12-21-2016 04:00 AM - edited 12-22-2016 04:55 AM
Hi,
We have configured a site-to-site VPN between Palo Alto and Cisco ASA. However, both sites are static and PA is the initiator; the ACL is configured properly on the Cisco side, but I got the error:
"IKE Phase-2 negotiation is failed as initiator, quick mode, Failed SA: 213.42.x.x [4500] - 185.141.x.x [4500] message id:xxxxx. Due to negotiation timeout".
Proxy IDs on PA are: Local: 10.12.20.11, Remote: 192.168.248.215
ACL on Cisco: access-list TEST extended permit ip object NETWORK_OBJ_192.168.248.215 object TEST_OBJECT
Where TEST_OBJECT is 10.12.20.11
I tried a different transform-set on both sides, but it's still the same.
Currently on PA: 3des-SHA1-DH5, lifetime 1 day
Currently on Cisco:
crypto map FEWA_IPSEC_MAP 4 match address TEST
crypto map FEWA_IPSEC_MAP 4 set pfs group5
crypto map FEWA_IPSEC_MAP 4 set peer 213.42.x.x
crypto map FEWA_IPSEC_MAP 4 set ikev1 transform-set ESP-3DES-SHA-TRANS
crypto map FEWA_IPSEC_MAP 4 set security-association lifetime seconds 86400
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Usually when I troubleshoot the Cisco side I don't have the transform-set ending with TRANS, but as the client said, it's just a "name" for the transform-set. Can anyone with Cisco experience confirm this?
Regards,
Sharief
12-26-2016 03:11 AM
Hi,
Just a quick update. The client sent the "complete" configurations on ASA and we found the following:
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
PAN doesn't support transport mode; it only works with tunnel mode.
After removing this command the tunnel came up.
Thanks for your help.
Regards,
Sharief
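To make the phase-2 comparison above repeatable, here is an added example (not code from the thread or from either vendor) that pulls the phase-2 parameters out of an ASA IKEv1 crypto-map entry and lines them up against the Palo Alto proposal and proxy IDs. The ASA excerpt is constructed from the lines posted in this thread (peer address kept masked as 213.42.x.x) and deliberately includes the `mode transport` line that turned out to break quick mode; the PA values and the keyword tables are assumptions for the example.

```python
"""Check an ASA IKEv1 crypto-map entry against the Palo Alto phase-2 settings.

Added example, not code from the thread. The ASA excerpt is constructed from the
lines posted above (peer address kept masked as 213.42.x.x) and deliberately
includes the 'mode transport' line that turned out to break quick mode.
"""
import re

# Palo Alto side as described in the thread: 3des-SHA1-DH5, lifetime 1 day,
# proxy IDs 10.12.20.11 <-> 192.168.248.215. PA IPsec tunnels are tunnel mode only.
PA_PHASE2 = {
    "encryption": "3des",
    "auth": "sha1",
    "pfs_group": "group5",
    "lifetime_seconds": 86400,
    "mode": "tunnel",
    "local": "10.12.20.11",
    "remote": "192.168.248.215",
}

ASA_CONFIG = """
object network NETWORK_OBJ_192.168.248.215
 host 192.168.248.215
object network TEST_OBJECT
 host 10.12.20.11
access-list TEST extended permit ip object NETWORK_OBJ_192.168.248.215 object TEST_OBJECT
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto map FEWA_IPSEC_MAP 4 match address TEST
crypto map FEWA_IPSEC_MAP 4 set pfs group5
crypto map FEWA_IPSEC_MAP 4 set peer 213.42.x.x
crypto map FEWA_IPSEC_MAP 4 set ikev1 transform-set ESP-3DES-SHA-TRANS
crypto map FEWA_IPSEC_MAP 4 set security-association lifetime seconds 86400
crypto map FEWA_IPSEC_MAP interface outside
"""

# ASA transform-set keywords mapped onto the names the PA GUI uses.
ESP_ENC = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128",
           "esp-aes-192": "aes192", "esp-aes-256": "aes256"}
ESP_AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256"}


def parse_asa(config: str, map_name: str, seq: int) -> dict:
    """Extract the phase-2 parameters for one crypto-map entry from ASA config text."""
    objects, ts_cipher, ts_mode, acls = {}, {}, {}, {}
    # 28800 s is the ASA default SA lifetime when none is set on the entry.
    entry = {"acl": None, "ts": None, "pfs_group": None, "lifetime_seconds": 28800, "interface": None}
    cur_obj = None
    cm = re.escape(f"crypto map {map_name}")
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"object network (\S+)", line):
            cur_obj = m.group(1)
        elif cur_obj and (m := re.fullmatch(r"host (\S+)", line)):
            objects[cur_obj] = m.group(1)
        elif m := re.fullmatch(r"crypto ipsec ikev1 transform-set (\S+) mode (tunnel|transport)", line):
            ts_mode[m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"crypto ipsec ikev1 transform-set (\S+) (esp-\S+) (esp-\S+-hmac)", line):
            ts_cipher[m.group(1)] = (m.group(2), m.group(3))
        elif m := re.fullmatch(r"access-list (\S+) extended permit ip object (\S+) object (\S+)", line):
            acls[m.group(1)] = (m.group(2), m.group(3))
        elif m := re.fullmatch(rf"{cm} interface (\S+)", line):
            entry["interface"] = m.group(1)
        elif m := re.fullmatch(rf"{cm} {seq} match address (\S+)", line):
            entry["acl"] = m.group(1)
        elif m := re.fullmatch(rf"{cm} {seq} set pfs(?: (\S+))?", line):
            entry["pfs_group"] = m.group(1) or "group2"  # bare 'set pfs' means group2 on ASA
        elif m := re.fullmatch(rf"{cm} {seq} set ikev1 transform-set (\S+)", line):
            entry["ts"] = m.group(1)
        elif m := re.fullmatch(rf"{cm} {seq} set security-association lifetime seconds (\d+)", line):
            entry["lifetime_seconds"] = int(m.group(1))
    enc, auth = ts_cipher.get(entry["ts"], (None, None))
    src, dst = acls.get(entry["acl"], (None, None))
    return {
        "encryption": ESP_ENC.get(enc),
        "auth": ESP_AUTH.get(auth),
        "pfs_group": entry["pfs_group"],
        "lifetime_seconds": entry["lifetime_seconds"],
        "mode": ts_mode.get(entry["ts"], "tunnel"),  # tunnel is the ASA default
        "local": objects.get(src),   # ACL source is the ASA's own side of the tunnel
        "remote": objects.get(dst),
        "interface": entry["interface"],
    }


def compare(pa: dict, asa: dict) -> list:
    """Return (field, pa_value, asa_value) for every phase-2 setting that does not line up."""
    problems = [(k, pa[k], asa[k]) for k in ("encryption", "auth", "pfs_group", "lifetime_seconds", "mode")
                if pa[k] != asa[k]]
    # The ASA ACL is written from the ASA's point of view, so it must mirror the PA proxy ID.
    if (pa["local"], pa["remote"]) != (asa["remote"], asa["local"]):
        problems.append(("proxy_id", (pa["local"], pa["remote"]), (asa["remote"], asa["local"])))
    if asa["interface"] is None:
        problems.append(("interface", "crypto map bound to an interface", None))
    return problems


def check(config: str) -> list:
    return compare(PA_PHASE2, parse_asa(config, "FEWA_IPSEC_MAP", 4))


# The fix from the thread: drop the 'mode transport' line (the ASA then defaults to tunnel mode).
FIXED_CONFIG = ASA_CONFIG.replace(
    "crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport\n", "")

if __name__ == "__main__":
    print("as received:           ", check(ASA_CONFIG))
    print("transport line removed:", check(FIXED_CONFIG))
```

Run as-is it reports only `('mode', 'tunnel', 'transport')`, and an empty list once the `mode transport` line is gone, which matches what the client saw. The parser only understands the object-based ACL form and the single transform-set per entry used in this thread; a real review would also cover network/mask ACL entries and multiple transform-sets on one crypto-map sequence.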
12-21-2016 04:07 AM
Logs on Cisco (responder):
5|Dec 20 2016|15:10:06|713119|||||Group = 213.42.x.x, IP = 213.42.x.x, PHASE 1 COMPLETED
6|Dec 20 2016|15:10:06|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = 213.42.x.x
6|Dec 20 2016|15:10:06|713905|||||Group = 213.42.x.x, IP = 213.42.x.x, Floating NAT-T from 213.42.x.x port 500 to 213.42.x.x port 4500
6|Dec 20 2016|15:10:06|713172|||||Group = 213.42.x.x, IP = 213.42.x.x, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device
5|Dec 20 2016|15:09:47|713904|||||IP = 213.42.x.x, Received encrypted packet with no matching SA, dropping
5|Dec 20 2016|15:09:39|713904|||||IP = 213.42.x.x, Received encrypted packet with no matching SA, dropping
5|Dec 20 2016|15:09:34|713904|||||IP = 213.42.x.x, Received encrypted packet with no matching SA, dropping
5|Dec 20 2016|15:09:31|713904|||||IP = 213.42.x.x, Received encrypted packet with no matching SA, dropping
4|Dec 20 2016|15:09:29|113019|||||Group = 213.42.x.x, Username = 213.42.x.x, IP = 213.42.x.x, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|Dec 20 2016|15:09:29|713259|||||Group = 213.42.x.x, IP = 213.42.x.x, Session is being torn down. Reason: Phase 2 Mismatch
3|Dec 20 2016|15:09:29|713902|||||Group = 213.42.x.x, IP = 213.42.x.x, Removing peer from correlator table failed, no match!
3|Dec 20 2016|15:09:29|713902|||||Group = 213.42.x.x, IP = 213.42.x.x, QM FSM error (P2 struct &0x00007fff985da760, mess id 0xa5f29183)!
5|Dec 20 2016|15:09:29|713904|||||Group = 213.42.x.x, IP = 213.42.x.x, All IPSec SA proposals found unacceptable!
Regards,
Sharief
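The ASA log above is exported newest-first, and message ID 713904 carries several unrelated texts, so reading it by eye is error-prone. The following is an added example (not code from the thread) that reorders such a pipe-separated export chronologically, counts the text markers that distinguish a phase-1 failure from a rejected quick-mode proposal, and returns a verdict. The sample lines are a trimmed, constructed copy of the ones posted above (peer kept masked as 213.42.x.x); the marker patterns and verdict names are this example's own heuristics.

```python
"""Triage ASA IKEv1 syslog lines (pipe-separated export) into a phase-1 / phase-2 verdict.

Added example, not from the thread. SAMPLE is a constructed, trimmed copy of the lines
posted above (peer kept masked as 213.42.x.x); the export format is
severity|date|time|message-id|...|text.
"""
from datetime import datetime
import re

SAMPLE = """
5|Dec 20 2016|15:10:06|713119|||||Group = 213.42.x.x, IP = 213.42.x.x, PHASE 1 COMPLETED
6|Dec 20 2016|15:10:06|713905|||||Group = 213.42.x.x, IP = 213.42.x.x, Floating NAT-T from 213.42.x.x port 500 to 213.42.x.x port 4500
5|Dec 20 2016|15:09:47|713904|||||IP = 213.42.x.x, Received encrypted packet with no matching SA, dropping
5|Dec 20 2016|15:09:39|713904|||||IP = 213.42.x.x, Received encrypted packet with no matching SA, dropping
5|Dec 20 2016|15:09:34|713904|||||IP = 213.42.x.x, Received encrypted packet with no matching SA, dropping
5|Dec 20 2016|15:09:31|713904|||||IP = 213.42.x.x, Received encrypted packet with no matching SA, dropping
4|Dec 20 2016|15:09:29|113019|||||Group = 213.42.x.x, Username = 213.42.x.x, IP = 213.42.x.x, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|Dec 20 2016|15:09:29|713259|||||Group = 213.42.x.x, IP = 213.42.x.x, Session is being torn down. Reason: Phase 2 Mismatch
3|Dec 20 2016|15:09:29|713902|||||Group = 213.42.x.x, IP = 213.42.x.x, QM FSM error (P2 struct &0x00007fff985da760, mess id 0xa5f29183)!
5|Dec 20 2016|15:09:29|713904|||||Group = 213.42.x.x, IP = 213.42.x.x, All IPSec SA proposals found unacceptable!
""".strip().splitlines()

# Match on text, because 713904 is a generic message ID that carries several different texts.
MARKERS = {
    "phase1_completed": re.compile(r"PHASE 1 COMPLETED"),
    "proposal_rejected": re.compile(r"All IPSec SA proposals found unacceptable"),
    "qm_fsm_error": re.compile(r"QM FSM error"),
    "phase2_mismatch": re.compile(r"Reason: Phase 2 Mismatch"),
    "no_matching_sa": re.compile(r"no matching SA"),
    "nat_t": re.compile(r"Floating NAT-T"),
}


def parse(line: str) -> dict:
    """Split one exported line; the empty columns between message ID and text are ignored."""
    sev, date, clock, msgid, *_, text = line.split("|")
    return {"ts": datetime.strptime(f"{date} {clock}", "%b %d %Y %H:%M:%S"),
            "sev": int(sev), "id": msgid, "text": text}


def diagnose(lines) -> dict:
    """Order the lines chronologically (the export is newest-first) and count the markers."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    counts = {name: 0 for name in MARKERS}
    for ev in events:
        for name, rx in MARKERS.items():
            if rx.search(ev["text"]):
                counts[name] += 1
    if counts["proposal_rejected"] or counts["qm_fsm_error"] or counts["phase2_mismatch"]:
        # Phase 1 got through and the responder rejected quick mode: transform-set, PFS group,
        # lifetime, tunnel/transport mode or proxy ID/ACL on the two sides disagree.
        verdict = "phase2_proposal_rejected"
    elif counts["phase1_completed"]:
        verdict = "phase1_ok_no_phase2_error"
    else:
        verdict = "phase1_not_completed"
    return {"verdict": verdict, "counts": counts,
            "window": (events[0]["ts"], events[-1]["ts"]) if events else None}


if __name__ == "__main__":
    result = diagnose(SAMPLE)
    print(result["verdict"], result["counts"])
```

On the sample it reports `phase2_proposal_rejected` with one PHASE 1 COMPLETED and four "no matching SA" drops, which is the sequence to expect when the initiator keeps sending encrypted IKE packets for a session the ASA already tore down. The verdict tells you which half of the configuration to stare at; it cannot say which phase-2 parameter is wrong, since the ASA does not log the rejected proposal's contents at this level.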
12-21-2016 04:14 AM - edited 12-21-2016 04:16 AM
Hi,
https://blog.webernetz.net/2014/01/27/ipsec-site-to-site-vpn-palo-alto-cisco-asa/
Do you have your Proxy ID configured on PA?
"Due to negotiation timeout" > indicates a Proxy ID issue
Thx,
Myky
12-21-2016 04:17 AM
Hi TranceForLife,
Yes. Local: 10.20.12.11 Remote: 192.168.248.215
12-21-2016 04:20 AM - edited 12-21-2016 04:21 AM
Oh, missed that bit. OK. Can you put PA in passive mode and get ikemgr.log? So Palo will be the responder. Also, can you post the ikemgr.log file output?
12-21-2016 04:29 AM - edited 12-21-2016 04:32 AM
Hi TranceForLife,
The client wants PA to be the initiator only. They cannot initiate from the Cisco side.
ikemgr.log will be posted soon.
12-21-2016 06:44 AM
Just as an FYI it's always easier in these types of situations to have the PA be the responder instead of the initiator. The ikemgr.log will help determine where things are actually getting held up.
12-21-2016 11:27 PM
Hi BPry,
Yes, I know that, but things don't work like that here; if the client (critical government entity) says they want us to be the initiator, then that's it.
Below is the ikemgr.log he sent to me:
admin@DC-FW01(active)> tail follow yes mp-log ikemgr.log
4f9020db 78c9ff8e 464ffb6c 7b9d0d7a c8a994df 45e3c063 6e53b252 250b51a0
38d09ca4 9dc1b5f2 61f58a4e db939b4c 94f8628e d179a88f 79efdd98
2016-12-13 13:35:32 [DEBUG]: isakmp_inf.c:807:isakmp_info_send_common(): sendto Information notify.
2016-12-13 13:35:32 [DEBUG]: oakley.c:3345:oakley_delivm(): IV freed
2016-12-13 13:35:32 [DEBUG]: isakmp_inf.c:1577:isakmp_info_recv_r_u(): received a valid R-U-THERE, ACK sent
2016-12-13 13:35:32 [PROTO_NOTIFY]: isakmp_inf.c:1161:isakmp_info_recv_n(): notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=6bcbcec39d54fe73 f93698142a05fcbe (size=16).
2016-12-13 13:35:35.342 +0400 debug: ifmon_request_put(daemon/panike_sysd_if.c:1391): 16 write to pipe: debug_level
2016-12-13 13:35:35.342 +0400 debug: ifmon_request_get(daemon/panike_sysd_if.c:1407): 16 read from pipe, msg type 1
2016-12-13 13:35:35.342 +0400 debug: pan_msg_process(daemon/panike_sysd_if.c:1529): request from pipe: debug_level
2016-12-13 13:35:35 [INFO]: panike_sysd_impl.c:206:panike_debug_level_cb(): panike_debug_level_cb 5 => 0
Regards,
Sharief
12-21-2016 11:36 PM
Check if Cisco is maybe trying to initiate a route-based or GRE type of tunnel.
12-22-2016 01:47 AM - edited 12-22-2016 04:19 AM
Hi,
Not sure if you have posted a full phase 2 config:
//IPsec phase 1 configuration (IKEv1)
ciscoasa(config)# crypto ikev1 policy 1
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# encryption aes-256
ciscoasa(config-ikev1-policy)# hash sha
ciscoasa(config-ikev1-policy)# group 5
ciscoasa(config-ikev1-policy)# lifetime 3600
ciscoasa(config-ikev1-policy)# exit
ciscoasa(config)# crypto ikev1 enable outside
//Define transform-set using AES-256 and SHA-1
ciscoasa(config)# crypto ipsec ikev1 transform-set aesset esp-aes-256 esp-sha-hmac
//Define access-list for local and remote network
ciscoasa(config)# access-list ipsec_access_list extended permit ip 10.1.1.0 255.255.255.0 192.168.30.0 255.255.255.0
//IPsec phase 2 configuration
ciscoasa(config)# crypto map ipsecmap 1 match address ipsec_access_list
ciscoasa(config)# crypto map ipsecmap 1 set peer 210.211.10.1
ciscoasa(config)# crypto map ipsecmap 1 set ikev1 transform-set aesset
ciscoasa(config)# crypto map ipsecmap 1 set pfs group5
ciscoasa(config)# crypto map ipsecmap 1 set security-association lifetime seconds 28800
ciscoasa(config)# crypto map ipsecmap interface outside
Cannot see ACL (match address) TEST within your configuration.
We definitely got a Phase 2 mismatch, so we need to look here. And yes, TRANS is just the name of the transform-set.
12-22-2016 04:54 AM
Hi TranceforLife,
It is there, but I forgot to copy it; sorry for that.
ciscoasa(config)# crypto map ipsecmap interface outside << this one is missing from the configurations I received from the Cisco client.
Regards,
Sharief
12-22-2016 05:47 AM
If the Cisco side of things doesn't specify which interface the crypto map is assigned to that is likely a very large part of your issue.
12-22-2016 05:52 AM - edited 12-22-2016 06:42 AM
Don't have much experience with S2S VPN from the Cisco side, but it's interesting that P1 is coming up okay. I am with you that it is actually within the Phase 2 configuration. So P1 is coming up no probs, but P2 ...
12-22-2016 06:28 AM
Interesting points guys. Let me verify with ASA end.
Regards,
Sharief
12-25-2016 10:40 PM
Hi,
crypto map FEWA_IPSEC_MAP interface outside <<< found this in the configurations, so it's not the reason.
Asked them to clear the SA from cisco side and try initiating traffic again from PA.
Regards,
Sharief