VPN Proxy ID nightmare


L3 Networker

Hi All,

I can't seem to resolve a proxy-id mismatch on a route-based VPN I have configured between the PAN firewall and a Cisco 3G router.

On the PAN side, I have configured 10.5.0.0/16 as my local proxy-id and 0.0.0.0 as proxy-id of remote side. I still get a mismatch error as follows:

IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: X.X.X.X/32 type IPv4_address protocol 47 port 0, received remote id: Y.Y.Y.Y/32 type IPv4_address protocol 47 port 0

where X is outside interface address of the Palo and Y is the interface address of the peer.

I have also tried to configure a proxy ID of 0.0.0.0/0 for both local and remote on the Palo. No luck.

Please can anyone assist?

L5 Sessionator

The proxy IDs have to match on both sides. Matching means their local becomes our remote and their remote becomes our local. I think the configured proxy ID on the Cisco is local x.x.x.x/32, remote y.y.y.y/32.

So on the PA side you have to configure local y.y.y.y/32 and remote x.x.x.x/32.

Something like this will be on the Cisco side (named extended ACL; a 0.0.0.0 wildcard is the same as the host keyword):

ip access-list extended PA_Proxy
 permit ip host x.x.x.x host y.y.y.y

So their local will become our remote and vice versa.

Hope this helps.

L6 Presenter

I had the same problem. After some debugging and magic touch I saw a GRE packet come out of the tunnel 🙂

Or in other words; check if Cisco is trying to establish GRE tunnel instead of IPsec tunnel. If it is, reconfigure Cisco to start IPsec tunnel as GRE is not supported on PA.

OK, I read your post again: the Cisco is definitely configured to start a GRE tunnel instead of IPsec (hint: protocol 47).

GRE is not supported on PA.
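An added example, not code from the thread: a small Python checker that parses the PAN-OS phase-2 log line quoted above, flags protocol 47 (GRE) in the peer's selector, and reports the mirrored local/remote proxy ID the PA would need. The addresses are constructed (documentation ranges standing in for X.X.X.X and Y.Y.Y.Y) and the function names are assumptions.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample of the PAN-OS IKE log line from the thread; 203.0.113.10 stands
# in for the PA outside address (X.X.X.X) and 198.51.100.20 for the peer (Y.Y.Y.Y).
SAMPLE_LOG = (
    "IKE phase-2 negotiation failed when processing proxy ID. cannot find matching "
    "phase-2 tunnel for received proxy ID. received local id: 203.0.113.10/32 type "
    "IPv4_address protocol 47 port 0, received remote id: 198.51.100.20/32 type "
    "IPv4_address protocol 47 port 0"
)

PROXY_ID_RE = re.compile(
    r"received local id: (?P<local>\S+) type \S+ protocol (?P<lproto>\d+) port \d+, "
    r"received remote id: (?P<remote>\S+) type \S+ protocol (?P<rproto>\d+) port \d+"
)

class ReceivedProxyId(NamedTuple):
    local: str      # selector the peer calls its local side
    remote: str     # selector the peer calls the remote (our) side
    protocol: int   # IP protocol number in the selector (0 = any)

def parse_proxy_id(line: str) -> Optional[ReceivedProxyId]:
    """Extract the peer's proposed proxy ID from a PAN-OS phase-2 failure line."""
    m = PROXY_ID_RE.search(line)
    if not m:
        return None
    return ReceivedProxyId(m["local"], m["remote"], int(m["lproto"]))

def diagnose(rx: ReceivedProxyId, pan_local: str, pan_remote: str,
             pan_protocol: int = 0) -> list:
    """Compare the peer's selector with the PA proxy ID and return findings.
    PAN-OS wants an exact, mirrored match: peer local == our remote and vice versa."""
    findings = []
    if rx.protocol == 47:
        findings.append("peer selector is GRE (protocol 47): the peer is building GRE "
                        "over IPsec, which the thread notes the PA does not support")
    if rx.local != pan_remote:
        findings.append(f"PA remote proxy ID should be {rx.local}, not {pan_remote}")
    if rx.remote != pan_local:
        findings.append(f"PA local proxy ID should be {rx.remote}, not {pan_local}")
    if rx.protocol != pan_protocol:
        findings.append(f"protocol mismatch: peer {rx.protocol}, PA {pan_protocol}")
    return findings

if __name__ == "__main__":
    rx = parse_proxy_id(SAMPLE_LOG)
    # The original poster's first attempt: local 10.5.0.0/16, remote 0.0.0.0/0 on the PA
    for finding in diagnose(rx, "10.5.0.0/16", "0.0.0.0/0"):
        print("-", finding)
```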

Hi Pakumar,

I don't have any access-list on the Cisco side because I'm using a tunnel-based VPN on the Cisco side as well. I only have a static route.

Could you please paste some config of the Cisco device?

That worked.... Thanks a whole lot.
