
PA to ASA Proxy-ID Mismatch



Hi all,

 

We have a standard IPSec tunnel to one of our smaller sites with a strange issue related to the Proxy-IDs defined on the PA side of the tunnel. Our ASA side (10.7.0.0/16) is set to inherit all policy settings from the PA side, and our PA defines the "policies" with the Proxy-IDs. Normal behavior with a policy-based firewall (ASA) and a route-based firewall (PA).

 

The issue is that while two of the networks defined in the PA-side Proxy-IDs match the tunnel details on the ASA, the third network does not. Traffic from the 10.0.0.0/8 and 192.168.0.0/16 supernets is allowed over the tunnel without issue; however, the 172.16.0.0/12 supernet shows up on the ASA as a smaller, but valid, subnet within the 172.16.0.0/12 supernet and only to one specific host. This is preventing anything in our 172 networks from accessing the site due to a mismatch in the negotiated session.

A quick note. Our PA is using SW version 7.1.10. In this version, we have seen some "ghosting" where some changes are not properly removed from the config file; as in objects still existing after removal, routes existing after removal, etc, so this may be related. We are upgrading this OS during our next maintenance window to 7.1.16.

 

Screenshots are below. I have also used proxy-ID local 0.0.0.0/0 but the results remain unchanged. 

 

[Screenshot: PA_Proxy-ID_Details.PNG] All of the networks match the PaloAlto Proxy-IDs except for the 172 network. [Screenshot: ASA_Ses_Details.PNG]

 Thank you!

 

- Edit: a word

Accepted Solution


Hi @cenduit_jgolden


Probably the only solution for you is upgrading to something higher than 7.1.10. The issue you are facing is fixed in 7.1.11.

 

PAN-77127
Fixed an issue where the firewall reduced the range of local and remote
IKEv2 traffic selectors in a way that disrupted traffic in a VPN tunnel
that a Cisco Adaptive Security Appliance (ASA) initiated.


So upgrading to 7.1.16 is a good idea; that will solve the issue.

(https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os-release-notes/pan-os-7-1-11-addresse...).

 

Another workaround would be changing the tunnel to IKEv1.

 

(OK, there is a very small chance that you have found another problem, but I am pretty sure that your issue is fixed after the upgrade because I had exactly the same issue a while ago.)

 

Regards,

Remo

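As an added illustration (not code from this thread or from Palo Alto Networks), the following Python models the responder side of IKEv2 traffic selector narrowing from RFC 7296 section 2.9 and then checks the negotiated selectors against a policy-based peer's crypto ACL, which is exactly where the mismatch described above bites: whatever the ASA's ACL steers into the tunnel that falls outside the negotiated selector is dropped. The three PA-side prefixes and the 10.7.0.0/16 ASA side are taken from the post; the triggering host 172.20.5.10 and the narrowed 172.20.5.0/24 are assumptions standing in for the values in the screenshots, and only the PA-side selector (TSr from the ASA's point of view) is modelled. It does not reproduce the PAN-77127 defect itself; it shows what correct narrowing returns and a check that would have flagged the bad result.

```python
"""Model of IKEv2 traffic selector (TS) narrowing (RFC 7296 section 2.9) and a
coverage check against a policy-based peer's crypto ACL.

All prefixes and hosts below are constructed from the forum thread; nothing here
was captured from a real negotiation.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network, summarize_address_range
from typing import List, Optional


@dataclass(frozen=True)
class TS:
    """One TS_IPV4_ADDR_RANGE entry: inclusive address range, protocol (0 = any), port range."""
    start: IPv4Address
    end: IPv4Address
    proto: int = 0
    port_lo: int = 0
    port_hi: int = 65535

    @classmethod
    def from_cidr(cls, cidr: str) -> "TS":
        net = ip_network(cidr)
        return cls(net.network_address, net.broadcast_address)

    def cidrs(self) -> List[IPv4Network]:
        """The range expressed as CIDR blocks (how an ASA displays a proxy identity)."""
        return list(summarize_address_range(self.start, self.end))

    def covers(self, net: IPv4Network) -> bool:
        return self.start <= net.network_address and net.broadcast_address <= self.end


def intersect(a: TS, b: TS) -> Optional[TS]:
    """Overlap of two selectors, or None when they do not overlap."""
    if a.proto and b.proto and a.proto != b.proto:
        return None
    start, end = max(a.start, b.start), min(a.end, b.end)
    lo, hi = max(a.port_lo, b.port_lo), min(a.port_hi, b.port_hi)
    if start > end or lo > hi:
        return None
    return TS(start, end, a.proto or b.proto, lo, hi)


def narrow(proposed: List[TS], configured: List[TS]) -> List[TS]:
    """Responder behaviour from RFC 7296 2.9: answer with the widest subset of the
    initiator's proposal that the local proxy-IDs allow. An empty list corresponds
    to a TS_UNACCEPTABLE notification."""
    out: List[TS] = []
    for p in proposed:
        for c in configured:
            i = intersect(p, c)
            if i is not None and i not in out:
                out.append(i)
    return out


def uncovered(crypto_acl: List[str], negotiated: List[TS]) -> List[IPv4Network]:
    """Crypto-ACL prefixes not fully covered by a single negotiated selector.
    A policy-based peer sends that traffic into the tunnel anyway, and the other
    side drops it. (A prefix split across several selectors is reported as a gap;
    that is conservative rather than exact.)"""
    return [ip_network(c) for c in crypto_acl
            if not any(ts.covers(ip_network(c)) for ts in negotiated)]


# Constructed from the thread: PA-side proxy-ID networks and the matching ASA crypto-ACL destinations.
PA_LOCAL = [TS.from_cidr(c) for c in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]
ASA_ACL_REMOTE = ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]


def negotiate_and_check(trigger_host: str) -> dict:
    """ASA-initiated CHILD_SA: per RFC 7296 2.9 the initiator may put the triggering
    packet's address first, followed by the full policy ranges. The PA answers with
    the overlap against its proxy-IDs. The trigger host is an assumed value."""
    host = IPv4Address(trigger_host)
    proposed = [TS(host, host)] + [TS.from_cidr(c) for c in ASA_ACL_REMOTE]
    negotiated = narrow(proposed, PA_LOCAL)
    return {
        "negotiated": [str(n) for ts in negotiated for n in ts.cidrs()],
        "gaps": [str(n) for n in uncovered(ASA_ACL_REMOTE, negotiated)],
    }


def observed_symptom() -> List[str]:
    """The thread's symptom: the 172 selector came back as a smaller subnet rather than
    the /12. 172.20.5.0/24 is an assumed stand-in for the subnet in the screenshots."""
    negotiated = [TS.from_cidr("10.0.0.0/8"), TS.from_cidr("192.168.0.0/16"),
                  TS.from_cidr("172.20.5.0/24")]
    return [str(n) for n in uncovered(ASA_ACL_REMOTE, negotiated)]


if __name__ == "__main__":
    print("correct narrowing:", negotiate_and_check("172.20.5.10"))
    print("ACL prefixes left uncovered by the observed selector:", observed_symptom())
```

With correct narrowing the PA echoes the triggering host plus all three full ranges, so the ACL has no gaps; with the selector the ASA actually displayed, the check reports 172.16.0.0/12 as uncovered, which is the "nothing in our 172 networks can reach the site" outcome. The same comparison can be done by hand against `show crypto ipsec sa` on the ASA and the proxy-ID list on the PA after the upgrade.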

Replies


Thanks for the insight Remo. I'll monitor this and update the post once we have upgraded.

 

Cheers!

 

-josh

Hi Remo,

 

After updating our firewall cluster to 7.1.16, the issue with ProxyID mismatch has been resolved. Thanks for the help!

 

-josh
