Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Proxy ID

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Proxy ID

L4 Transporter

How can you tell what proxy ID's need to be configured on a PA that has VPN tunnels to a Cisco ASA 5505?

63 REPLIES 63

On the network tab/ipsec tunnels reading the console from left to right which status refers to the ike phase 1 and which refers to the ipsec phase 2 - with regard to the status green/red bubbles

Hi Infortech,

IPsec is configured in passive mode, please disable it. Follow bellow instructions. Let me know if that works.

Network > Network Profiles > IKE Gateway.

VPN_Configure.png

Hello Infotech,

I hope, you have configured the PA to work in Passive mode. But, above mentioned CLI command will initiate the tunnel as an Initiator ( not as responder). It would be better to initiate the tunnel from CISCO and then monitor the ikemgr.logs.

Thanks

HI Info tech,

First one on the left hand side is IPsec, second one is IKE. You can read first line it has tagging for IKE & Tunnel. That helps to verify requested information.

Regards,

Hardik Shah

Yes it is configured in passive mode for testing, I can take it out of passive mode and try again. What difference will it make if its in passive mode?

Yes I put it in passive mode because everything else I have tried to this point has not resolved the issue and it appeared to be failing as the initiator so I was going to let the ASA on the other end initiate

If tunnel is in passive mode than only way to bring it up is to do testing from other end.

Basically it doesnt initiate tunnel, but only accepts tunnel invite. Very passive !!!

Everything I have looked up says you cannot initiate the tunnel from the cisco asa 5505 side, unless I am not reading the correct information

In other words it can accept inbound call, but can not make outbound call Smiley Happy

HI Infotech,

Is there a reason why ASA can not initiate VPN tunnel ?

Regards,

Hardik Shah

Yes I set it that way because the PA  was failing as the initiator and I wanted to see if the cisco was the initiator the tunnel would stay up

I don't know if the cisco can or cannot initiate the tunnel I just don't know a way to manually force it to try to initate the tunnel.

Hello Infotech,

If you try to send traffic through that tunnel (from CISCOside), it will automatically initiate the tunnel and Cisco will become initiator.

Thanks

So do a ping test? Is there a particular way to do that from the cisco side?

Yes, a ping test will work. ( make sure that a valid route available in cisco to force that traffic to go inside the tunnel)

Thanks

  • 14872 Views
  • 63 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!