topic Re: IPSec VPN phase2 partial up in General Topics

IPSec VPN phase2 partial up

DongQu — Thu, 22 Apr 2021 14:48:49 GMT

hello everyone

I have a IPSec tunnel with Cisco ASA, and the proxy-id config is:

entry1: local 1.1.1.1 remote 2.2.2.2

entry2: local 1.1.1.1 remote 2.2.2.3

The very annoying things the phase2 is partial UP, when "show vpn flow", either entry1 is active and entry2 is inactive OR entry2 is active or entry1 is inactive.

Is this due to the incorrect config in somewhere?

Thanks

Re: IPSec VPN phase2 partial up

aleksandar.astardzhiev — Thu, 22 Apr 2021 15:49:00 GMT

Hi @DongQu ,

Most probably you don't have constant traffic running for both remote networks.

If you see both active at different time this means negotiation is successfull for both and if there is real traffic tunnel should be fine.

Re: IPSec VPN phase2 partial up

DongQu — Fri, 23 Apr 2021 01:40:34 GMT

hi @aleksandar.astardzhiev

I tried to use "test vpn ipsec-sa tunnel" to Initiate the IPSec SA, after 1 of them getting "active", the other 1 cannot get up anymore.

Re: IPSec VPN phase2 partial up

nikoolayy1 — Fri, 23 Apr 2021 07:29:18 GMT

First your proxy id seems wrong as it should be the private sybnets that are internal for the firewalls (also check the ipsec timers if they match like the "lifetime"):

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ3CAK

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClE6CAK

If you still have issue:

%%%%%%%%%%%%%%%%%%%%%%%

Can you make the Palo Alto the responder as this way you will get more data in the GUI System log (or Globalprotect log in newer version)?

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMZCA0

Also you can do a debug on the ikemgr:

> debug ike global on debug
> less mp-log ikemgr.log

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

Also check if DPD is disabled as maybe the ASA may have issues with it and test without it.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFaCAK

%%%%%%%%%%%%%%%%%%%%%%%%

Re: IPSec VPN phase2 partial up

DongQu — Fri, 23 Apr 2021 13:23:33 GMT

the palo told me that the DH group for the phase2 needs to use group 20 with Cisco while have multiple proxy-id, I was using group5.

The issue was gone after changing to group 20.

Re: IPSec VPN phase2 partial up

aleksandar.astardzhiev — Fri, 23 Apr 2021 15:30:25 GMT

Hi @DongQu ,

I am not sure I understadn your last comment.

Run

> test vpn ipsec-sa tunnel tu-ITIVIT:tu-ITIVIT
> show vpn flow

What is that status of this tunnel?

Immediately run

> test vpn ipsec-sa tunnel tu-ITIVIT:tu-ITIVIT-2
> show vpn flow

What is the status of second tunnel?

If you execute "test vpn" for both proxy-id immediately one after another, are one still showing inactive?

Have you checked the logs? Go to system logs (where the ipsec s2s log are located) and you can add this filter

( object contains tu-ITIVIT )

Re: IPSec VPN phase2 partial up

DongQu — Fri, 23 Apr 2021 15:34:35 GMT

while using the DH is group5 on the PA and Cisco ASA

> test vpn ipsec-sa tunnel tu-ITIVIT:tu-ITIVIT
> show vpn flow

What is that status of this tunnel? ------ tu-ITIVIT:tu-ITIVIT -----> active

Immediately run

> test vpn ipsec-sa tunnel tu-ITIVIT:tu-ITIVIT-2
> show vpn flow

What is the status of second tunnel? --------- tu-ITIVIT:tu-ITIVIT-2------> inactive

after changing DH to group20 on both sides.

> test vpn ipsec-sa tunnel tu-ITIVIT:tu-ITIVIT
> show vpn flow

What is that status of this tunnel? ------ tu-ITIVIT:tu-ITIVIT -----> active

Immediately run

> test vpn ipsec-sa tunnel tu-ITIVIT:tu-ITIVIT-2
> show vpn flow

What is the status of second tunnel? --------- tu-ITIVIT:tu-ITIVIT-2------> active