11-09-2011 04:25 AM
I can complete phase 1 but then the tunnel terminates without a message which would help me to find the problem.
2011-11-09 13:20:51 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, AGGRESSIVE MODE <====
====> Initiated SA: 77.73.243.180[500]-178.83.248.50[55010] cookie:f170f45f0119ad13:b32d0b9e1e6e49e7 <====
2011-11-09 13:20:51 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2011-11-09 13:20:51 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2011-11-09 13:20:51 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
2011-11-09 13:20:51 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2011-11-09 13:20:51 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2011-11-09 13:20:51 [INFO]: received Vendor ID: RFC 3947
2011-11-09 13:20:51 [INFO]: received Vendor ID: FRAGMENTATION
2011-11-09 13:20:51 [INFO]: received Vendor ID: DPD
2011-11-09 13:20:51 [INFO]: received Vendor ID: CISCO-UNITY
2011-11-09 13:20:51 [INFO]: Selected NAT-T version: RFC 3947
2011-11-09 13:20:51 [INFO]: Adding remote and local NAT-D payloads.
2011-11-09 13:20:51 [INFO]: Hashing 178.83.248.50[55010] with algo #2
2011-11-09 13:20:51 [INFO]: Hashing 77.73.243.180[500] with algo #2
2011-11-09 13:20:51 [PROTO_ERR]: ignore information because ISAKMP-SA has not been established yet.
2011-11-09 13:20:51 [INFO]: Hashing 77.73.243.180[4500] with algo #2
2011-11-09 13:20:51 [INFO]: NAT-D payload #0 doesn't match
2011-11-09 13:20:51 [INFO]: Hashing 178.83.248.50[55060] with algo #2
2011-11-09 13:20:51 [INFO]: NAT-D payload #1 doesn't match
2011-11-09 13:20:51 [INFO]: NAT detected: ME PEER
2011-11-09 13:20:51 [INFO]: Sending Xauth request
2011-11-09 13:20:51 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, AGGRESSIVE MODE <====
====> Established SA: 77.73.243.180[4500]-178.83.248.50[55060] cookie:f170f45f0119ad13:b32d0b9e1e6e49e7 lifetime 3600 Sec <====
2011-11-09 13:21:51 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 77.73.243.180[4500]-178.83.248.50[55060] cookie:f170f45f0119ad13:b32d0b9e1e6e49e7i <====
2011-11-09 13:21:51 [INTERNAL_ERR]: ASSERT FAILED: (iph1->status == PHASE1ST_ESTABLISHED)
2011-11-09 13:21:51 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 77.73.243.180[4500]-178.83.248.50[55060] cookie:f170f45f0119ad13:b32d0b9e1e6e49e7i <====
The client terminates after the Established SA with a VPN error. What could be the problem?
11-10-2011 01:45 AM
Have you got a tick in the "skip auth on IKE rekey" option? If it's selected, try unselecting it and retry your connection. This is under the GP gateway screen, general tab, below the group password fields.
Rod
11-11-2011 12:29 AM
Doesn't make a difference... same problem.
11-11-2011 02:05 AM
What does this error mean?
[INTERNAL_ERR]: ASSERT FAILED: (iph1->status == PHASE1ST_ESTABLISHED)
On my PA500 everything is working; on the PA2050 nothing works out of the box. The Portal doesn't work on the external interface... had to use loopback plus NAT rules... and now XAuth doesn't work either... getting pretty frustrated.
11-11-2011 06:22 AM
I never got Shrew working, (didn't put that much effort in to it either). VPNC works like a charm though. I actually prefer VPNC as it is integrated with NetworkManager (I'm on a Ubuntu box).
Simply put in the following in the client:
Gateway: globlaprotect.company.com
Username (Most cases your LDAP/AD user account authenticating with Kerberos/LDAP)
Group name: sharedusername (xauth shared user in Palo)
Group Passwd:
Encryption Standard
NATT: Enabled
xAuth enabled, IPsec enabled, Skip Ike rekey = Palo Alto side of things.
11-11-2011 01:21 PM
@mccue:
question: are you using NAT-T? If so can you turn it off and try again?
Thanks,
Benjamin
11-13-2011 11:53 PM
Yes, I use NAT-T, and the funny thing again is, it works with my other customer. He is using a PA500; everything works on that PA500, where nothing seems to work on the PA2050.
I really don't get it. The only difference in the config is that the customer on the PA500 has no inside NAT on the external IP, where the customer on the PA2050 has inside NAT on the IP, but not on ports 80, 443, 500, 4500. So it should not conflict... but then still I can't set up the gateway on the external interface directly (well, I can, but it is not reachable). And over a loopback interface it doesn't work somehow....
11-15-2011 04:54 PM
Mccue,
This issue is targeted to be fixed in 4.1.1.
Thanks
11-23-2011 01:31 AM
Is this a problem on the PA2050?
GlobalProtect and everything works, but from an iPad the IKE phase 1 goes through, but then no authentication starts.
11-23-2011 04:40 PM
@gsteiner:
my team and I did some testing in our lab last night running 4.1.0 PAN-OS on a 2050. We had no trouble connecting an iPad2 running iOS version 4.3.5 (8L1) to our 2050 Global Protect Gateway, authenticating and accessing resources behind the 2050. iPad was using WiFi (not 3G mobile/cellular).
-Benjamin
11-24-2011 03:32 AM
Any idea where the problem could be? IKE Phase 1 completes but then phase 2 doesn't start; it just stays there till timeout.
GlobalProtect and even Shrew Soft VPN is now working.
Is there a log which I could monitor? I used
tail follow yes mp-log ikemgr.log
and
tail follow yes mp-log authd.log
but in the authd.log nothing comes up.
iPad version 5.0.1 (9a405)
BTW, I use PSK.
11-24-2011 04:02 AM
Could this be a problem?
Nov 24 12:59:27 pan_authd_get_lock_cfg(pan_authd_ops.c:449): Profile Auth-Seq not found in sequence or profile db.
Nov 24 12:59:27 pan_authd_get_lock_cfg(pan_authd_ops.c:441): Auth Seq __dummy_%_admin_%_profile__ found. Max attempts=0, lockseconds=0.
Nov 24 12:59:27 pan_authd_get_lock_cfg(pan_authd_ops.c:449): Profile AUTH-SEQUENCE not found in sequence or profile db.
Nov 24 12:59:27 pan_authd_get_lock_cfg(pan_authd_ops.c:449): Profile AUTH-SEQUENCE not found in sequence or profile db.
Nov 24 13:00:25 cfgagent_opcmd_callback(pan_cfgagent.c:344): authd: cfg agent received op command from server
Nov 24 13:00:25 cfgagent_doop_callback(pan_cfgagent.c:378): received sigal to execute <operations xml="yes" type="union" handler="show_lockedusers_handler"><show type="union"><authentication type="union"><locked-users type="sequence"><is-seq type="enum">yes</is-seq></locked-users></authentication></show></operations>
Nov 24 13:00:52 cfgagent_opcmd_callback(pan_cfgagent.c:344): authd: cfg agent received op command from server
Nov 24 13:00:52 cfgagent_doop_callback(pan_cfgagent.c:378): received sigal to execute <request cmd="op" complete="/operations/set/management-server/unlock/admin" cookie="4985870072261854" handler="admin_unlock_complete_handler"/>
Nov 24 13:00:52 pan_authd_get_lock_cfg(pan_authd_ops.c:449): Profile Auth-Seq not found in sequence or profile db.
Nov 24 13:00:52 pan_authd_get_lock_cfg(pan_authd_ops.c:441): Auth Seq __dummy_%_admin_%_profile__ found. Max attempts=0, lockseconds=0.
Nov 24 13:00:52 pan_authd_get_lock_cfg(pan_authd_ops.c:449): Profile AUTH-SEQUENCE not found in sequence or profile db.
Nov 24 13:00:52 pan_authd_get_lock_cfg(pan_authd_ops.c:449): Profile AUTH-SEQUENCE not found in sequence or profile db.
11-24-2011 11:21 PM
Could it be that the problem is NAT-T? When I use the Shrew Soft VPN client and turn off NAT-T it is working; when I turn it on it doesn't work.
11-28-2011 12:09 PM
Hi,
We have one issue related to NAT-T which will be fixed in 4.1.1. For your issue I would suggest you open up a support case so that we can review the log/debug information to determine if the issue you are seeing is the one which is going to be fixed or if this issue is a different one.
Thanks
12-18-2011 11:36 PM
Still the same issue. I can connect with the same iPad to a PA500 running 4.1.0 but not to the PA2050 with 4.1.1.
Shrew Soft VPN works with NAT-T or without on the PA500, but it doesn't work with NAT-T port 4500 on the PA2050. It works only without NAT-T on the PA2050.
Please, this issue has been bugging me for too long now. I opened two tickets and they told me this is fixed in 4.1.1, and now the problem is still there. Am I really the only one with this issue?