IPSEC vpn between cisco 2900 and PAN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

IPSEC vpn between cisco 2900 and PAN

L2 Linker

Hi everyone, 

 

I'm trying to setup a route based IPSEC tunnel between my PAN 3020 and Cisco 2900 router.  I'm getting a parameter mismatch on on the ipsec lifesize parameter and don't know how to fix it.

 

The Cisco peer appears to be wanting a lifesize setting of 4608000KB but the PAN won't let you set it that high. I've tried setting it with the equivalent MB setting on the PAN but I'm still getting the mismatch.  Does anyone know how to change this setting on the Cisco side?  I can't seem to find the right command.

 

This is what I see on the PAN. I am not the admin for the Cisco router.

 

Any ideas?

 

2021-09-10 16:36:10.645 -0500 [PNTF]: { 2: }: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: <redacted>[500]-<redacted>[500] message id:0x4B3D3BCC <====
2021-09-10 16:36:10.646 -0500 [PNTF]: { 2: 11}: simultaneous phase-2 rekey request detected, peer is not PANOS. delay processing this new request(isakmp message-id 0x4B3D3BCC).
2021-09-10 16:36:10.646 -0500 [PERR]: { : 11}: lifesize 4608000 KB
2021-09-10 16:36:10.646 -0500 [PERR]: { : 11}: not matched
2021-09-10 16:36:10.646 -0500 [PERR]: { : 11}: no suitable policy found.
2021-09-10 16:36:10.646 -0500 [ERR ]: { : 11}: failed to pre-process packet.
2021-09-10 16:36:10.703 -0500 [INFO]: { 2: }: IKE ISAKMP KEY_DELETE recvd: cookie:490a0356f9c07229:aaa5e1482371a0a4.
98%

 

 

2 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

Thank you @epeeler for posting question.

 

This is the default value in Cisco IOS: crypto ipsec security-association lifetime kilobytes 4608000

 

In order to change it, please go to configuration mode, then issue: crypto ipsec security-association lifetime kilobytes <2560-4294967295>

 

Kind Regards

Pavel

 

Help the community: Like helpful comments and mark solutions.

View solution in original post

Hey @epeeler ,

 

That is intersting. Up to this point I was living with the impression that lifesize mistmatch should not effect phase negotiation, similar to lifetime.

If lifetime is configured differently on both end of the tunnel, tunnel will be negotiated successfully, but you will experiance some issues with the traffic.

 

While I agree with @PavelK and you should definately fix the mistmatch, I am little sceptic as this is the actual reason for failing tunnel negotiation. In addition using MB on Palo, should be exactly the same, as the IPsec standard is actually using KB, so in the background Palo should convert the MB and sent the equivalent KB.

 

Are you sure all other settings matching phase2 settings? You will notice that Palo support CBC and GCM modes for the encryption algorithms, while I am not sure if Cisco is supporting GCM you may want to check if Palo is using CBC.

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

Thank you @epeeler for posting question.

 

This is the default value in Cisco IOS: crypto ipsec security-association lifetime kilobytes 4608000

 

In order to change it, please go to configuration mode, then issue: crypto ipsec security-association lifetime kilobytes <2560-4294967295>

 

Kind Regards

Pavel

 

Help the community: Like helpful comments and mark solutions.

Hey @epeeler ,

 

That is intersting. Up to this point I was living with the impression that lifesize mistmatch should not effect phase negotiation, similar to lifetime.

If lifetime is configured differently on both end of the tunnel, tunnel will be negotiated successfully, but you will experiance some issues with the traffic.

 

While I agree with @PavelK and you should definately fix the mistmatch, I am little sceptic as this is the actual reason for failing tunnel negotiation. In addition using MB on Palo, should be exactly the same, as the IPsec standard is actually using KB, so in the background Palo should convert the MB and sent the equivalent KB.

 

Are you sure all other settings matching phase2 settings? You will notice that Palo support CBC and GCM modes for the encryption algorithms, while I am not sure if Cisco is supporting GCM you may want to check if Palo is using CBC.

L2 Linker

First of all, thank you both for taking the time to respond.  The issue did indeed end up being a  parameter other than lifesize being mismatched.  I had not turned on ike debugging on the PAN and so the messages I was seeing in the log while correct, didn't necessarily correspond to each other.  Once I enabled detailed debugging I could see what the actual mismatch was which ended up being the hash setting for the phase 2 connection.

 

Moral of the story here...even though you're seeing log entries for phase 1 and phase 2 negotiation, if you don't turn on debug for ike, you're not getting the full story.

 

Again, thank you both very much.

  • 2 accepted solutions
  • 4047 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!