IKE phase 1 not working

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

IKE phase 1 not working

L2 Linker

I'm trying to setup a site-to-site VPN between Palo 820 and a Cisco ASA.

 

I've checked the configs and both are matching OK with correct PSK. I've configured the proxy IDs accordingly. I don't have access to the Cisco ASA as this is on the customer side however they sent me the config so I can confirm that crypto settings, psk are matching.

 

The issue is that the initial IKE phase 1 is not coming up at all. Everything is red under Network-> IPSec tunnels.

 

I've done a packet capture on the outside interface and I can see the inbound IKE_SA_INIT packet hitting the firewall. However I don't see any packet leaving the firewall responding to this...


I have a security policy, first entry, allowing OUTSIDE source ASA_TUNNEL_PUBLIC_IP to OUTSIDE PALO_PUBLIC_IP. This rule allows ALL service types, so is not blocking IKE or IPSec. I can see that this rule is being hit and the traffic is allowed. This should be allowing the negotiation to take place to bring up the tunnel.

 

In monitor -> system I'm seeing the following but It gives me no information if this is referring to the the IKE gateway that i'm troubleshooting (it is the only IKE gateway configured on the firewall).

 

2023/03/20 13:37:17 info routing routed- 0 Route daemon configuration load phase-2 succeeded.
2023/03/20 13:37:17 info vpn ike-con 0 IKE daemon configuration load phase-2 succeeded.
2023/03/20 13:37:17 info ras rasmgr- 0 RASMGR daemon configuration load phase-2 succeeded.
2023/03/20 13:37:17 info satd satd-co 0 SATD daemon configuration load phase-2 succeeded.
2023/03/20 13:37:17 info sslmgr sslmgr- 0 SSLMGR daemon configuration load phase-2 succeeded.

 

If the above is true then the tunnel should be up. But it isn't...

 

Also on the cli "show vpn ike-sa" shows nothing. I've also run a global debug on IKE and when viewing ikemgr.log I don't have anything at all useful pointing to what the issue could be.

 

Any Ideas?

2 REPLIES 2

L2 Linker

Also, If i do test vpn ike-sa gateway "name of gateway" nothing happens. I do not see any traffic being sent when doing a packet capture on the outside interface and looking at the "transmit" phase.

Where does the Palo source the traffic from when testing the gateway? I'm assuming from the outside interface as specified in the IKE Gateway config? So I'm confused as to why I'm not seeing anything leaving the firewall

L2 Linker

Going to reply here for someone else that perhaps makes the same absolute rookie mistake as I did.

 

Make sure that your IPSec Tunnel is actually enabled!!! The only indication in the GUI is that the text is slightly greyed out.

 

Once I'd enabled it. Boom. Everything came up.

  • 4101 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!