For details on cookie usage on our site, read our Privacy Policy
IPSec VPN phase2 partial up
- LIVEcommunity
- Discussions
- General Topics
- IPSec VPN phase2 partial up
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-22-2021 07:48 AM
hello everyone
I have a IPSec tunnel with Cisco ASA, and the proxy-id config is:
entry1: local 1.1.1.1 remote 2.2.2.2
entry2: local 1.1.1.1 remote 2.2.2.3
The very annoying things the phase2 is partial UP, when "show vpn flow", either entry1 is active and entry2 is inactive OR entry2 is active or entry1 is inactive.
Is this due to the incorrect config in somewhere?
Thanks
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-23-2021 06:23 AM
the palo told me that the DH group for the phase2 needs to use group 20 with Cisco while have multiple proxy-id, I was using group5.
The issue was gone after changing to group 20.
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-22-2021 08:49 AM
Hi @DongQu ,
Most probably you don't have constant traffic running for both remote networks.
If you see both active at different time this means negotiation is successfull for both and if there is real traffic tunnel should be fine.
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-22-2021 06:40 PM
hi @Astardzhiev
I tried to use "test vpn ipsec-sa tunnel" to Initiate the IPSec SA, after 1 of them getting "active", the other 1 cannot get up anymore.
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-23-2021 12:24 AM - edited 04-23-2021 12:29 AM
First your proxy id seems wrong as it should be the private sybnets that are internal for the firewalls (also check the ipsec timers if they match like the "lifetime"):
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ3CAK
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClE6CAK
If you still have issue:
%%%%%%%%%%%%%%%%%%%%%%%
Can you make the Palo Alto the responder as this way you will get more data in the GUI System log (or Globalprotect log in newer version)?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMZCA0
Also you can do a debug on the ikemgr:
> debug ike global on debug
> less mp-log ikemgr.log
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC
Also check if DPD is disabled as maybe the ASA may have issues with it and test without it.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFaCAK
%%%%%%%%%%%%%%%%%%%%%%%%
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-23-2021 06:23 AM
the palo told me that the DH group for the phase2 needs to use group 20 with Cisco while have multiple proxy-id, I was using group5.
The issue was gone after changing to group 20.
- Create site to site VPN tunnel PA-850 in Configuration Wizard Discussions
- IpSec Tunnel Phase2 Red But Ike Side Green in General Topics
- Rekey causes VPN tunnel to stop sending network traffic in VM-Series in the Public Cloud
- AWS IPSec VPN Issue while migrating from PA-5020(HA-8.1.15-h3) to PA-5220(HA-8.1.15-h3) Firewalls in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
