VPN Tunnel Down Between Palo Alto Networks Firewall Static IP Address and Cisco VTI on Dynamic IP Address
53377
Created On 09/25/18 17:39 PM - Last Modified 06/08/23 09:59 AM
Symptom
Site-to-Site IPSec VPN has been configured between a Palo Alto Networks firewall and a Cisco router. However, the VTI VPN tunnel does not come up.
Cause
The issue may be due to a mismatch between the IKE Phase 1 Local Identification and Peer Identification configured on the two ends: the identity one side sends is not the identity the other side expects, so Phase 1 never completes and the tunnel stays down.
Resolution
- Configure the Palo Alto Networks firewall (Network > IKE Gateways > Configure IKE Gateway) as in the example below. Ensure that the Local Identification and Peer Identification match the values configured on the Cisco router.
  Note: Use Aggressive exchange mode and enable Passive Mode if the other end has a dynamic IP address. With a dynamic peer the firewall cannot initiate the tunnel, and Main Mode with a pre-shared key identifies the peer by its IP address, which is not known in advance. Choose a Local and Peer Identification for IKE Phase 1 and match them in the Cisco router configuration.
- With the Cisco router in VTI mode, configure the IKE gateway (see the example below). Again, ensure that the Local and Peer Identification match those on the Palo Alto Networks firewall.
- With the Cisco router in the equivalent crypto map mode, configure the IKE gateway (see the example below).
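The following is an added configuration example, not the screenshots from the original article and not vendor-provided code, showing the two ends of the VTI design described above with the Phase 1 identities lined up. All values are constructed: the firewall's static address 203.0.113.10 (documentation range), the router identity branch-rtr.example.com, the interface names, the tunnel addresses, the profile and gateway names, and the key string REPLACE-WITH-PSK are placeholders. The PAN-OS set-command paths are written from memory of the PAN-OS CLI and should be checked against your release.

```text
! ---- Cisco IOS router on a dynamic WAN address: IKEv1 aggressive mode, VTI ----
! Constructed values throughout; 203.0.113.10 stands for the firewall's static address.
hostname branch-rtr
ip domain name example.com
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! The pre-shared key is keyed to the firewall's address, the only fixed address here.
crypto keyring KR-PAN
 pre-shared-key address 203.0.113.10 key REPLACE-WITH-PSK
!
! Phase 1 identities: the router sends its FQDN (hostname.domain = branch-rtr.example.com)
! and expects the firewall to identify itself by its address 203.0.113.10.
crypto isakmp profile ISAKMP-PAN
 keyring KR-PAN
 self-identity fqdn
 match identity address 203.0.113.10 255.255.255.255
 initiate mode aggressive
!
crypto ipsec transform-set TS-PAN esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PAN
 set transform-set TS-PAN
 set isakmp-profile ISAKMP-PAN
!
! Virtual tunnel interface; the router always initiates because its address can change.
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PAN
!
# ---- Palo Alto Networks firewall on static address 203.0.113.10 (PAN-OS set commands) ----
# Lines beginning with '#' are explanation only and are not PAN-OS CLI input.
# Crypto profiles mirror the Cisco ISAKMP policy and transform set (no PFS on the Cisco side).
set network ike crypto-profiles ike-crypto-profiles IKE-CRYPTO-BRANCH encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles IKE-CRYPTO-BRANCH hash sha256
set network ike crypto-profiles ike-crypto-profiles IKE-CRYPTO-BRANCH dh-group group14
set network ike crypto-profiles ike-crypto-profiles IKE-CRYPTO-BRANCH lifetime hours 8
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-CRYPTO-BRANCH esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-CRYPTO-BRANCH esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-CRYPTO-BRANCH dh-group no-pfs
# IKE gateway: aggressive exchange, passive (peer address is dynamic, so the firewall waits),
# and the same identities as seen from the other side:
#   local = 203.0.113.10 (type ipaddr)   <-> Cisco "match identity address 203.0.113.10"
#   peer  = branch-rtr.example.com (fqdn) <-> Cisco "self-identity fqdn"
set network ike gateway IKE-GW-BRANCH protocol ikev1 exchange-mode aggressive
set network ike gateway IKE-GW-BRANCH protocol ikev1 ike-crypto-profile IKE-CRYPTO-BRANCH
set network ike gateway IKE-GW-BRANCH protocol-common passive-mode yes
set network ike gateway IKE-GW-BRANCH authentication pre-shared-key key REPLACE-WITH-PSK
set network ike gateway IKE-GW-BRANCH local-address interface ethernet1/1
set network ike gateway IKE-GW-BRANCH peer-address dynamic
set network ike gateway IKE-GW-BRANCH local-id type ipaddr id 203.0.113.10
set network ike gateway IKE-GW-BRANCH peer-id type fqdn id branch-rtr.example.com
# Route-based tunnel bound to the gateway, terminating on tunnel.1 (the VTI equivalent).
set network interface tunnel units tunnel.1 ip 10.255.0.1/30
set network tunnel ipsec VPN-BRANCH auto-key ike-gateway IKE-GW-BRANCH
set network tunnel ipsec VPN-BRANCH auto-key ipsec-crypto-profile IPSEC-CRYPTO-BRANCH
set network tunnel ipsec VPN-BRANCH tunnel-interface tunnel.1
```

The point of the pairing is the last two ike gateway lines: the firewall's local-id must be exactly what the router's match identity expects, and the firewall's peer-id must be exactly what the router sends as self-identity, down to the identity type (ipaddr versus fqdn). The tunnel.1 interface still needs to be placed in a security zone and a virtual router, and a route for the remote subnets pointed at it, before traffic flows. To check the result, watch Phase 1 on the router with show crypto isakmp sa and Phase 2 with show crypto ipsec sa; on the firewall, show vpn ike-sa gateway IKE-GW-BRANCH and show vpn ipsec-sa show the negotiated SAs, and tail follow yes mp-log ikemgr.log during a negotiation attempt shows the identity that actually arrived, which is the quickest way to spot a remaining ID mismatch.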
owner: jlunario