IKE phase 2 failing with an asa5505

L3 Networker

Message:

IKE phase-1 negotiation is succeeded as initiator, main mode. Established SA:

IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA:

IKE protocol notification message received: INVALID-ID-INFORMATION (18).

Accepted Solution

L6 Presenter

Hi,

Confirm we have the correct local and remote Proxy IDs from the ASA configured on the PAN.
If we can get the tunnel to be initiated from the ASA the PAN system logs should give us more detail as to the configuration option we need to adjust.

*Proxy IDs are needed when building a tunnel to other devices that use policy-based VPN; we use route-based VPNs.

*There would have to be a Proxy ID entry for each network.

Here's an example of PAN to ISA config:

https://live.paloaltonetworks.com/docs/DOC-1328

-Renato

8 Replies


L4 Transporter

Also, get the ASA5505 administrator to confirm he hasn't done something "funky" with the tunnel name.

There's a "feature" in Cisco firewalls which requires the tunnel ID on the PIX/ASA to be the IP address of the remote end - just the IP address, *not* a name or anything else - or else phase 2 fails.

This one bit me in the backside badly in a past life.

Cheers.

L4 Transporter

I have found in previous tests I need to set the exchange mode to aggressive mode.

Then, even though aggressive mode expects the IP address as the authentication, Cisco will send an FQDN instead.

These commands might give you some more info:

less mp-log ikemgr.log (see whole log)

tail mp-log ikemgr.log (go to end of log)

tail follow yes mp-log ikemgr.log (show log in real time)

There are further CLI commands to check the VPN status in the VPN config/tech note docs.

Thanks

James

Thanks, I set up the proxies and the tunnel is up.

Now I think I may have a NAT issue.

Any NAT configs on hand for ASA<->PAN?

Thanks.

Hi Bill,

How did you set up the proxies? I got the same error between a PAN 4020 and an ASA5510.

Thanks.

Leo

lle@socccd.edu

IPSec tunnel > Show advanced options:

Select the correct IKE Gateway, then under IPSec Crypto Profile add a Proxy ID with the Local ID being either a subnet or device IP that you are allowing access to on the PAN side and a Remote ID being either a subnet or device IP on the ASA side.

FYI

There's a limit of 10 Proxy IDs per tunnel.
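As an added example (not code from the thread or from Palo Alto Networks), a small Python checker that applies the advice in the accepted solution and in the walkthrough above: it derives the Proxy IDs the PAN would need from an ASA crypto-map ACL, flips the ASA's source/destination into the PAN's local/remote view, reports the selector mismatches that surface as INVALID-ID-INFORMATION in phase 2, flags the 10-Proxy-ID limit, and checks that the ASA tunnel-group name is a bare IP address. The ACL name, addresses and Proxy IDs are constructed sample values.

```python
import ipaddress

# Constructed sample data (not from the thread): Proxy IDs configured on the
# PAN side as (local, remote), and the ASA crypto-map ACL for the same peer.
PAN_PROXY_IDS = [
    ("10.1.0.0/24", "192.168.5.0/24"),
    ("10.1.1.0/24", "192.168.5.0/24"),
]
ASA_CRYPTO_ACL = [
    "access-list VPN_TO_PAN extended permit ip 192.168.5.0 255.255.255.0 10.1.0.0 255.255.255.0",
    "access-list VPN_TO_PAN extended permit ip host 192.168.5.10 10.1.2.0 255.255.255.0",
]

def _acl_net(tokens, i):
    """Parse one ACL address field at tokens[i]; return (network, tokens used)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), 2

def parse_asa_acl(line):
    """Return (asa_side, pan_side) networks from an ASA 'permit ip' ACL line."""
    t = line.split()
    i = t.index("ip") + 1
    src, used = _acl_net(t, i)
    dst, _ = _acl_net(t, i + used)
    return src, dst

def expected_pan_proxy_ids(acl_lines):
    """Flip the ASA view: PAN local = ACL destination, PAN remote = ACL source."""
    return {(str(dst), str(src)) for src, dst in map(parse_asa_acl, acl_lines)}

def check_proxy_ids(pan_ids, acl_lines, limit=10):
    """Report selector mismatches that show up as INVALID-ID-INFORMATION."""
    pan = {(str(ipaddress.ip_network(l)), str(ipaddress.ip_network(r)))
           for l, r in pan_ids}
    asa = expected_pan_proxy_ids(acl_lines)
    return {
        "missing_on_pan": sorted(asa - pan),  # ASA proposes these; PAN has no match
        "extra_on_pan": sorted(pan - asa),    # PAN proposes these; ASA has no match
        "over_limit": len(pan) > limit,       # thread: 10 Proxy IDs per tunnel
    }

def tunnel_group_is_ip(name):
    """ASA LAN-to-LAN tunnel-group name must be the peer's bare IP address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False
```

Run `check_proxy_ids(PAN_PROXY_IDS, ASA_CRYPTO_ACL)` to see which Proxy ID the PAN still needs (10.1.2.0/24 to host 192.168.5.10) and which one the ASA ACL never covers (10.1.1.0/24).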

Thank you Bill,

It works for me.

Leo
