel without issue; however, the 172.16.0.0/12 supernet shows up on the ASA's as a smaller, but valid, subnet within the 172.16.0.0/12 supernet and only to one specific host. This is preventing anything in our 172 networks from accessing the site&nbsp;due to a mismatch in the negotiated session.<BR /><BR /></P><P>A quick note. Our PA is using SW version 7.1.10. In this version, we have seen some "ghosting" where some changes are not properly removed from the config file; as in objects still existing after removal, routes existing after removal, etc, so this may be related. We are upgrading this OS during our next maintenance window to 7.1.16.</P><P>&nbsp;</P><P>Screenshots are below. I have also used proxy-ID local 0.0.0.0/0 but the results remain unchanged.&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PA_Proxy-ID_Details.PNG" style="width: 719px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14585i03062D28E3136860/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="PA_Proxy-ID_Details.PNG" alt="PA_Proxy-ID_Details.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="All of the networks match the PaloAlto Proxy-IDs except for the 172 network." style="width: 725px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14588i83BC06AFA796DFD9/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="ASA_Ses_Details.PNG" alt="All of the networks match the PaloAlto Proxy-IDs except for the 172 network." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">All of the networks match the PaloAlto Proxy-IDs except for the 172 network.</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ASA_Ses_Details.PNG" style="width: 0px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14586i48D0E5C9773092B2/image-size/small/is-moderation-mode/true?v=v2&amp;px=200" width="0" height="0" role="button" title="ASA_Ses_Details.PNG" alt="ASA_Ses_Details.PNG" /></span></P><P>&nbsp;Thank you!</P><P>&nbsp;</P><P>- Edit: a word</P> Fri, 30 Mar 2018 17:15:17 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-to-asa-proxy-id-mismatch/m-p/208252#M60969 cenduit_jgolden 2018-03-30T17:15:17Z https://live.paloaltonetworks.com/t5/general-topics/pa-to-asa-proxy-id-mismatch/m-p/208283#M60972 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/85075">@cenduit_jgolden</a></P><P><BR />Probably the only solution for you is upgrading to something higher than 7.1.10. The issue you are facing is fixed in 7.1.11.</P><P>&nbsp;</P><PRE>PAN-77127 Fixed&nbsp;an&nbsp;issue&nbsp;where&nbsp;the&nbsp;firewall&nbsp;reduced&nbsp;the&nbsp;range&nbsp;of&nbsp;local&nbsp;and&nbsp;remote<BR />IKEv2&nbsp;traffic selectors&nbsp;in&nbsp;a&nbsp;way&nbsp;that&nbsp;disrupted&nbsp;traffic&nbsp;in&nbsp;a&nbsp;VPN&nbsp;tunnel<BR />that&nbsp;a&nbsp;Cisco&nbsp;Adaptive&nbsp;Security&nbsp;Appliance&nbsp;(ASA)&nbsp;initiated.</PRE><P><BR />So upgradin to 7.1.16 is a good idea, that will solve the issue.</P><P>(<A href="https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os-release-notes/pan-os-7-1-11-addressed-issues#_11590" target="_blank">https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os-release-notes/pan-os-7-1-11-addressed-issues#_11590</A>).</P><P>&nbsp;</P><P>Another workaround would be changing the tunnel to IKEv1.</P><P>&nbsp;</P><P>(Ok, there is a very little chance that you have found another problem, but I am pretty sure that your issue is fixed after the upgrade becaue I had exactly the same issue a while ago)</P><P>&nbsp;</P><P>Regards,</P><P>Remo</P> Fri, 30 Mar 2018 17:13:29 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-to-asa-proxy-id-mismatch/m-p/208283#M60972 Remo 2018-03-30T17:13:29Z https://live.paloaltonetworks.com/t5/general-topics/pa-to-asa-proxy-id-mismatch/m-p/208284#M60973 <P>Thanks for the insight Remo. I'll monitor this and update the post once we have upgraded.</P><P>&nbsp;</P><P>Cheers!</P><P>&nbsp;</P><P>-josh</P> Fri, 30 Mar 2018 17:16:23 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-to-asa-proxy-id-mismatch/m-p/208284#M60973 cenduit_jgolden 2018-03-30T17:16:23Z https://live.paloaltonetworks.com/t5/general-topics/pa-to-asa-proxy-id-mismatch/m-p/211556#M61714 <P>Hi Remo,</P><P>&nbsp;</P><P>After updating our firewall cluster to 7.1.16, the issue with ProxyID mismatch has been resolved. Thanks for the help!</P><P>&nbsp;</P><P>-josh</P> Tue, 24 Apr 2018 16:22:31 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-to-asa-proxy-id-mismatch/m-p/211556#M61714 cenduit_jgolden 2018-04-24T16:22:31Z