topic Re: IPSEC vpn between cisco 2900 and PAN in General Topics

IPSEC vpn between cisco 2900 and PAN

epeeler — Mon, 13 Sep 2021 12:30:42 GMT

Hi everyone,

I'm trying to setup a route based IPSEC tunnel between my PAN 3020 and Cisco 2900 router. I'm getting a parameter mismatch on on the ipsec lifesize parameter and don't know how to fix it.

The Cisco peer appears to be wanting a lifesize setting of 4608000KB but the PAN won't let you set it that high. I've tried setting it with the equivalent MB setting on the PAN but I'm still getting the mismatch. Does anyone know how to change this setting on the Cisco side? I can't seem to find the right command.

This is what I see on the PAN. I am not the admin for the Cisco router.

Any ideas?

2021-09-10 16:36:10.645 -0500 [PNTF]: { 2: }: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: <redacted>[500]-<redacted>[500] message id:0x4B3D3BCC <====
2021-09-10 16:36:10.646 -0500 [PNTF]: { 2: 11}: simultaneous phase-2 rekey request detected, peer is not PANOS. delay processing this new request(isakmp message-id 0x4B3D3BCC).
2021-09-10 16:36:10.646 -0500 [PERR]: { : 11}: lifesize 4608000 KB
2021-09-10 16:36:10.646 -0500 [PERR]: { : 11}: not matched
2021-09-10 16:36:10.646 -0500 [PERR]: { : 11}: no suitable policy found.
2021-09-10 16:36:10.646 -0500 [ERR ]: { : 11}: failed to pre-process packet.
2021-09-10 16:36:10.703 -0500 [INFO]: { 2: }: IKE ISAKMP KEY_DELETE recvd: cookie:490a0356f9c07229:aaa5e1482371a0a4.
98%

Re: IPSEC vpn between cisco 2900 and PAN

PavelK — Mon, 13 Sep 2021 13:29:36 GMT

Thank you @epeeler for posting question.

This is the default value in Cisco IOS: crypto ipsec security-association lifetime kilobytes 4608000

In order to change it, please go to configuration mode, then issue: crypto ipsec security-association lifetime kilobytes <2560-4294967295>

Kind Regards

Pavel

Re: IPSEC vpn between cisco 2900 and PAN

aleksandar.astardzhiev — Mon, 13 Sep 2021 14:25:29 GMT

Hey @epeeler ,

That is intersting. Up to this point I was living with the impression that lifesize mistmatch should not effect phase negotiation, similar to lifetime.

If lifetime is configured differently on both end of the tunnel, tunnel will be negotiated successfully, but you will experiance some issues with the traffic.

While I agree with @PavelK and you should definately fix the mistmatch, I am little sceptic as this is the actual reason for failing tunnel negotiation. In addition using MB on Palo, should be exactly the same, as the IPsec standard is actually using KB, so in the background Palo should convert the MB and sent the equivalent KB.

Are you sure all other settings matching phase2 settings? You will notice that Palo support CBC and GCM modes for the encryption algorithms, while I am not sure if Cisco is supporting GCM you may want to check if Palo is using CBC.

Re: IPSEC vpn between cisco 2900 and PAN

epeeler — Mon, 13 Sep 2021 15:41:47 GMT

First of all, thank you both for taking the time to respond. The issue did indeed end up being a parameter other than lifesize being mismatched. I had not turned on ike debugging on the PAN and so the messages I was seeing in the log while correct, didn't necessarily correspond to each other. Once I enabled detailed debugging I could see what the actual mismatch was which ended up being the hash setting for the phase 2 connection.

Moral of the story here...even though you're seeing log entries for phase 1 and phase 2 negotiation, if you don't turn on debug for ike, you're not getting the full story.

Again, thank you both very much.