08-12-2014 03:27 PM
Hi,
I'm having a hard time bringing up a VPN tunnel from my PA-5020 to a Cisco firewall. I'm getting the following:
'IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: 10.13.247.43/32 type IPv4_address protocol 0 port 0, received remote id: 192.168.10.200/32 type IPv4_address protocol 0 port 0.'
My search indicates that it's a mismatch with the Cisco firewall ACL. Would I be correct in assuming that their ACL references address protocol 0 port 0 instead of the specific ports we agreed upon during the design?
Thanks.
08-12-2014 03:40 PM
Hello przyboro,
Generally speaking, most customers refer only to the local and remote subnets. As per the logs, please ensure that the PAN is configured with the Local Proxy ID as 192.168.10.200/32 and the Remote Proxy ID as 10.13.247.43/32. Please find below an example:
Note: only if you have specified a port and protocol in the Cisco ACL is it required to add them on the PAN firewall as well.
Hope this helps.
Thanks
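As an added example (not part of this thread or of any PAN-OS tooling), the following Python checker parses the system-log message quoted in the question and compares the received proxy ID against the Proxy IDs configured on each tunnel. It follows the reply's mapping: the peer's "received local id" must appear as the PAN tunnel's Remote Proxy ID and the "received remote id" as its Local Proxy ID, with protocol and port compared exactly (0 meaning "any"). The `ProxyId` model, the `find_matching_tunnel` helper and the tunnel names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed copy of the log message quoted in the question.
LOG_LINE = (
    "IKE phase-2 negotiation failed when processing proxy ID. "
    "cannot find matching phase-2 tunnel for received proxy ID. "
    "received local id: 10.13.247.43/32 type IPv4_address protocol 0 port 0, "
    "received remote id: 192.168.10.200/32 type IPv4_address protocol 0 port 0."
)

# Matches each "received <side> id: <net> type <t> protocol <n> port <n>" fragment.
ID_RE = re.compile(
    r"received (?P<side>local|remote) id: (?P<net>\S+) type \S+ "
    r"protocol (?P<proto>\d+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class ProxyId:
    """One Proxy ID entry on an IPsec tunnel (hypothetical model of the PAN config)."""
    local: str
    remote: str
    protocol: int = 0     # 0 = any protocol
    local_port: int = 0   # 0 = any port
    remote_port: int = 0


def parse_received_proxy_id(line: str) -> ProxyId:
    """Turn the peer's proposal, as logged, into the Proxy ID the PAN side must carry.

    The peer's local selector is our remote selector and vice versa, so the two
    sides are swapped while protocol and ports are carried over unchanged.
    """
    found = {m.group("side"): m for m in ID_RE.finditer(line)}
    if set(found) != {"local", "remote"}:
        raise ValueError("log line does not carry both received IDs")
    peer_local, peer_remote = found["local"], found["remote"]
    proto = int(peer_local.group("proto"))
    if proto != int(peer_remote.group("proto")):
        raise ValueError("protocol differs between the two received IDs")
    return ProxyId(
        local=peer_remote.group("net"),
        remote=peer_local.group("net"),
        protocol=proto,
        local_port=int(peer_remote.group("port")),
        remote_port=int(peer_local.group("port")),
    )


def find_matching_tunnel(received: ProxyId,
                         tunnels: Dict[str, List[ProxyId]]) -> Optional[str]:
    """Return the name of the tunnel whose Proxy ID list contains an exact match,
    or None when no tunnel matches (the condition the log message reports)."""
    for name, proxy_ids in tunnels.items():
        if received in proxy_ids:
            return name
    return None


# Constructed "before" config: local and remote are the wrong way round.
TUNNELS_BEFORE = {
    "to-cisco": [ProxyId(local="10.13.247.43/32", remote="192.168.10.200/32")],
}

# Constructed "after" config: matches what the reply recommends.
TUNNELS_AFTER = {
    "to-cisco": [ProxyId(local="192.168.10.200/32", remote="10.13.247.43/32")],
}


if __name__ == "__main__":
    wanted = parse_received_proxy_id(LOG_LINE)
    print("Proxy ID the PAN tunnel needs:", wanted)
    for label, cfg in (("before", TUNNELS_BEFORE), ("after", TUNNELS_AFTER)):
        hit = find_matching_tunnel(wanted, cfg)
        print(f"{label}: {'matched ' + hit if hit else 'no matching phase-2 tunnel'}")
```

Running it prints the Proxy ID derived from the log and shows that the reversed configuration yields no match while the corrected one matches `to-cisco`. Because the comparison is an exact match on network, protocol and both ports, a Cisco ACL that names a port or protocol would also have to be mirrored in the PAN Proxy ID, which is the point the reply's note makes.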
08-13-2014 12:34 PM
Thank you for this information. I will be testing this out shortly.
08-22-2014 11:23 AM
Sorry for the late reply. Missing proxy-ID was the problem. Fixed now. Thank you!