10-05-2022 10:41 AM
Hey all,
Long time reader, first-time poster here!
I'm slowly migrating all my Cisco ASA VPN tunnels to my PAs running 8.1.5 (planning to upgrade) and I'm using Panorama 10.0.10 to do this. Everything seems to be going okay except I have a few tunnels that have PFS disabled and no DH group assigned on my Cisco ASA. These tunnels are up and functioning on the Cisco ASA, but I can't seem to get the configuration to commit when I attempt to create the tunnel on the PA with no DH group under network profiles >IKE Crytpo.
I receive a validation error and the commit fails and the setting doesn't get pushed to the firewalls.
I've reached out to support and they suggest adding a DH group, but I'll need to coordinate with these vendors to do so, so I was hoping there was a way around this.
Thanks in advance,
Kevin
10-05-2022 02:31 PM
Hi @KevinMedeiros ,
Thanks for posting! To my knowledge a DH group is necessary to complete the IKE crypto configuration. We aren't able to click Ok if it isn't specified.
10-05-2022 06:23 PM
I've ran into this in a few migrations, and unfortunately the answer really is to get the vendor to update things on their end as you migrate things. I've had a few instances where we needed to keep an ASA in the mix for a bit as we worked through getting all of the B2B tunnels migrated. Wish I had a better answer for you.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
