PA to Cisco 5505 VPN tunnel


When trying to configure a site-to-site VPN tunnel from a PA-3020 to a Cisco 5505 firewall, I am getting the following messages on the Cisco firewall:

received encrypted packet with no matching sa dropping

all ipsec proposals found unacceptable


Hello Infotech,

Could you please clear the IKE and IPSec security associations (SAs) on both firewalls and then initiate the tunnel once again.

For example, in PAN FW:

> clear vpn ike-sa gateway XXXXX

Delete IKEv1 IKE SA: Total 1 gateways found.

> clear vpn ipsec-sa tunnel XXXXXX

Delete IKEv1 IPSec SA: Total 1 tunnels found.

> test vpn ike-sa gateway XXXXXX

Initiate IKE SA: Total 1 gateways found. 1 ike sa found.

> test vpn ipsec-sa tunnel XXXXXX

Initiate IPSec SA: Total 1 tunnels found. 1 ipsec sa found.

Also, verify whether there are any IKE sessions in discard state between the gateways.

Thanks

I cleared on the PA side but have to look up how to do it on the Cisco side.

This is what I got when I did the test vpn ipsec-sa tunnel:

Initiate IPSec SA: Total 12 tunnels found. 12 ipsec sa found.

Looks like you might have a mismatch between the proposals configured on the two devices. Make sure the proposals chosen on both sides are matching (encryption, authentication, DH group, lifetime and life size).

That was my first thought, and I could be missing something, but they look the same as far as I can tell. It looks to me like it is failing on phase 2. Any suggestion on where else to look on the PA or the Cisco would be appreciated.

Have you reviewed the IKE log on the 3020?

From the CLI:

less mp-log ikemgr.log

What do you have set for your proxy-ids on your 3020?

Here is the result of running less mp-log ikemgr.log:

2014-06-04 21:11:32 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:00299ee1552db716:80142a8d6f5a61d8 <====

2014-06-04 21:11:42 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:00299ee1552db716:80142a8d6f5a61d8 <====

2014-06-04 21:11:45 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=69d80199e1a26574 e572d79797571b2d (size=16).

2014-06-04 21:11:52 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:00299ee1552db716:80142a8d6f5a61d8 <====

2014-06-04 21:12:01 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====

====> Failed SA: 66.94.196.107[500]-66.94.196.108[500] message id:0x17F5E673 <==== Due to negotiation timeout.

2014-06-04 21:12:01 [INFO]: IPsec-SA request for 66.94.196.108 queued since no phase1 found

2014-06-04 21:12:01 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====

====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:0000000000000000 <====

2014-06-04 21:12:01 [INFO]: received Vendor ID: FRAGMENTATION

2014-06-04 21:12:01 [INFO]: received Vendor ID: CISCO-UNITY

2014-06-04 21:12:01 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt

2014-06-04 21:12:01 [INFO]: received Vendor ID: DPD

2014-06-04 21:12:01 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====

====> Established SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 lifetime 28800 Sec <====

2014-06-04 21:12:01 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====

====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0x23521A9E <====

2014-06-04 21:12:01 [PROTO_NOTIFY]: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=880e62bac918006c 454780c80ace55a4 (size=16).

2014-06-04 21:12:02 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:00299ee1552db716:80142a8d6f5a61d8 <====

2014-06-04 21:12:02 [INFO]: ====> PHASE-1 SA DELETED <====

====> Deleted SA: 66.94.196.107[500]-66.94.196.108[500] cookie:00299ee1552db716:80142a8d6f5a61d8 <====

2014-06-04 21:12:02 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 <====

2014-06-04 21:12:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=25802d7bf6eca062 ba158c53d96c1487 (size=16).

2014-06-04 21:12:12 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 <====

2014-06-04 21:12:22 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 <====

2014-06-04 21:12:31 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====

====> Failed SA: 66.94.196.107[500]-66.94.196.108[500] message id:0x23521A9E <==== Due to negotiation timeout.

2014-06-04 21:12:32 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 <====

2014-06-04 21:12:32 [INFO]: ====> PHASE-1 SA DELETED <====

====> Deleted SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 <====

2014-06-04 21:12:40 [INFO]: IPsec-SA request for 66.94.196.108 queued since no phase1 found

2014-06-04 21:12:40 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====

====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] cookie:588677c88a7381ca:0000000000000000 <====

2014-06-04 21:12:40 [INFO]: received Vendor ID: FRAGMENTATION

2014-06-04 21:12:40 [INFO]: received Vendor ID: CISCO-UNITY

2014-06-04 21:12:40 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt

2014-06-04 21:12:40 [INFO]: received Vendor ID: DPD

2014-06-04 21:12:40 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====

====> Established SA: 66.94.196.107[500]-66.94.196.108[500] cookie:588677c88a7381ca:ed7b7952f6d3b488 lifetime 28800 Sec <====

2014-06-04 21:12:40 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====

====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0xA0ED9187 <====

2014-06-04 21:12:40 [PROTO_NOTIFY]: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=588677c88a7381ca ed7b7952f6d3b488 (size=16).

2014-06-04 21:12:41 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:588677c88a7381ca:ed7b7952f6d3b488 <====

2014-06-04 21:12:51 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:588677c88a7381ca:ed7b7952f6d3b488 <====

2014-06-04 21:13:01 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:588677c88a7381ca:ed7b7952f6d3b488 <====

2014-06-04 21:13:10 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====

====> Failed SA: 66.94.196.107[500]-66.94.196.108[500] message id:0xA0ED9187 <==== Due to negotiation timeout.

2014-06-04 21:13:11 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====


Phase 2 Mismatch

notification message 14:NO-PROPOSAL-CHOSEN

What is the transform set on the ASA for this network?

What is your corresponding IPSEC policy on the 3020?

Sample IPSec Tunnel Configuration - Palo Alto Networks Firewall to Cisco ASA
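To make the reading above repeatable, here is an added example (not from the thread and not Palo Alto Networks code) that parses lines in the ikemgr.log format posted earlier and reports which stage failed. It relies on two facts from the IKEv1 RFCs: notification 14 is NO-PROPOSAL-CHOSEN (RFC 2408), and proto_id in the IPsec DOI is 1 for ISAKMP, 2 for AH and 3 for ESP (RFC 2407), so a NO-PROPOSAL-CHOSEN carrying proto_id=3, as in the log above, is the peer rejecting the ESP (phase 2) proposal rather than the IKE SA; 36136 R-U-THERE is the DPD keepalive (RFC 3706) and is unrelated to the failure. The sample log is a constructed excerpt of the lines shown in the thread; the function and constant names are this example's own.

```python
import re
from collections import Counter

# IPsec DOI protocol ids (RFC 2407 section 4.4.1). A NO-PROPOSAL-CHOSEN with
# proto_id=1 rejects the IKE SA itself (phase 1); proto_id=2/3 rejects an AH/ESP
# proposal, i.e. the phase-2 (Quick Mode) offer.
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP"}

PHASE_RE = re.compile(
    r"PHASE-(?P<phase>[12]) NEGOTIATION (?P<result>STARTED|SUCCEEDED|FAILED) "
    r"AS (?P<role>INITIATOR|RESPONDER)")
NOTIFY_RE = re.compile(
    r"notification message (?P<num>\d+):(?P<name>[A-Z0-9-]+), doi=\d+ proto_id=(?P<proto>\d+)")
SA_RE = re.compile(r"(?P<local>\d+\.\d+\.\d+\.\d+)\[\d+\]-(?P<peer>\d+\.\d+\.\d+\.\d+)\[\d+\]")

# Constructed excerpt in the ikemgr.log format shown in the thread (one failed attempt).
SAMPLE_LOG = """\
2014-06-04 21:12:01 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:0000000000000000 <====
2014-06-04 21:12:01 [INFO]: received Vendor ID: CISCO-UNITY
2014-06-04 21:12:01 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: 66.94.196.107[500]-66.94.196.108[500] cookie:880e62bac918006c:454780c80ace55a4 lifetime 28800 Sec <====
2014-06-04 21:12:01 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0x23521A9E <====
2014-06-04 21:12:01 [PROTO_NOTIFY]: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=880e62bac918006c 454780c80ace55a4 (size=16).
2014-06-04 21:12:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=25802d7bf6eca062 ba158c53d96c1487 (size=16).
2014-06-04 21:12:31 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: 66.94.196.107[500]-66.94.196.108[500] message id:0x23521A9E <==== Due to negotiation timeout.
"""


def parse_events(text):
    """Turn log lines into phase / notify / SA events; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PHASE_RE.search(line)
        if m:
            events.append({"type": "phase", "phase": int(m["phase"]),
                           "result": m["result"], "role": m["role"]})
            continue
        m = NOTIFY_RE.search(line)
        if m:
            proto = int(m["proto"])
            events.append({"type": "notify", "num": int(m["num"]), "name": m["name"],
                           "proto": PROTO_NAMES.get(proto, f"proto_id={proto}")})
            continue
        m = SA_RE.search(line)
        if m:
            events.append({"type": "sa", "local": m["local"], "peer": m["peer"],
                           "timeout": "negotiation timeout" in line})
    return events


def summarize(text):
    """Count phase-1 successes, phase-2 failures and notifications keyed by (name, protocol)."""
    s = {"phase1_succeeded": 0, "phase2_failed": 0, "timeouts": 0,
         "notifications": Counter(), "peers": set()}
    for e in parse_events(text):
        if e["type"] == "phase":
            if e["phase"] == 1 and e["result"] == "SUCCEEDED":
                s["phase1_succeeded"] += 1
            elif e["phase"] == 2 and e["result"] == "FAILED":
                s["phase2_failed"] += 1
        elif e["type"] == "notify":
            s["notifications"][(e["name"], e["proto"])] += 1
        else:
            s["peers"].add(e["peer"])
            s["timeouts"] += e["timeout"]
    return s


def classify(s):
    """Map the summary to the stage a practitioner should look at first."""
    n = s["notifications"]
    if n.get(("NO-PROPOSAL-CHOSEN", "ISAKMP")):
        return "PHASE1_PROPOSAL_REJECTED"
    if s["phase1_succeeded"] == 0:
        return "PHASE1_NOT_ESTABLISHED"
    if n.get(("NO-PROPOSAL-CHOSEN", "ESP")) or n.get(("NO-PROPOSAL-CHOSEN", "AH")):
        return "PHASE2_PROPOSAL_REJECTED"
    if s["phase2_failed"]:
        return "PHASE2_TIMEOUT"
    return "NO_FAILURE_SEEN"


HINTS = {
    "PHASE1_PROPOSAL_REJECTED": "peer rejected the IKE SA proposal: compare the IKE crypto profile with the ASA isakmp/ikev1 policy",
    "PHASE1_NOT_ESTABLISHED": "no phase-1 SA came up: check UDP/500 (and 4500 for NAT-T) reachability, peer IDs and the pre-shared key",
    "PHASE2_PROPOSAL_REJECTED": "peer rejected the ESP/AH proposal: compare the IPsec crypto profile with the ASA transform set and PFS group, then the proxy-IDs",
    "PHASE2_TIMEOUT": "quick mode timed out without a notify: look at the peer's IKE debug output",
    "NO_FAILURE_SEEN": "no negotiation failure in this excerpt",
}

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    verdict = classify(summary)
    print(f"peers: {sorted(summary['peers'])}")
    print(f"phase-1 established: {summary['phase1_succeeded']}, phase-2 failed: {summary['phase2_failed']}")
    for (name, proto), count in summary["notifications"].items():
        print(f"  notify {name} ({proto}) x{count}")
    print(f"{verdict}: {HINTS[verdict]}")
```

Run it against the full ikemgr.log (for example `python3 triage.py < ikemgr.log` after replacing SAMPLE_LOG with `sys.stdin.read()`); the point of keying the notification on proto_id is that the same NO-PROPOSAL-CHOSEN text means two different things depending on whether it names the ISAKMP SA or an ESP proposal.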

What is the transform set on the ASA for this network? ESP-AES-256-SHA (IKEv1) PFS-group1 (looking in the crypto maps)

What is your corresponding IPSEC policy on the 3020? ESP-AES-Sha1 (ipsec crypto)

The IPSec Crypto Profile on the PA defaults to group2 (group1, group2, group5 and group14 are available).

The ASA is indicating group 1

I have the ipsec crypto set to group 1

From the 3020 CLI, please provide the output for your profile configured for IPSec:

set cli config-output-format set

configure

show network ike crypto-profiles ipsec-crypto-profiles

From the ASA:

gather the line that starts with crypto ipsec transform-set that is configured for the crypto map.

Thanks

Here is from the PA

[edit]
admin@PA-3020_DR# show network ike crypto-profiles ipsec-crypto-profiles profiles
[edit]
admin@PA-3020_DR# show network ike crypto-profiles ipsec-crypto-profiles
set network ike crypto-profiles ipsec-crypto-profiles default esp encryption [ aes128 3des ]
set network ike crypto-profiles ipsec-crypto-profiles default esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles default dh-group group2
set network ike crypto-profiles ipsec-crypto-profiles default lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Peoria_IPSec_Profile esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles Peoria_IPSec_Profile esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles Peoria_IPSec_Profile lifetime hours 8
set network ike crypto-profiles ipsec-crypto-profiles Peoria_IPSec_Profile dh-group group1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto dh-group group1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto-1 esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto-1 esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto-1 lifetime hours 8
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto-1 dh-group group1
[edit]
admin@PA-3020_DR#

Cisco: I am not 100% sure what you are asking me to do here, so I just looked in the ASDM under Site-to-Site VPN \ Configuration \ Crypto Maps

transform set ikev1 ESP-AES-256-SHA

On the ASA CLI, or in the configuration output, I was looking for the assigned transform set.

Which of the crypto profiles on the 3020 is assigned to the VPN that is having issues?

Right now it's this one:

set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto lifetime hours 1

But I also tried this one:

set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto-1 dh-group group1
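Added example, not part of the thread: a small comparator that reads the PAN-OS set-format profile output posted above and the ASA running-config lines the reply asked for, normalizes the ASA transform-set keywords to PAN-OS names, and reports which of the fields the thread lists (encryption, authentication, PFS/DH group, lifetime) disagree. The PAN-OS lines are copied from the output above; the ASA lines are constructed for the example, and the crypto map name outside_map, its sequence number 1 and the 28800-second lifetime are assumptions. Run as-is it shows the default profile failing on both PFS group and cipher against ESP-AES-256-SHA with pfs group1, while Herget_Standard_IPSec_Crypto matches; a clean result here means the remaining suspects are the ones the replies name, the proxy-IDs and which profile is actually bound to the tunnel.

```python
import re

# Constructed inputs. The PAN-OS block reproduces the `set` output in the thread; the ASA
# block is the shape `show running-config crypto` prints (names/lifetime are assumptions).
PAN_SET_OUTPUT = """\
set network ike crypto-profiles ipsec-crypto-profiles default esp encryption [ aes128 3des ]
set network ike crypto-profiles ipsec-crypto-profiles default esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles default dh-group group2
set network ike crypto-profiles ipsec-crypto-profiles default lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Herget_Standard_IPSec_Crypto dh-group group1
"""
ASA_CRYPTO_OUTPUT = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 66.94.196.107
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
"""

# ASA transform-set keywords -> PAN-OS crypto-profile names
ASA_ENC = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128",
           "esp-aes-192": "aes192", "esp-aes-256": "aes256", "esp-null": "null"}
ASA_AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256"}
LIFETIME_UNITS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}

PAN_LINE = re.compile(r"^set network ike crypto-profiles ipsec-crypto-profiles (?P<name>\S+) (?P<rest>.+)$")
TS_LINE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (?P<name>\S+) (?P<transforms>.+)$")
MAP_LINE = re.compile(r"^crypto map (?P<map>\S+) (?P<seq>\d+) (?P<rest>.+)$")


def _values(token_str):
    # "aes256" -> {"aes256"}; "[ aes128 3des ]" -> {"aes128", "3des"}
    return set(token_str.strip("[] ").split())


def parse_pan_profiles(text):
    """Parse `show network ike crypto-profiles ipsec-crypto-profiles` in set format."""
    profiles = {}
    for line in text.splitlines():
        m = PAN_LINE.match(line.strip())
        if not m:
            continue
        p = profiles.setdefault(m["name"], {"encryption": set(), "authentication": set(),
                                            "dh_group": "no-pfs", "lifetime_s": None})
        rest = m["rest"].split(None, 2)          # e.g. ["esp", "encryption", "[ aes128 3des ]"]
        if rest[:2] == ["esp", "encryption"]:
            p["encryption"] = _values(rest[2])
        elif rest[:2] == ["esp", "authentication"]:
            p["authentication"] = _values(rest[2])
        elif rest[0] == "dh-group":
            p["dh_group"] = rest[1]
        elif rest[0] == "lifetime":
            p["lifetime_s"] = int(rest[2]) * LIFETIME_UNITS[rest[1]]
    return profiles


def parse_asa(text):
    """Return (transform sets by name, crypto-map entries by (map, seq))."""
    transform_sets, entries = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = TS_LINE.match(line)
        if m:
            ts = {"encryption": None, "authentication": None}
            for tok in m["transforms"].split():
                if tok in ASA_ENC:
                    ts["encryption"] = ASA_ENC[tok]
                elif tok in ASA_AUTH:
                    ts["authentication"] = ASA_AUTH[tok]
            transform_sets[m["name"]] = ts
            continue
        m = MAP_LINE.match(line)
        if not m:
            continue
        e = entries.setdefault((m["map"], int(m["seq"])),
                               {"pfs": "no-pfs", "transform_sets": [], "lifetime_s": None})
        rest = m["rest"].split()
        if rest[:2] == ["set", "pfs"]:            # no PFS line at all means no PFS on the ASA
            e["pfs"] = rest[2] if len(rest) > 2 else "unspecified"
        elif rest[:3] == ["set", "ikev1", "transform-set"]:
            e["transform_sets"] = rest[3:]
        elif rest[:2] == ["set", "transform-set"]:   # pre-8.4 syntax
            e["transform_sets"] = rest[2:]
        elif rest[:4] == ["set", "security-association", "lifetime", "seconds"]:
            e["lifetime_s"] = int(rest[4])
    return transform_sets, entries


def compare(pan, entry, transform_sets):
    """List hard mismatches (which produce NO-PROPOSAL-CHOSEN) separately from notes."""
    mismatches, notes = [], []
    if entry["pfs"] != pan["dh_group"]:
        mismatches.append(f"PFS/DH group: ASA {entry['pfs']} vs PAN-OS {pan['dh_group']}")
    usable = [n for n in entry["transform_sets"]
              if transform_sets[n]["encryption"] in pan["encryption"]
              and transform_sets[n]["authentication"] in pan["authentication"]]
    if not usable:
        offered = ", ".join(f"{n}={transform_sets[n]['encryption']}/{transform_sets[n]['authentication']}"
                            for n in entry["transform_sets"])
        mismatches.append(f"no ASA transform set matches PAN-OS "
                          f"{sorted(pan['encryption'])}/{sorted(pan['authentication'])}; ASA offers {offered}")
    if entry["lifetime_s"] is not None and pan["lifetime_s"] != entry["lifetime_s"]:
        notes.append(f"lifetime differs: ASA {entry['lifetime_s']}s vs PAN-OS {pan['lifetime_s']}s "
                     "(the shorter value normally wins in IKEv1; the thread's advice is to keep them equal)")
    return {"mismatches": mismatches, "notes": notes, "usable_transform_sets": usable}


if __name__ == "__main__":
    profiles = parse_pan_profiles(PAN_SET_OUTPUT)
    transform_sets, entries = parse_asa(ASA_CRYPTO_OUTPUT)
    for name, prof in profiles.items():
        result = compare(prof, entries[("outside_map", 1)], transform_sets)
        print(f"{name}: {'OK' if not result['mismatches'] else 'MISMATCH'}")
        for line in result["mismatches"] + result["notes"]:
            print(f"  - {line}")
```

The hard/soft split matters for reading the ASA message "all ipsec proposals found unacceptable": cipher, integrity and PFS group must match exactly for Quick Mode to succeed, whereas an unequal lifetime is normally negotiated rather than rejected, so it belongs in the notes rather than in the mismatch list.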
