IKE phase 2 failing with an asa5505

LCMember1607
L3 Networker

IKE phase 2 failing with an asa5505

Message:

IKE phase-1 negotiation is succeeded as initiator, main mode. Established SA:

IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA:

IKE protocol notification message received: INVALID-ID-INFORMATION (18).


Accepted Solutions
gswcowboy
L6 Presenter

Hi,

Confirm we have the correct local and remote proxy IDs from the ASA configured on the PAN.
If we can get the tunnel to be initiated from the ASA, the PAN system logs should give us more detail about the configuration option we need to adjust.

*Proxy IDs are needed when building a tunnel to other devices that use policy-based VPN; we use route-based VPNs.

*There would have to be a proxy id entry for each network

Here's an example of PAN to ISA config:

https://live.paloaltonetworks.com/docs/DOC-1328

-Renato   



All Replies

dagibbs
L4 Transporter

Also, get the ASA5505 administrator to confirm he hasn't done something "funky" with the tunnel name.

There's a "feature" in Cisco firewalls which requires the tunnel ID on the PIX/ASA to be the IP address of the remote end - just the IP address, *not* a name or anything else - or else phase 2 fails.

This one bit me in the backside badly in a past life.

Cheers.

James
L4 Transporter

I have found in previous tests I need to set the exchange mode to aggressive mode.

Then, even though aggressive mode expects the IP address as the authentication, Cisco will send an FQDN instead.

These commands might give you some more info:

less mp-log ikemgr.log (see whole log)

tail mp-log ikemgr.log (go to end of log)

tail follow yes mp-log ikemgr.log (show log in real time)

There are further CLI commands to check the VPN status in the VPN config/tech note docs.

Thanks

James

LCMember1607
L3 Networker

Thanks, I set up the proxies and the tunnel is up.

Now I think I may have a nat issue.

Any NAT configs on hand for asa<->pan?

Thanks.

leole
L2 Linker

Hi Bill,

How did you set up the proxies? I got the same error between a PAN4020 and an ASA5510.

Thanks.

Leo

lle@socccd.edu

LCMember1607
L3 Networker

IPSec tunnel.

Show advanced options.

Select the correct IKE Gateway; under IPSec Crypto Profile, add a Proxy ID with the Local ID being either a subnet or device IP that you are allowing access to on the PAN side, and a Remote ID being either a subnet or device IP on the ASA side.

friento
L3 Networker

FYI

There's a limit of 10 Proxy IDs per tunnel.
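As an added check that is not part of the thread, the script below compares a Cisco ASA crypto-map ACL with the PAN-OS Proxy ID list and reports the mirror-image mismatches that produce INVALID-ID-INFORMATION in quick mode, along with the 10-per-tunnel limit mentioned above. The ACL text, the VPN_ACL name and the Proxy IDs are constructed sample data.

```python
# Added example, not from the thread: check that PAN-OS Proxy IDs mirror a
# Cisco ASA crypto-map ACL. The ASA is policy based, so each permit entry is a
# phase-2 identity pair; the PAN side needs a Proxy ID whose Local ID is the
# ASA destination and whose Remote ID is the ASA source. An entry with no
# mirror image is what produces INVALID-ID-INFORMATION in quick mode.
import ipaddress
import re

MAX_PROXY_IDS = 10  # per-tunnel Proxy ID limit mentioned in the thread

# Constructed sample data: an ASA crypto ACL and the PAN-OS Proxy IDs.
ASA_CRYPTO_ACL = """
access-list VPN_ACL extended permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list VPN_ACL extended permit ip 192.168.20.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list VPN_ACL extended permit ip host 192.168.30.5 10.1.0.0 255.255.0.0
"""
# PAN-OS Proxy IDs as (Local ID, Remote ID); the 192.168.20.0/24 entry is missing.
PAN_PROXY_IDS = [
    ("10.1.0.0/16", "192.168.10.0/24"),
    ("10.1.0.0/16", "192.168.30.5/32"),
]
ACL_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|\S+\s+\S+)\s+(?P<dst>host\s+\S+|\S+\s+\S+)"
)

def _to_network(token):
    """Turn 'host A.B.C.D' or 'A.B.C.D M.M.M.M' into an ip_network."""
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)

def parse_asa_acl(text):
    """Return (source, destination) network pairs from the ACL's permit lines."""
    pairs = []
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if m:
            pairs.append((_to_network(m.group("src")), _to_network(m.group("dst"))))
    return pairs

def check_proxy_ids(asa_pairs, pan_proxy_ids):
    """Report ASA entries with no mirrored Proxy ID, stray Proxy IDs, and the limit."""
    pan = {(ipaddress.ip_network(loc), ipaddress.ip_network(rem)) for loc, rem in pan_proxy_ids}
    needed = {(dst, src) for src, dst in asa_pairs}  # swap: PAN local = ASA destination
    fmt = lambda pair: f"{pair[0]} <-> {pair[1]}"
    return {
        "missing_on_pan": sorted(map(fmt, needed - pan)),
        "extra_on_pan": sorted(map(fmt, pan - needed)),
        "over_limit": len(needed) > MAX_PROXY_IDS,
    }
```

Run `check_proxy_ids(parse_asa_acl(ASA_CRYPTO_ACL), PAN_PROXY_IDS)` to list the Proxy IDs still to be added on the PAN side and any that the ASA will never accept.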

leole
L2 Linker

Thank you Bill,

It works for me.

Leo
