06-04-2014 12:51 PM
When trying to configure a site-to-site VPN tunnel from a PA 3020 to a Cisco 5505 firewall, I am getting the following messages on the Cisco firewall:
received encrypted packet with no matching sa dropping
all ipsec proposals found unacceptable
06-04-2014 12:57 PM
Hello Infotech,
Could you please clear the IKE and IPSec security associations (SAs) on both firewalls and then initiate the tunnel once again?
For example, on the PAN FW:
> clear vpn ike-sa gateway XXXXX
Delete IKEv1 IKE SA: Total 1 gateways found.
> clear vpn ipsec-sa tunnel XXXXXX
Delete IKEv1 IPSec SA: Total 1 tunnels found.
> test vpn ike-sa gateway XXXXXX
Initiate IKE SA: Total 1 gateways found. 1 ike sa found.
> test vpn ipsec-sa tunnel XXXXXX
Initiate IPSec SA: Total 1 tunnels found. 1 ipsec sa found.
Also, verify whether there are any IKE sessions in discard state between the gateways.
Thanks
06-04-2014 01:46 PM
I cleared on the PA side but have to look up how to do it on the Cisco side.
This is what I got when I did the test vpn ipsec-sa tunnel:
Initiate IPSec SA: Total 12 tunnels found. 12 ipsec sa found.
06-04-2014 09:23 PM
Looks like you might have a mismatch between the proposals configured on the two devices. Make sure the proposals chosen on both sides match (encryption, authentication, DH group, lifetime and life size).
06-05-2014 05:57 AM
That was my first thought, and I could be missing something, but they look the same as far as I can tell. It looks to me like it is failing on phase 2. Any suggestion on where else to look on the PA or the Cisco would be appreciated.
06-05-2014 06:18 AM
Have you reviewed the IKE log on the 3020?
From the CLI:
less mp-log ikemgr.log
What do you have set for your proxy-ids on your 3020?
06-05-2014 06:25 AM
Here is the result of running less mp-log ikemgr.log:
2014-06-04 21:11:32 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:00299ee1552db716:80142a8d6f5a61d8 <====
2014-06-04 21:11:42 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:00299ee1552db716:80142a8d6f5a61d8 <====
2014-06-04 21:11:45 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=69d80199e1a26574 e572d79797571b2d (size=16).
2014-06-04 21:11:52 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:00299ee1552db716:80142a8d6f5a61d8 <====
2014-06-04 21:12:01 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: 66.94.196.107[500]-66.94.196.108[500] message id:0x17F5E673 <==== Due to negotiation timeout.
2014-06-04 21:12:01 [INFO]: IPsec-SA request for 66.94.196.108 queued since no phase1 found
2014-06-04 21:12:01 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:0000000000000000 <====
2014-06-04 21:12:01 [INFO]: received Vendor ID: FRAGMENTATION
2014-06-04 21:12:01 [INFO]: received Vendor ID: CISCO-UNITY
2014-06-04 21:12:01 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2014-06-04 21:12:01 [INFO]: received Vendor ID: DPD
2014-06-04 21:12:01 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 lifetime 28800 Sec <====
2014-06-04 21:12:01 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0x23521A9E <====
2014-06-04 21:12:01 [PROTO_NOTIFY]: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=880e62bac918006c 454780c80ace55a4 (size=16).
2014-06-04 21:12:02 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:00299ee1552db716:80142a8d6f5a61d8 <====
2014-06-04 21:12:02 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 66.94.196.107[500]-66.94.196.108[500] cookie:00299ee1552db716:80142a8d6f5a61d8 <====
2014-06-04 21:12:02 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 <====
2014-06-04 21:12:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=25802d7bf6eca062 ba158c53d96c1487 (size=16).
2014-06-04 21:12:12 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 <====
2014-06-04 21:12:22 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 <====
2014-06-04 21:12:31 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: 66.94.196.107[500]-66.94.196.108[500] message id:0x23521A9E <==== Due to negotiation timeout.
2014-06-04 21:12:32 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 <====
2014-06-04 21:12:32 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 <====
2014-06-04 21:12:40 [INFO]: IPsec-SA request for 66.94.196.108 queued since no phase1 found
2014-06-04 21:12:40 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] cookie:588677c88a7381ca:0000000000000000 <====
2014-06-04 21:12:40 [INFO]: received Vendor ID: FRAGMENTATION
2014-06-04 21:12:40 [INFO]: received Vendor ID: CISCO-UNITY
2014-06-04 21:12:40 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2014-06-04 21:12:40 [INFO]: received Vendor ID: DPD
2014-06-04 21:12:40 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: 66.94.196.107[500]-66.94.196.108[500] cookie:588677c88a7381ca:ed7b7952f6d3b488 lifetime 28800 Sec <====
2014-06-04 21:12:40 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0xA0ED9187 <====
2014-06-04 21:12:40 [PROTO_NOTIFY]: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=588677c88a7381ca ed7b7952f6d3b488 (size=16).
2014-06-04 21:12:41 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:588677c88a7381ca:ed7b7952f6d3b488 <====
2014-06-04 21:12:51 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:588677c88a7381ca:ed7b7952f6d3b488 <====
2014-06-04 21:13:01 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:588677c88a7381ca:ed7b7952f6d3b488 <====
2014-06-04 21:13:10 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: 66.94.196.107[500]-66.94.196.108[500] message id:0xA0ED9187 <==== Due to negotiation timeout.
2014-06-04 21:13:11 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
06-05-2014 06:49 AM
Phase 2 Mismatch
notification message 14:NO-PROPOSAL-CHOSEN
What is the transform set on the ASA for this network?
What is your corresponding IPSEC policy on the 3020?
Sample IPSec Tunnel Configuration - Palo Alto Networks Firewall to Cisco ASA
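The reading of the log in the reply above (phase 1 established, then notification 14:NO-PROPOSAL-CHOSEN with proto_id=3 in Quick Mode) can be done mechanically. The Python script below is an added example, not code from the thread, from Palo Alto Networks or from Cisco. Its constructed input repeats one negotiation cycle from the ikemgr.log excerpt posted above and appends an assumed second cycle in which the peer rejects phase 1 instead; the script splits the log into cycles at each PHASE-1 NEGOTIATION STARTED line and uses the IPsec DOI proto_id carried in the notify (1 = ISAKMP, 2 = AH, 3 = ESP) to say which phase the peer rejected and which configuration to compare next.

```python
import re

# Constructed input. The first cycle is copied from the ikemgr.log excerpt posted above; the second
# cycle (cookie 0123456789abcdef..., phase-1 rejection) is an assumed sample to exercise the other branch.
IKEMGR_LOG = """\
2014-06-04 21:12:01 [INFO]: IPsec-SA request for 66.94.196.108 queued since no phase1 found
2014-06-04 21:12:01 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:0000000000000000 <====
2014-06-04 21:12:01 [INFO]: received Vendor ID: CISCO-UNITY
2014-06-04 21:12:01 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 lifetime 28800 Sec <====
2014-06-04 21:12:01 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0x23521A9E <====
2014-06-04 21:12:01 [PROTO_NOTIFY]: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=880e62bac918006c 454780c80ace55a4 (size=16).
2014-06-04 21:12:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=25802d7bf6eca062 ba158c53d96c1487 (size=16).
2014-06-04 21:12:31 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: 66.94.196.107[500]-66.94.196.108[500] message id:0x23521A9E <==== Due to negotiation timeout.
2014-06-04 21:20:00 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] cookie:0123456789abcdef:0000000000000000 <====
2014-06-04 21:20:00 [PROTO_NOTIFY]: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=0123456789abcdef 0000000000000000 (size=16).
2014-06-04 21:20:30 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE <====
====> Failed SA: 66.94.196.107[500]-66.94.196.108[500] cookie:0123456789abcdef:0000000000000000 <==== Due to negotiation timeout.
"""

# IPsec DOI protocol IDs carried in the notify: 1 = ISAKMP (phase 1), 2 = AH and 3 = ESP (phase 2).
PROTO = {"1": "ISAKMP", "2": "AH", "3": "ESP"}

NOTIFY_RE = re.compile(r"notification message (\d+):([A-Z-]+), doi=\d+ proto_id=(\d+)")
REASON_RE = re.compile(r"<==== Due to (.+)\.$")


def parse_cycles(text):
    """Split the log into negotiation cycles, one per PHASE-1 NEGOTIATION STARTED line."""
    cycles, cur = [], None
    for line in text.splitlines():
        if "PHASE-1 NEGOTIATION STARTED" in line:
            cur = {"started": line[:19], "phase1": "started", "phase2": None, "notifies": [], "reason": None}
            cycles.append(cur)
        if cur is None:                      # lines before the first cycle belong to an older SA
            continue
        if "PHASE-1 NEGOTIATION SUCCEEDED" in line:
            cur["phase1"] = "succeeded"
        elif "PHASE-1 NEGOTIATION FAILED" in line:
            cur["phase1"] = "failed"
        elif "PHASE-2 NEGOTIATION STARTED" in line:
            cur["phase2"] = "started"
        elif "PHASE-2 NEGOTIATION FAILED" in line:
            cur["phase2"] = "failed"
        m = NOTIFY_RE.search(line)
        if m:
            cur["notifies"].append((int(m.group(1)), m.group(2), PROTO.get(m.group(3), m.group(3))))
        m = REASON_RE.search(line)
        if m:
            cur["reason"] = m.group(1)
    return cycles


def triage(cycle):
    """Point at the configuration to compare next, based on which phase the peer rejected."""
    rejected = {proto for _, name, proto in cycle["notifies"] if name == "NO-PROPOSAL-CHOSEN"}
    if cycle["phase1"] != "succeeded":
        if "ISAKMP" in rejected:
            return ("phase 1 rejected by peer: compare the IKE crypto profile (encryption, hash, DH group, "
                    "lifetime) with the ASA isakmp/ikev1 policy")
        return "phase 1 did not complete: check UDP 500 reachability, the pre-shared key and the peer IDs"
    if rejected & {"ESP", "AH"}:
        return ("phase 2 rejected by peer: compare the IPSec crypto profile with the ASA transform set, "
                "the PFS group with 'set pfs', and the proxy-IDs with the crypto map's ACL")
    if cycle["phase2"] == "failed":
        return f"phase 2 failed without a rejection notify ({cycle['reason']}): check that Quick Mode reaches the peer"
    return "negotiation completed"


def triage_log(text):
    """One (start time, verdict) pair per negotiation cycle found in the log."""
    return [(c["started"], triage(c)) for c in parse_cycles(text)]


if __name__ == "__main__":
    for started, verdict in triage_log(IKEMGR_LOG):
        print(started, verdict)
```

Run against the thread's own log, the first cycle comes out as "phase 2 rejected by peer", which is the same conclusion as the reply above; the R-U-THERE notify (DPD keepalive, proto_id=1) is recorded but ignored by the triage because it is not a rejection. The PHASE-1 SA LIFETIME EXPIRED lines in the original excerpt are simply skipped.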
06-05-2014 07:01 AM
What is the transform set on the ASA for this network? ESP-AES-256-SHA (IKEv1) PFS-group1 (looking in the crypto maps)
What is your corresponding IPSEC policy on the 3020? ESP-AES-Sha1 (ipsec crypto)
06-05-2014 07:24 AM
IPSEC Crypto Profile on PA defaults to group2 (group1, group2, group5 and group14 are available).
The ASA is indicating group1.
06-05-2014 07:36 AM
I have the ipsec crypto set to group 1
06-05-2014 08:03 AM
From the 3020 CLI, please provide the output for your profile configured for IPSEC:
set cli config-output-format set
configure
show network ike crypto-profiles ipsec-crypto-profiles
From the ASA, gather the line that starts with "crypto ipsec transform-set" that is configured for the crypto map.
Thanks
06-05-2014 08:16 AM
Here is from the PA
[edit]
admin@PA-3020_DR# show network ike crypto-profiles ipsec-crypto-profiles profiles
[edit]
admin@PA-3020_DR# show network ike crypto-profiles ipsec-crypto-profiles
set network ike crypto-profiles ipsec-crypto-profiles default esp encryption [ aes128 3des ]
set network ike crypto-profiles ipsec-crypto-profiles default esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles default dh-group group2
set network ike crypto-profiles ipsec-crypto-profiles default lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Peoria_IPSec_Profile esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles Peoria_IPSec_Profile esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles Peoria_IPSec_Profile lifetime hours 8
set network ike crypto-profiles ipsec-crypto-profiles Peoria_IPSec_Profile dh-group group1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto dh-group group1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto-1 esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto-1 esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto-1 lifetime hours 8
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto-1 dh-group group1
[edit]
admin@PA-3020_DR#
Cisco - I am not 100% sure what you are asking me to do here, so I just looked in the ASDM under site to site vpn\configuration\crypto maps:
transform set ikev1 ESP-AES-256-SHA
06-05-2014 10:48 AM
On the ASA CLI, or in the configuration output, I was looking for the assigned transform set.
Which of the crypto profiles on the 3020 is assigned to the VPN that is having issues?
06-05-2014 12:38 PM
Right now it's this one:
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto lifetime hours 1
But I also tried this one too:
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto-1 dh-group group1
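As an added example (not code from the thread, from Palo Alto Networks or from Cisco), the Python script below does the side-by-side comparison the replies above ask for mechanically. It parses the PAN-OS set output for the IPSec crypto profile and proxy-id of one tunnel, and the ASA transform set, set pfs, SA lifetime and crypto ACL of one crypto map entry, normalises both into one vocabulary (esp-aes-256 and aes256, esp-sha-hmac and sha1), mirrors the ACL because the ASA's source network is the PA's remote network, and lists every field that differs. The profile lines are the Herget_Standard_IPSec_Crypto lines posted above; the tunnel name Peoria-VPN, the proxy-id subnets, the ASA map name outside_map, its ACL and the 28800-second lifetime (the ASA default) are assumptions.

```python
import re
from ipaddress import ip_network

# Constructed PAN-OS "set" output: the profile lines repeat the thread's Herget_Standard_IPSec_Crypto
# profile; the tunnel name Peoria-VPN, the proxy-id and both subnets are assumptions.
PAN_CONFIG = """\
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto dh-group group1
set network tunnel ipsec Peoria-VPN auto-key ipsec-crypto-profile Herget_Standard_IPSec_Crypto
set network tunnel ipsec Peoria-VPN auto-key proxy-id Peoria local 10.10.0.0/24 remote 10.20.0.0/24 protocol any
"""

# Constructed ASA lines: the thread only gives the transform-set name ESP-AES-256-SHA and PFS group1;
# the map name, ACL, subnets and the 28800 s lifetime (the ASA default) are assumptions.
ASA_CONFIG = """\
access-list outside_cryptomap extended permit ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
"""

# ASA transform names mapped onto the names PAN-OS uses, plus the field each one fills.
ASA_ALG = {"esp-aes-256": ("encryption", "aes256"), "esp-aes-192": ("encryption", "aes192"),
           "esp-aes": ("encryption", "aes128"), "esp-3des": ("encryption", "3des"),
           "esp-sha-hmac": ("authentication", "sha1"), "esp-md5-hmac": ("authentication", "md5")}
UNIT = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}


def empty():
    return {"encryption": set(), "authentication": set(), "dh-group": None, "lifetime": None, "proxy": set()}


def parse_pan(text, tunnel):
    """Phase-2 parameters (crypto profile + proxy-ids) of one PAN-OS IPSec tunnel."""
    p, lines, profile = empty(), text.splitlines(), None
    tun = rf"set network tunnel ipsec {re.escape(tunnel)} auto-key "
    for line in lines:
        if m := re.match(tun + r"ipsec-crypto-profile (\S+)$", line):
            profile = m.group(1)
        elif m := re.match(tun + r"proxy-id \S+ local (\S+) remote (\S+)", line):
            p["proxy"].add((ip_network(m.group(1)), ip_network(m.group(2))))
    prefix = f"set network ike crypto-profiles ipsec-crypto-profiles {profile} "
    for line in lines:
        if not line.startswith(prefix):
            continue
        t = line[len(prefix):].split()
        if t[:2] in (["esp", "encryption"], ["esp", "authentication"]):
            p[t[1]] = {v for v in t[2:] if v not in ("[", "]")}   # "[ aes128 3des ]" is a list
        elif t[0] == "dh-group":
            p["dh-group"] = None if t[1] == "no-pfs" else t[1]
        elif t[0] == "lifetime":
            p["lifetime"] = int(t[2]) * UNIT[t[1]]
    return p


def parse_asa(text, crypto_map, seq):
    """Phase-2 parameters of one ASA crypto-map entry, in the same shape as parse_pan()."""
    p, lines, tsets, acls = empty(), text.splitlines(), {}, {}
    for line in lines:
        t = line.split()
        if t[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            tsets[t[4]] = t[5:]
        elif t[:1] == ["access-list"] and "permit" in t:       # only "permit ip SRC MASK DST MASK" handled
            i = t.index("permit")
            acls.setdefault(t[1], []).append((f"{t[i+2]}/{t[i+3]}", f"{t[i+4]}/{t[i+5]}"))
    entry = f"crypto map {crypto_map} {seq} "
    for line in lines:
        if not line.startswith(entry):
            continue
        t = line[len(entry):].split()
        if t[:3] == ["set", "ikev1", "transform-set"]:
            for field, name in (ASA_ALG[alg] for ts in t[3:] for alg in tsets[ts]):
                p[field].add(name)
        elif t[:2] == ["set", "pfs"]:
            p["dh-group"] = t[2] if len(t) > 2 else "default"    # bare "set pfs" default varies by version
        elif t[:4] == ["set", "security-association", "lifetime", "seconds"]:
            p["lifetime"] = int(t[4])
        elif t[:2] == ["match", "address"]:
            # The ASA's source/destination is the PA's remote/local, so mirror the ACL before comparing.
            p["proxy"].update((ip_network(dst), ip_network(src)) for src, dst in acls[t[2]])
    return p


def compare(pan, asa):
    """Mismatches between the two ends; an empty list means every checked field agrees."""
    out = []
    for field in ("encryption", "authentication"):
        if not pan[field] & asa[field]:
            out.append(f"{field}: PAN offers {sorted(pan[field])}, ASA accepts {sorted(asa[field])}")
    if pan["dh-group"] != asa["dh-group"]:
        out.append(f"pfs: PAN {pan['dh-group']}, ASA {asa['dh-group']}")
    if pan["lifetime"] != asa["lifetime"]:
        out.append(f"lifetime: PAN {pan['lifetime']}s, ASA {asa['lifetime']}s (warning only: the responder "
                   "normally just uses the shorter value, so this alone rarely causes NO-PROPOSAL-CHOSEN)")
    if pan["proxy"] != asa["proxy"]:
        out.append(f"proxy-id: PAN {sorted(map(str, pan['proxy']))} vs mirrored ASA ACL {sorted(map(str, asa['proxy']))}")
    return out


def check(pan_text=PAN_CONFIG, asa_text=ASA_CONFIG):
    return compare(parse_pan(pan_text, "Peoria-VPN"), parse_asa(asa_text, "outside_map", "1"))


if __name__ == "__main__":
    print(check() or "no mismatch on the fields checked")
```

With the values from the thread, encryption (aes256), authentication (sha1) and PFS (group1) agree on both ends and only the lifetime differs (1 hour against 28800 seconds); it is reported as a warning because an IKEv1 responder normally just uses the shorter value. When those three fields match and the peer still answers Quick Mode with NO-PROPOSAL-CHOSEN, the proxy-id against the ASA crypto ACL is the next field to verify, which is why the script mirrors the ACL and compares it too; paste the real proxy-id and access-list lines over the constructed ones to run that check.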