I have two VM-50 v9.01, one in SiteA and another in SiteB. I set up an IPsec tunnel between them with IKEv1: phase 1 (aggressive mode) and phase 2 (quick mode) with ESP. It works fine and I am able to ping from a VLAN in SiteA to another VLAN in SiteB.
I wanted to test AH instead of ESP. However, every time I want to send a ping from SiteA to SiteB, the firewall in SiteB crashes and generates a core file.
If I perform a "test vpn ike-sa gateway mygateway" and "test vpn ipsec-sa myipsec" it works fine and I can see the SA created in both firewalls. However, when I send a packet from SiteA to SiteB, I can see the packet leaving the firewall in SiteA with the appropriate AH header inserted. But as soon as the packet arrives at the firewall in SiteB, it crashes.
I can provide pcaps and core files, or anything you may need to help me.
Has anybody tried to do the same?
Any help would be appreciated.
It would be odd to have two PA devices utilize AH. I would open a ticket with support and see if they can duplicate the issue; it sounds like it may be a bug with 9.0
Hmmm, as I said in my description, I am in a lab environment and I wanted to test different configurations to make sure that I'm doing things right. I don't think that support would accept my issue as a "ticket"... It would be nice if anyone could try to set up AH between two Palo Altos and keep me posted if it works for them.