
IPsec VPN with AH generates core files


L1 Bithead

Hi team,

I have two VM-50 v9.01, one in SiteA and another in SiteB. I set up an IPsec tunnel between them with IKE-v1: phase1 (aggressive mode) and phase2 (quick mode) with ESP. It works fine and I am able to ping from a VLAN in SiteA to another VLAN in SiteB.

I wanted to test AH instead of ESP. However, every time I want to send a ping from SiteA to SiteB, the firewall in SiteB crashes and generates a core file.

If I perform a "test vpn ike-sa gateway mygateway" and "test vpn ipsec-sa myipsec" it works fine and I can see the SA created in both firewalls. However, when I send a packet from SiteA to SiteB, I can see the packet leaving the firewall in SiteA with the appropriate AH header inserted. But as soon as the packet arrives at the firewall in SiteB, it crashes.

I can provide pcaps and core files, or anything you may need to help me.

Has anybody tried to do the same?

Any help would be appreciated.

Many thanks

2 REPLIES

Cyber Elite

It would be odd to have two PA devices utilize AH. I would open a ticket with support and see if they can duplicate the issue; it sounds like it may be a bug with 9.0

Hmmm, as I said in my description, I am in a lab environment and I wanted to test different configurations to make sure that I'm doing things right. I don't think that support would accept my issue as a "ticket"... It would be nice if anyone could try to set up AH between two Palo Altos and keep me posted if it works for them.

Many thanks,
