This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Site to Site VPN with error Failed SA

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Site to Site VPN with error Failed SA

Go to solution
MohamedSharief
L4 Transporter

‎12-21-2016 04:00 AM - edited ‎12-22-2016 04:55 AM

Hi,

 

We have configured a site to site vpn between palo alto and cisco ASA. However, both sites are static and PA is the intiator, ACL is configured properly on Cisco side but I got the error:

 

"IKE Phase-2 negotiation is failed as initiator, quick mode, Failed SA: 213.42.x.x [4500] - 185.141.x.x [4500] message id:xxxxx. Due to negotiation timeout".

 

Proxy IDs on PA is:- Local: 10.12.20.11 Remote: 192.168.248.215

ACL on Cisco: access-list TEST extended permit ip object NETWORK_OBJ_192.168.248.215 object TEST_OBJECT

Where TEST_OBJECT is 10.12.20.11

 

I tried a different transform-set on both sides but still the same.

Currently on PA: 3des-SHA1-DH5 life time 1 day

 

Currently on Cisco:

crypto map FEWA_IPSEC_MAP 4 match address TEST

crypto map FEWA_IPSEC_MAP 4 set pfs group5
crypto map FEWA_IPSEC_MAP 4 set peer 213.42.x.x
crypto map FEWA_IPSEC_MAP 4 set ikev1 transform-set ESP-3DES-SHA-TRANS
crypto map FEWA_IPSEC_MAP 4 set security-association lifetime seconds 86400 

 

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

Usually when I troubleshoot cisco side I don't have the transform-set ending with TRANS but as the client said its just a "name" for the transform-set. Can anyone with Cisco experience confirm this?

 

Regards,

Sharief

Regards,
Sharief
0 Likes Likes
15 REPLIES 15

Go to solution
MohamedSharief
L4 Transporter
In response to MohamedSharief

‎12-26-2016 03:11 AM

Hi,

 

Just a quick update. The client sent the "complete" configurations on ASA and we found the following:

 

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

 

PAN doesn't support transport mode and its only works with tunnel mode.

After removing this command the tunnel came up.

 

Thanks for your help.

 

Regards,

Sharief

Regards,
Sharief
  • 16848 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks