04-05-2018 04:40 PM
First thing,
I know there are postings about this out on the web and in the community. The problem I'm having is that everything out there is on old ASA code.
I'm trying to understand the configuration on the PA. I have my tunnel interface configured, IKE Crypto, IPSec Crypto, IKE Gateway, and IPSec Tunnel. I can't get the Phase 1 to come up. I've verified the DH Groups, Authentication, and Encryption settings are the same on both sides. Can someone point me in a direction where they think my problem might be?
Thanks for any help given,
04-06-2018 08:30 AM
Did you verify that your proxy-IDs are set up correctly? As @santonic stated, logs would be the thing that will tell you what's actually happening.
04-06-2018 08:31 AM
I'll be pulling those soon.
04-06-2018 08:35 AM
So that's one of the things I was needing to understand.
Am I creating a PID for every host that has access over the tunnel?
Or does a subnet range work for this?
On the ASA side I have an ACL just allowing a few hosts to access the tunnel.
04-06-2018 08:45 AM
Cisco is policy-based while the Palo Alto is route-based. The Palo Alto is essentially defaulting to 0.0.0.0/0 source and 0.0.0.0/0 destination. If they don't match, things aren't going to form correctly. You can use a network range as long as that's what the ASA is sending; if they don't match you'll still have an issue.
04-06-2018 08:54 AM
Initiate vpn traffic from ASA side and check logs on Palo.
Monitor > System
If you can't identify issue yourself then share logs here.
04-08-2018 11:57 PM
The ACL for the crypto-map on Cisco and the Proxy IDs on the PA must match for the VPN to work. While the PA isn't too strict about exact matches, policy-based FWs like the ASA usually are.
But check logs first, you will find the answer there.
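The replies above say the ASA's crypto-map ACL and the PA's proxy-IDs have to match, and that with no proxy-ID configured the PA offers 0.0.0.0/0 on both sides. The part that usually goes wrong in practice is direction: the ASA ACL is written from the ASA's point of view (source = networks behind the ASA, destination = networks behind the PA), so the matching PA proxy-ID is the mirror image, PA local = ASA destination and PA remote = ASA source. The script below is an added example, not code from the thread or from either vendor: it parses a pasted ASA crypto ACL, derives the proxy-ID pairs the PA needs, and reports entries that are missing, extra, or entered with local/remote swapped. All addresses and the ACL name VPN-TO-PA are constructed for the example. A mismatch here shows up as a Phase 2 (quick mode / proxy-ID) failure in Monitor > System, not as a Phase 1 problem.

```python
"""Mirror-check an ASA crypto-map ACL against Palo Alto proxy-IDs.

Added example, not from the original thread or from either vendor. ASA
source = ASA-side networks, ASA destination = networks behind the PA, so the
PA proxy-ID is the mirror: PA local = ASA destination, PA remote = ASA source.
All addresses below are constructed for the example.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[str, str]  # (PA local, PA remote) in CIDR form

# With no proxy-ID configured the PA offers 0.0.0.0/0 <-> 0.0.0.0/0 (route-based default).
PA_DEFAULT_PROXY_ID: Pair = ("0.0.0.0/0", "0.0.0.0/0")


def _addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume one ASA address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D M.M.M.M": ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_asa_crypto_acl(text: str) -> List[Tuple[Net, Net]]:
    """Return (src, dst) networks for every 'extended permit ip' ACE.
    Object/object-group ACEs are not expanded here; paste the expanded
    output of 'show access-list <name>' instead."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
            continue
        if "object-group" in t or "object" in t:
            raise ValueError(f"expand objects before checking: {line.strip()}")
        src, i = _addr(t, 5)
        dst, _ = _addr(t, i)
        entries.append((src, dst))
    return entries


def expected_proxy_ids(asa_entries: List[Tuple[Net, Net]]) -> List[Pair]:
    """Mirror each ACE: PA local = ASA destination, PA remote = ASA source."""
    return sorted({(dst.with_prefixlen, src.with_prefixlen) for src, dst in asa_entries})


def _norm(pair: Pair) -> Pair:
    """Canonical CIDR text so 10.1.2.0/255.255.255.0 and 10.1.2.0/24 compare equal."""
    return tuple(ipaddress.ip_network(p).with_prefixlen for p in pair)


def compare(asa_acl: str, pa_proxy_ids: List[Pair]) -> Dict[str, List[Pair]]:
    """Diff the proxy-IDs the ASA ACL implies against what is configured on the PA."""
    expected = set(expected_proxy_ids(parse_asa_crypto_acl(asa_acl)))
    configured = {_norm(p) for p in (pa_proxy_ids or [PA_DEFAULT_PROXY_ID])}
    extra = configured - expected
    return {
        "missing_on_pa": sorted(expected - configured),
        "extra_on_pa": sorted(extra),
        # an extra entry whose reverse is expected was entered with local/remote swapped
        "swapped": sorted(p for p in extra if (p[1], p[0]) in expected),
    }


def proxy_ids_match(asa_acl: str, pa_proxy_ids: List[Pair]) -> bool:
    """True only when the PA proxy-IDs exactly mirror the ASA crypto ACL."""
    r = compare(asa_acl, pa_proxy_ids)
    return not r["missing_on_pa"] and not r["extra_on_pa"]


# Constructed sample ASA crypto ACL: two hosts and one subnet allowed over the tunnel
ASA_ACL = """
access-list VPN-TO-PA extended permit ip host 10.1.1.5 192.168.10.0 255.255.255.0
access-list VPN-TO-PA extended permit ip host 10.1.1.6 192.168.10.0 255.255.255.0
access-list VPN-TO-PA extended permit ip 10.1.2.0 255.255.255.0 192.168.10.0 255.255.255.0
"""

# Constructed PA proxy-IDs as (local, remote): one correct, one swapped, one missing
PA_PROXY_IDS_WRONG = [("192.168.10.0/24", "10.1.1.5/32"), ("10.1.1.6/32", "192.168.10.0/24")]
# The set the PA actually needs, derived from the ACL
PA_PROXY_IDS_RIGHT = expected_proxy_ids(parse_asa_crypto_acl(ASA_ACL))

if __name__ == "__main__":
    for k, v in compare(ASA_ACL, PA_PROXY_IDS_WRONG).items():
        print(k, v)
    print("fixed:", proxy_ids_match(ASA_ACL, PA_PROXY_IDS_RIGHT))
```

Run it with the ACL pasted from the ASA and the proxy-IDs from Network > IPSec Tunnels > Proxy IDs on the PA; each tuple in missing_on_pa is one proxy-ID entry to add, and anything in swapped was typed with local and remote reversed. An empty proxy-ID list is treated as the 0.0.0.0/0 pair the PA sends by default, which only matches an ASA ACL of `permit ip any any`.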