Site to Site VPN with error Failed SA



Hi,

 

We have configured a site to site VPN between Palo Alto and Cisco ASA. However, both sites are static and PA is the initiator. ACL is configured properly on the Cisco side, but I got the error:

 

"IKE Phase-2 negotiation is failed as initiator, quick mode, Failed SA: 213.42.x.x [4500] - 185.141.x.x [4500] message id:xxxxx. Due to negotiation timeout".

 

Proxy IDs on PA are: Local: 10.12.20.11 Remote: 192.168.248.215

ACL on Cisco: access-list TEST extended permit ip object NETWORK_OBJ_192.168.248.215 object TEST_OBJECT

Where TEST_OBJECT is 10.12.20.11

 

I tried a different transform-set on both sides but still the same.

Currently on PA: 3des-SHA1-DH5 life time 1 day

 

Currently on Cisco:

crypto map FEWA_IPSEC_MAP 4 match address TEST

crypto map FEWA_IPSEC_MAP 4 set pfs group5
crypto map FEWA_IPSEC_MAP 4 set peer 213.42.x.x
crypto map FEWA_IPSEC_MAP 4 set ikev1 transform-set ESP-3DES-SHA-TRANS
crypto map FEWA_IPSEC_MAP 4 set security-association lifetime seconds 86400 

 

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

Usually when I troubleshoot the Cisco side I don't have the transform-set ending with TRANS, but as the client said it's just a "name" for the transform-set. Can anyone with Cisco experience confirm this?

 

Regards,

Sharief


Accepted Solutions

Hi,

 

Just a quick update. The client sent the "complete" configurations on ASA and we found the following:

 

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

 

PAN doesn't support transport mode; it only works with tunnel mode.

After removing this command the tunnel came up.

 

Thanks for your help.

 

Regards,

Sharief

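The root cause above (an ASA transform-set in transport mode against a PAN-OS tunnel that is tunnel mode only) is the kind of phase-2 mismatch that is easy to miss when only part of the ASA config is shared. As an added example, not from this thread or either vendor, the Python below parses the ASA lines quoted in this thread, folds the transform-set and crypto map entry into one effective phase-2 proposal, and reports every parameter that disagrees with the PA profile; the ASA keyword mapping and the 28800 s default SA lifetime are assumptions noted in the comments.

```python
import re

# Constructed from the ASA lines quoted in this thread (sequence 4 of the
# crypto map) plus the "mode transport" line the complete config revealed.
ASA_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto map FEWA_IPSEC_MAP 4 match address TEST
crypto map FEWA_IPSEC_MAP 4 set pfs group5
crypto map FEWA_IPSEC_MAP 4 set ikev1 transform-set ESP-3DES-SHA-TRANS
crypto map FEWA_IPSEC_MAP 4 set security-association lifetime seconds 86400
"""
# PA phase-2 profile as posted (3des-SHA1-DH5, lifetime 1 day); PAN-OS
# IPsec tunnels are tunnel mode only, so mode is pinned to "tunnel".
PA_PHASE2 = {"enc": "3des", "auth": "sha1", "pfs": "group5",
             "lifetime": 86400, "mode": "tunnel"}
# Assumed mapping of ASA transform-set keywords onto the PA profile's vocabulary.
ESP_ENC = {"esp-3des": "3des", "esp-aes": "aes-128", "esp-aes-256": "aes-256"}
ESP_AUTH = {"esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}

def parse_asa(text):
    # Returns ({transform-set name: attrs}, {(map name, seq): attrs}).
    tsets, maps = {}, {}
    for line in text.splitlines():
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", line)
        if m:
            ts = tsets.setdefault(m.group(1), {"mode": "tunnel"})  # ASA default
            for w in m.group(2).split():
                if w in ESP_ENC: ts["enc"] = ESP_ENC[w]
                elif w in ESP_AUTH: ts["auth"] = ESP_AUTH[w]
                elif w in ("tunnel", "transport"): ts["mode"] = w  # "mode ..." line
            continue
        m = re.match(r"crypto map (\S+) (\d+) set (.+)$", line)
        if m:
            entry = maps.setdefault((m.group(1), int(m.group(2))), {})
            args = m.group(3).split()
            if args[0] == "pfs": entry["pfs"] = args[1]
            elif args[:2] == ["ikev1", "transform-set"]: entry["tset"] = args[2]
            elif args[:3] == ["security-association", "lifetime", "seconds"]:
                entry["lifetime"] = int(args[3])
    return tsets, maps

def phase2_mismatches(asa_text, pa, map_name, seq):
    # Lists each phase-2 parameter on which the ASA map entry disagrees with the PA.
    tsets, maps = parse_asa(asa_text)
    entry = maps[(map_name, seq)]
    asa = dict(tsets[entry["tset"]], pfs=entry.get("pfs", "none"),
               lifetime=entry.get("lifetime", 28800))  # 28800 s: assumed ASA default
    return [f"{k}: ASA={asa.get(k)} PA={pa[k]}" for k in pa if asa.get(k) != pa[k]]
```

Running `phase2_mismatches(ASA_CONFIG, PA_PHASE2, "FEWA_IPSEC_MAP", 4)` on the config as posted flags only the mode, which is exactly what the ASA's "Phase 2 Mismatch" log line was hiding.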



Logs on Cisco (responder):

 

5|Dec 20 2016|15:10:06|713119|||||Group = 213.42.x.x, IP = 213.42.x.x, PHASE 1 COMPLETED

6|Dec 20 2016|15:10:06|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = 213.42.x.x

6|Dec 20 2016|15:10:06|713905|||||Group = 213.42.x.x, IP = 213.42.x.x, Floating NAT-T from 213.42.x.x port 500 to 213.42.x.x port 4500

6|Dec 20 2016|15:10:06|713172|||||Group = 213.42.x.x, IP = 213.42.x.x, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end   IS   behind a NAT device

5|Dec 20 2016|15:09:47|713904|||||IP = 213.42.x.x, Received encrypted packet with no matching SA, dropping

5|Dec 20 2016|15:09:39|713904|||||IP = 213.42.x.x, Received encrypted packet with no matching SA, dropping

5|Dec 20 2016|15:09:34|713904|||||IP = 213.42.x.x, Received encrypted packet with no matching SA, dropping

5|Dec 20 2016|15:09:31|713904|||||IP = 213.42.x.x, Received encrypted packet with no matching SA, dropping

4|Dec 20 2016|15:09:29|113019|||||Group = 213.42.x.x, Username = 213.42.x.x, IP = 213.42.x.x, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

5|Dec 20 2016|15:09:29|713259|||||Group = 213.42.x.x, IP = 213.42.x.x, Session is being torn down. Reason: Phase 2 Mismatch

3|Dec 20 2016|15:09:29|713902|||||Group = 213.42.x.x, IP = 213.42.x.x, Removing peer from correlator table failed, no match!

3|Dec 20 2016|15:09:29|713902|||||Group = 213.42.x.x, IP = 213.42.x.x, QM FSM error (P2 struct &0x00007fff985da760, mess id 0xa5f29183)!

5|Dec 20 2016|15:09:29|713904|||||Group = 213.42.x.x, IP = 213.42.x.x, All IPSec SA proposals found unacceptable!

 

 Regards,

Sharief


Hi TranceForLife,

 

Yes. Local: 10.20.12.11 Remote: 192.168.248.215

Regards,
Sharief

Oh, missed that bit. OK. Can you put PA in passive mode and get ikemgr.log? So Palo will be the responder. Also, can you post the ikemgr.log file output?

Hi TranceForLife,

 

Client wants PA to be the initiator only. They cannot initiate from the Cisco side.

 

ikemgr.log will be posted soon.

Regards,
Sharief

Just as an FYI it's always easier in these types of situations to have the PA be the responder instead of the initiator. The ikemgr.log will help determine where things are actually getting held up. 

Hi BPry,

 

Yes, I know that, but things don't work like that here; if the client (critical government entity) says he wants us to be the initiator, then that's it.

 

Below is the ikemgr.log he sent to me:

admin@DC-FW01(active)> tail follow yes mp-log ikemgr.log
4f9020db 78c9ff8e 464ffb6c 7b9d0d7a c8a994df 45e3c063 6e53b252 250b51a0
38d09ca4 9dc1b5f2 61f58a4e db939b4c 94f8628e d179a88f 79efdd98
2016-12-13 13:35:32 [DEBUG]: isakmp_inf.c:807:isakmp_info_send_common(): sendto Information notify.
2016-12-13 13:35:32 [DEBUG]: oakley.c:3345:oakley_delivm(): IV freed
2016-12-13 13:35:32 [DEBUG]: isakmp_inf.c:1577:isakmp_info_recv_r_u(): received a valid R-U-THERE, ACK sent
2016-12-13 13:35:32 [PROTO_NOTIFY]: isakmp_inf.c:1161:isakmp_info_recv_n(): notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=6bcbcec39d54fe73 f93698142a05fcbe (size=16).
2016-12-13 13:35:35.342 +0400 debug: ifmon_request_put(daemon/panike_sysd_if.c:1391): 16 write to pipe: debug_level
2016-12-13 13:35:35.342 +0400 debug: ifmon_request_get(daemon/panike_sysd_if.c:1407): 16 read from pipe, msg type 1
2016-12-13 13:35:35.342 +0400 debug: pan_msg_process(daemon/panike_sysd_if.c:1529): request from pipe: debug_level
2016-12-13 13:35:35 [INFO]: panike_sysd_impl.c:206:panike_debug_level_cb(): panike_debug_level_cb 5 => 0

Regards,

Sharief


Check if Cisco is maybe trying to initiate route based or GRE type of tunnel.

Hi,

 

Not sure if you have posted a full phase 2 config:

 

//IPsec phase 1 configuration (IKEv1)


ciscoasa(config)# crypto ikev1 policy 1
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# encryption aes-256
ciscoasa(config-ikev1-policy)# hash sha
ciscoasa(config-ikev1-policy)# group 5
ciscoasa(config-ikev1-policy)# lifetime 3600
ciscoasa(config-ikev1-policy)# exit
ciscoasa(config)# crypto ikev1 enable outside


//Define transform-set using AES-256 and SHA-1


ciscoasa(config)# crypto ipsec ikev1 transform-set aesset esp-aes-256 esp-sha-hmac


//Define access-list for local and remote network


ciscoasa(config)# access-list ipsec_access_list extended permit ip 10.1.1.0 255.255.255.0 192.168.30.0 255.255.255.0


//IPsec phase 2 configuration

ciscoasa(config)# crypto map ipsecmap 1 match address ipsec_access_list
ciscoasa(config)# crypto map ipsecmap 1 set peer 210.211.10.1
ciscoasa(config)# crypto map ipsecmap 1 set ikev1 transform-set aesset
ciscoasa(config)# crypto map ipsecmap 1 set pfs group5
ciscoasa(config)# crypto map ipsecmap 1 set security-association lifetime seconds 28800
ciscoasa(config)# crypto map ipsecmap interface outside

 

Cannot see ACL (match address) TEST within your configuration. 

We definitely got Phase 2 mismatch so need to look here. And yes TRANS is just a name of the transform-set

 

Hi TranceforLife,

 

It is there but I forgot to copy it, sorry for that.

 

ciscoasa(config)# crypto map ipsecmap interface outside << this one is missing from the configurations I received from Cisco client.

 

Regards,

Sharief


If the Cisco side of things doesn't specify which interface the crypto map is assigned to that is likely a very large part of your issue. 

Don't have much experience on s2s VPN from the Cisco side, but interesting that P1 is coming up okay. I am with you that it is actually within the Phase 2 configuration. So P1 coming up no probs but P2 ....

Interesting points guys. Let me verify with ASA end.

 

Regards,

Sharief


Hi,

 

crypto map FEWA_IPSEC_MAP interface outside <<< found this in the configurations, so it's not the reason.

 

Asked them to clear the SA from cisco side and try initiating traffic again from PA.

 

Regards,

Sharief
