03-02-2011 01:01 PM
Message =
IKE phase-1 negotiation is succeeded as initiator, main mode. Established SA:
IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA:
IKE protocol notification message received: INVALID-ID-INFORMATION (18).
03-02-2011 01:53 PM
Hi,
Confirm we have the correct local and remote Proxy IDs from the ASA configured on the PAN.
If we can get the tunnel to be initiated from the ASA, the PAN system logs should give us more detail as to the configuration option we need to adjust.
*Proxy IDs are needed when building a tunnel to other devices that use policy-based VPN; we use route-based VPNs
*There would have to be a Proxy ID entry for each network
Here's an example of PAN to ISA config:
https://live.paloaltonetworks.com/docs/DOC-1328
-Renato
03-02-2011 02:03 PM
Also, get the ASA5505 administrator to confirm he hasn't done something "funky" with the tunnel name.
There's a "feature" in Cisco firewalls which requires the tunnel ID on the PIX/ASA to be the IP address of the remote end - just the IP address, *not* a name or anything else - or else phase 2 fails.
This one bit me in the backside badly in a past life.
Cheers.
03-02-2011 02:31 PM
I have found in previous tests I need to set the exchange mode to aggressive mode.
Then, even though aggressive mode expects the IP address as the authentication, Cisco will send an FQDN instead.
These commands might give you some more info:
less mp-log ikemgr.log (see whole log)
tail mp-log ikemgr.log (go to end of log)
tail follow yes mp-log ikemgr.log (show log in real time)
There are further CLI commands to check the VPN status in the VPN config/tech note docs.
Thanks
James
03-03-2011 11:53 AM
Thanks, I set up the proxies and the tunnel is up.
Now I think I may have a nat issue.
Any NAT configs on hand for asa<->pan?
Thanks.
09-28-2011 09:20 AM
Hi Bill,
How did you set up the proxies? I got the same error between PAN4020 and ASA5510
Thanks.
Leo
09-28-2011 09:37 AM
IPSec tunnel.
Show advanced options
select the correct IKE Gateway, under IPSec Crypto Profile add a Proxy ID with the Local ID being either a subnet or device IP that you are allowing access to on the PAN side and a Remote ID being either a subnet or device IP on the ASA side.
09-29-2011 06:36 AM
FYI
There's a limit of 10 Proxy IDs per tunnel.
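As an added example (not code from any post in this thread or from Palo Alto Networks), the following script turns the ASA administrator's crypto-map ACL into the per-network Proxy IDs the posts above call for, emitting PAN-OS CLI `set` lines for an IPSec tunnel, and then compares a set of Proxy IDs already configured on the PAN against the ASA's ACEs to show which pair has no exact counterpart, the mismatch behind the INVALID-ID-INFORMATION (18) notification in the original post. The ASA ACL text, the addresses, the tunnel name `asa-tunnel`, the Proxy ID names `proxy-N`, the exact-match rule, and the per-tunnel limit of 10 taken from the FYI above are all constructed assumptions for this example; confirm the limit for your platform.

```python
"""
Derive PAN-OS Proxy IDs from an ASA crypto-map ACL and check them for the
phase-2 selector mismatch that produces INVALID-ID-INFORMATION (18).

Added example for this thread, not code from the original posts or from
Palo Alto Networks. The ACL text, addresses, tunnel name and the per-tunnel
limit of 10 (quoted from the thread) are constructed assumptions.
"""
import ipaddress
import re

# Constructed ASA crypto-map ACL, as the ASA administrator would show it.
# ASA ACLs use subnet masks (not wildcard masks); "host" means a single address.
ASA_ACL = """\
access-list PAN-VPN extended permit ip 192.168.10.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list PAN-VPN extended permit ip host 192.168.10.50 10.30.1.0 255.255.255.0
access-list PAN-VPN extended permit ip 192.168.11.0 255.255.255.0 10.20.0.0 255.255.0.0
"""

# One access-control entry: permit ip <src> <dst>, where each side is
# "host A.B.C.D", "any", or "A.B.C.D MASK".
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)\s+"
    r"(?P<dst>host\s+\S+|any|\S+\s+\S+)\s*$"
)


def _to_network(token: str) -> ipaddress.IPv4Network:
    """Translate an ASA address token into an IPv4Network."""
    parts = token.split()
    if parts[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.IPv4Network(f"{parts[1]}/32")
    addr, mask = parts
    # strict=True rejects an ACE whose address has host bits set under its mask
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)


def parse_asa_acl(text: str) -> list[tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]:
    """Return (asa_src, asa_dst) pairs for every 'permit ip' ACE in the ACL."""
    pairs = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # remarks, deny entries and non-IP ACEs are not selectors
        pairs.append((_to_network(m["src"]), _to_network(m["dst"])))
    return pairs


def within_limit(asa_pairs, limit: int = 10) -> bool:
    """True if one Proxy ID per ACE fits the per-tunnel limit (10 per the thread)."""
    return len(asa_pairs) <= limit


def pan_proxy_ids(asa_pairs, tunnel: str, limit: int = 10) -> list[str]:
    """
    Emit PAN-OS CLI 'set' lines, one Proxy ID per ACE. Seen from the PAN, the
    ASA's destination is the local ID and the ASA's source is the remote ID.
    """
    if not within_limit(asa_pairs, limit):
        raise ValueError(f"{len(asa_pairs)} Proxy IDs exceed the limit of {limit} per tunnel")
    lines = []
    for i, (asa_src, asa_dst) in enumerate(asa_pairs, start=1):
        lines.append(
            f"set network tunnel ipsec {tunnel} auto-key proxy-id proxy-{i} "
            f"local {asa_dst} remote {asa_src} protocol any"
        )
    return lines


def check_proxy_ids(pan_ids, asa_pairs):
    """
    Compare the PAN's configured (local, remote) Proxy IDs with the ASA's ACEs.
    Returns (pan_entries_without_match, asa_entries_missing_on_pan). The exact
    match rule is a conservative assumption: a Proxy ID that is a subset of an
    ACE (e.g. /24 where the ASA has /16) is treated as a mismatch, which is the
    kind of difference that fails quick mode with INVALID-ID-INFORMATION.
    """
    asa_as_pan = {(str(dst), str(src)) for src, dst in asa_pairs}
    pan_set = {(str(local), str(remote)) for local, remote in pan_ids}
    return sorted(pan_set - asa_as_pan), sorted(asa_as_pan - pan_set)


if __name__ == "__main__":
    pairs = parse_asa_acl(ASA_ACL)
    for cmd in pan_proxy_ids(pairs, "asa-tunnel"):
        print(cmd)
    # Constructed "wrong" PAN config: first Proxy ID uses /24 where the ASA has /16.
    configured = [
        ("10.20.0.0/24", "192.168.10.0/24"),
        ("10.30.1.0/24", "192.168.10.50/32"),
        ("10.20.0.0/16", "192.168.11.0/24"),
    ]
    extra, missing = check_proxy_ids(configured, pairs)
    print("On PAN but not in ASA ACL:", extra)
    print("In ASA ACL but missing on PAN:", missing)
```

Run it against the real `show run access-list <name>` output from the ASA; the generated lines go into PAN-OS configure mode, followed by `commit`. Note that the PAN's local/remote roles are the reverse of the ASA's source/destination, which is the easiest place to get a single ACE wrong.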
09-29-2011 10:21 AM
Thank you Bill,
It works for me.
Leo