https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-from-remote-asa-only-one-of-three-proxy-ids-working/m-p/421678#M93987 <P>I have a couple sites with multiple networks being tunneled via IPSEC. Only the first network that is accessed is working. It will not negotiate the second Proxy ID.&nbsp; I tried following directions from the link below, but still only the first network that I ping is accessible . It is an IPSEC tunnel between a PA running 9.0 and an ASA running 9.1.</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHACA0&amp;lang=en_US" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHACA0&amp;lang=en_US</A></P><P>&nbsp;</P><P>Do you know how to resolve this issue?</P><P>&nbsp;</P><P>Thank you for any direction you are able to provide</P> Fri, 23 Jul 2021 14:46:26 GMT Cris_Collins 2021-07-23T14:46:26Z https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-from-remote-asa-only-one-of-three-proxy-ids-working/m-p/223617#M64287 <P>Has anyone had an issue where a tunnel is configured with multiple proxy-id's for a policy-based peer, but a working security association is formed for only one of them?</P><P>&nbsp;</P><P>I have a number of ASA 5505s that need to connect to my new Palo Altos from remote locations, where they mostly get dynamic, NATed, non-routable IPs. After more faffing about than expected, I've reached the point where I have two nice, green dots in Network/IPSec Tunnels. Turns out, though, that that's kind of misleading.</P><P>&nbsp;</P><P>Each tunnel has three proxy-ids, one for each of the big blocks of non-routable space. They look like this:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16038i6721058ABBC19668/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="image.png" alt="image.png" /></span></P><P>The IKE security association gets set up without any issue.</P><P>&nbsp;</P><P>The IPSec SA for selector pair c is also forming just fine, and passing traffic. I think it couldn't be doing that unless most of the configuration was OK?</P><P>&nbsp;</P><P>As far as I can see, b never tries to negotiate at all.</P><P>&nbsp;</P><P>A is the oddest case. I see a security association on both the ASA and the Palo Alto. The SPIs match. All the parameters match. But traffic doesn't move in either direction. On both devices I can see the count of encap packets increasing (so routing and blocking must be OK, traffic's entering the tunnel), but decap packets never moves from zero on either side.</P><P>&nbsp;</P><P>I thought I'd seen most IPSec failure modes, but I've never seen anything like that.</P><P>&nbsp;</P><P>I'd thought I might be triggering some weirdness with the overlapping address space for the remote /27 and 172.16/12, even though that's the connection that worked. Wasn't sure it could be the issue since so many folks use 0.0.0.0/0, but I tried removing it anyhow. It didn't make any difference to the behavior of the other SAs.</P><P>&nbsp;</P><P>I'm utterly at a loss with this one. Ticket is open with support, but it would sure make my day if someone recognizes these symptoms.</P><P>&nbsp;</P><P>Here are the selector configurations from both devices. Maybe (hopefully) I'm just doing something dumb?</P><P>&nbsp;</P><P>&nbsp;</P><PRE>ASA: object network 10dot subnet 10.0.0.0 255.0.0.0 object network 192dot subnet 192.168.0.0 255.255.0.0 object network 172dot subnet 172.16.0.0 255.240.0.0 ...<BR />object-group network InternalNets<BR />&nbsp;network-object object 10dot<BR />&nbsp;network-object object 192dot<BR />&nbsp;network-object object 172dot<BR />... access-list outside_cryptomap_1 extended permit ip 172.19.29.192 255.255.255.224 object-group InternalNets ... crypto map outside_map 2 match address outside_cryptomap_1 ... PA: set network tunnel ipsec Prop_IPsec_999 auto-key proxy-id a protocol any set network tunnel ipsec Prop_IPsec_999 auto-key proxy-id a local 10.0.0.0/8 set network tunnel ipsec Prop_IPsec_999 auto-key proxy-id a remote 172.19.29.192/27 set network tunnel ipsec Prop_IPsec_999 auto-key proxy-id b protocol any set network tunnel ipsec Prop_IPsec_999 auto-key proxy-id b local 192.168.0.0/16 set network tunnel ipsec Prop_IPsec_999 auto-key proxy-id b remote 172.19.29.192/27 set network tunnel ipsec Prop_IPsec_999 auto-key proxy-id a protocol any set network tunnel ipsec Prop_IPsec_999 auto-key proxy-id c local 172.16.0.0/12 set network tunnel ipsec Prop_IPsec_999 auto-key proxy-id c remote 172.19.29.192/27</PRE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 26 Jul 2018 01:25:09 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-from-remote-asa-only-one-of-three-proxy-ids-working/m-p/223617#M64287 CHoldredge 2018-07-26T01:25:09Z https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-from-remote-asa-only-one-of-three-proxy-ids-working/m-p/223638#M64291 What PAN-OS version is running on your firewall? Thu, 26 Jul 2018 07:26:18 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-from-remote-asa-only-one-of-three-proxy-ids-working/m-p/223638#M64291 Remo 2018-07-26T07:26:18Z https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-from-remote-asa-only-one-of-three-proxy-ids-working/m-p/223665#M64299 <P>It's on 8.1.2</P> Thu, 26 Jul 2018 13:03:15 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-from-remote-asa-only-one-of-three-proxy-ids-working/m-p/223665#M64299 CHoldredge 2018-07-26T13:03:15Z https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-from-remote-asa-only-one-of-three-proxy-ids-working/m-p/421678#M93987 <P>I have a couple sites with multiple networks being tunneled via IPSEC. Only the first network that is accessed is working. It will not negotiate the second Proxy ID.&nbsp; I tried following directions from the link below, but still only the first network that I ping is accessible . It is an IPSEC tunnel between a PA running 9.0 and an ASA running 9.1.</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHACA0&amp;lang=en_US" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHACA0&amp;lang=en_US</A></P><P>&nbsp;</P><P>Do you know how to resolve this issue?</P><P>&nbsp;</P><P>Thank you for any direction you are able to provide</P> Fri, 23 Jul 2021 14:46:26 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-from-remote-asa-only-one-of-three-proxy-ids-working/m-p/421678#M93987 Cris_Collins 2021-07-23T14:46:26Z https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-from-remote-asa-only-one-of-three-proxy-ids-working/m-p/421723#M93994 <P>Enabling PFS and setting the Deffie Hellman and changing from IKEv2 to IKEv1 resolved the issue.</P> Fri, 23 Jul 2021 17:25:10 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-from-remote-asa-only-one-of-three-proxy-ids-working/m-p/421723#M93994 Cris_Collins 2021-07-23T17:25:10Z https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-from-remote-asa-only-one-of-three-proxy-ids-working/m-p/560849#M113676 <P>Check PFS on both sides, I suspect you have PFS enable in one side and disabled in the other side.</P> Fri, 06 Oct 2023 16:47:15 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-tunnel-from-remote-asa-only-one-of-three-proxy-ids-working/m-p/560849#M113676 gihernandez 2023-10-06T16:47:15Z