S2S VPN Between PA and Cisco ASA

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

S2S VPN Between PA and Cisco ASA

L2 Linker

Hello! 

 

I've spent the last 2 days trying to get an IPSec tunnel working between a PAN 200 and Cisco ASA5505 but all my attempts have failed. I am not sure what the issue is and would reall appreciate any assistance to point me in the right direction.

 

This is a very simply setup.  I've configured both sides properly but for some reason the tunnel won't come up. Here are the config of both the PA and ASA: 

 

 

PA 200:

IKE Crypto: IKEPhase1_To_ASA
DH Group: group 2
Authentication: sha1
Encryption: 3des
Key lifetime: 1 day
 
IPsec Crypto: IKEPhase2_To_ASA
DH Group: group 2
Authentication: sha1
Encryption: 3des
Key lifetime: 1 day
Lifesize: 4608MB
 
IKE Gateway: STS_VPN_To_ASA
Version: IKEv1 only mode
Interface: e1/1
Peer IP Address: 172.16.200.1
PSK: cisco
Local Id: 172.16.200.2
Peer Id: 172.16.200.1
IKEv1 Exchange Mode: main
 
IKE Crypto Profile: IKEPhase1_To_ASA
IPSec Tunnel
Tunnel Interface: tunnel.2
Type: Auto Key
IKE Gateway: STS_VPN_To_ASA
IPSec Crypto Profile: IKEPhase2_To_ASA
Proxy IDs: ASA_LAN_TO_LAN
Local: 10.48.11.150/24
Remote: 192.168.1.200/24
 
VR1:
Static Route
Destination 192.168.1.0/24
Interface: tunnel.2

System Monitor Logs:
IKE phase-1 SA is expired SA: 172.16.200.2[500]-172.16.200.1[5] cookieL 19e72...

 
=============================================================================
 
ASA 5505: 

asa-01# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname asa-01
 
 
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan100
nameif outside
security-level 0
ip address 172.16.200.1 255.255.255.0
!
interface Vlan200
nameif inside
security-level 100
ip address 192.168.1.200 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 100
!
interface Ethernet
!
ftp mode passive
access-list ALLOWED_TRFC_TO_PAN extended permit ip 192.168.1.0 255.255.255.0 10.48.11.0 255.255.255.0
access-list ALLOWED_TRFC_TO_PAN extended permit icmp 192.168.1.0 255.255.255.0 10.48.11.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.48.11.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 172.16.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map ASA_TO_PAN_MAP 10 match address ALLOWED_TRFC_TO_PAN
crypto map ASA_TO_PAN_MAP 10 set peer 172.16.200.2
crypto map ASA_TO_PAN_MAP 10 set transform-set MYSET
crypto map ASA_TO_PAN_MAP 10 set security-association lifetime seconds 86400
crypto map ASA_TO_PAN_MAP 10 set security-association lifetime kilobytes 4608000
crypto map ASA_TO_PAN_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.200.2 type ipsec-l2l
tunnel-group 172.16.200.2 ipsec-attributes
pre-shared-key *
 
!
class-map inspection_default
match default-inspection-traffic
!
 
: end
asa-01#
-----
Best, ~sK 
8 REPLIES 8

L6 Presenter

Hi,

 

l am not sure if your Proxy IDs look right (host with /24 subnet mask and the whole subnet from ASA side).

@BPry will be able to help, l am sure 🙂

 

Cyber Elite
Cyber Elite

@Sadik_Khirbash,

Honestly there is a bit here that I wouldn't say is 'right' in the way that I setup site-to-site tunnels, that being said I'm not going to say that the way I configure them is the 'correct' way either. @TranceforLife is correct though your proxy IDs I would say are wrong, I generally would use the actual network ranges, so for example 10.191.0.0/16 or 192.168.100.0/24 and so on. 

Without knowing what your configuration actually states the following bugs me a bit on the IKE Gateway configuration; but that's probably just because I can't see the entire device config and it's likely fine.

Local Id: 172.16.200.2
Peer Id: 172.16.200.1
 

What does your ike logs say on both devices, that should give you a fair insight into what is actually going on? The easiest way to really troubleshoot any of this is the logs on both devices as it will generally get you pointed in the proper direction. 

 

Hi @Sadik_Khirbash

 

A few things I noticed on my end here when looking at your configuration. Although you are not showing the Phase 2 configuration on the PAN side, it is easy to spot how it should look like by looking at your ASA config.

 

As @BPry mentioned,

Unless there is a specific reason you should not have to specify the Local and Peer ID if the VPN is between gateways with static IP addresses. In other words, unless your two firewalls are using dynamic IP address for the public IP, you should not define a Local and Peer IP whatosever, otherwise, it will mess up the phase 1 negotiation. If that's the case for you, and you really need to use this configuration, make sure that it is also properly defined on the remote side of the connection, in this case the ASA.

Local Id: 172.16.200.2
Peer Id: 172.16.200.1
 
Second, confirm your phase 2 ProxyID configuration on the PAN side. It should be mirrored exactly the way your ASA is showing, but in opposite directions.

PAN200 - IPSEC Phase 2:

ProxyID1
Local: 10.48.11.0/24
Remote: 192.168.1.0

 

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-VPN/ta-p/68931

 

Also, run the following commands to troubleshoot and if you can post the output that would help us to assist you:

Step 1: Open two Putty sessions to your PA-200. On Screen One, run the follwoing command: 

tail follow yes ike tail follow yes mp-log ikemgr.log

Step 2: On Screen two run the following command:

Test Phase 1

test vpn ike-sa

Step 3: Go back to Screen One and read the outputs. if you can copy and post in this thread that would be help us to analyze the messages.

 

Let us know how it goes.

 

 

 

Thanks all for the input. 

 

@acc6d0b3610eec313831f7900fdbd235, I tried to use this command but it was inavliad. 

tail follow yes ike tail follow yes mp-log ikemgr.log

The PAN's side Phase 2 config is as follows: 

 

 

IPsec Crypto: IKEPhase2_To_ASA
DH Group: group 2
Authentication: sha1
Encryption: 3des
Key lifetime: 1 day
Lifesize: 4608MB
======================================================================================
 
I have tried to config the Proxy IDs as listed above and also tried/played with using differnt prefixs but that didn't make any effect.
 
The phase 1 and phase 2 parameters of the ASA and PA are identical as I listed above. 
 
Let me know what other info you'd like me to post that will be helpful. 
 
Best,, ~sK 
 
 

Hi @Sadik_Khirbash

My apologies for my fat finger. The command is:

tail follow yes mp-log ikemgr.log

 The phase 2 ProxyID is a crucial piece of this configuration, and it would be important for us that you ensure it configured properly. The concern is not the Phase 2 paramenters, but the Proxy ID configuration at this point.

That's how your Proxy ID should be configured on the PA-200 side.

ProxyID1.PNG

Run the above command and post the output for us, then maybe we can shine some light on it for you 🙂

 

@acc6d0b3610eec313831f7900fdbd235.. Thanks for the prompt response.  I did change the Proxy IDs to what you specified. Here's the output after executing the command: 

 

rbash@PA-200> tail follow yes mp-log ikemgr.log
2017-07-11 16:13:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:13:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:13:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:14:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:14:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:14:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:14:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:14:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:14:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:15:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:15:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:15:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).

2017-07-11 16:15:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:15:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:15:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:16:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).

2017-07-11 16:16:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:16:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:16:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:16:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:16:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:17:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:17:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:17:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:17:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:17:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:17:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:18:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:18:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:18:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:18:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:18:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:18:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:19:04.175 -0700 ikemgr: panike_daemon phase 1 started, config size 17633
2017-07-11 16:19:04.178 -0700 ikemgr: panike_daemon phase 1 step 2 finished
2017-07-11 16:19:04.329 -0700 ikemgr: panike_daemon phase 1 step 4 finished
2017-07-11 16:19:04.329 -0700 pan IKE cfg phase-1 triggered.
2017-07-11 16:19:04 [INFO]: loading new config from /tmp/.rtoFSH
2017-07-11 16:19:05.130 -0700 ikemgr: panike_daemon phase 1 step 5 finished
2017-07-11 16:19:05.130 -0700 ikemgr: panike_daemon phase 1 config change detected
2017-07-11 16:19:05.130 -0700 ikemgr: panike_daemon phase 1 finished with status 1
2017-07-11 16:19:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:19:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:19:25.090 -0700 ikemgr: panike_daemon phase 2 started
2017-07-11 16:19:25.090 -0700 pan IKE cfg phase-2 triggered.
2017-07-11 16:19:25 [INFO]: VPN tunnel IPSec_Tunnel:ASA_LAN_TO_LAN(S2S_VPN_To_ASA) changed, deleting SA
2017-07-11 16:19:25 [INFO]: VPN tunnel IPSec_Tunnel:ASA_LAN_TO_LAN(S2S_VPN_To_ASA) changed, deleting SA
2017-07-11 16:19:25.091 -0700 ikemgr: panike_daemon phase 2 finished
2017-07-11 16:19:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:19:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:19:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:19:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:20:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:20:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:20:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:20:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:20:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:20:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:21:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:21:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:21:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:21:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:21:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:21:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:22:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:22:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:22:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:22:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:22:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:22:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:23:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:23:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:23:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:23:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:23:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:23:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).
2017-07-11 16:24:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7d59e57bd6c54727 c40ffc76ee828c4e (size=16).

Hi,

 

Disable DPD for now. Enable debug mode so we can get more info:

 

> debug ike global on debug

xxxxxxxxxx> debug ike global show

sw.ikedaemon.debug.global: debug

 

then 

 

> test vpn ike-sa gateway (your gateway)

 

then 

 

> tail follow yes mp-log ikemgr.log

 

Configure debug back to "normal" mode:

 

> debug ike global on normal

What version is PA-200 running?

  • 7835 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!