We have successful tunnels to our VPC and traffic is passing. We used the AWS downloaded config to guide us on the PAN side. Now when I change the IKE and IPsec settings to different ciphers, say from aes128 to aes256, the tunnel stays up and is established but we cannot pass traffic.
Anyone else run into this?
Thanks in advance!
What version of PAN-OS software are you running on the firewall? Is it a VM-Series firewall or a physical firewall?
On our side we are running a physical PAN with 8.0.14 code. On the AWS side it's the built-in AWS connectors.
I've never seen any issue like that with our VM-Series firewalls. I don't deal with the physical firewalls but the IPsec/IKE engine should be the same.
Have you tried clearing the tunnel and reestablishing the IPsec tunnel? If so and that didn't resolve the issue, I would suggest opening up a case with support.
Thanks for the suggestion. It didn't work so I opened a support case. I'll post the solution when we find one.
Ok so weird settings, who knows where the real issue is since AWS is a black box.
These are OK as aes-256-cbc, sha256, DH group14
aes-256-cbc, sha1, DH group 14.
So it was the SHA version on the IPsec config that was causing the issues. Won't do sha256 but still establishes the tunnel.
Gotta love interoperability....