12-07-2015 03:01 AM
Hi All,
I can't seem to resolve a proxy-id mismatch on a route-based VPN I have configured between the PAN firewall and a Cisco 3G router.
On the PAN side, I have configured 10.5.0.0/16 as my local proxy-id and 0.0.0.0 as proxy-id of remote side. I still get a mismatch error as follows:
IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: X.X.X.X/32 type IPv4_address protocol 47 port 0, received remote id: Y.Y.Y.Y/32 type IPv4_address protocol 47 port 0
where X is outside interface address of the Palo and Y is the interface address of the peer.
I have also tried to configure a proxy ID of 0.0.0.0/0 for both local and remote on the Palo. No luck.
Please can anyone assist?
12-07-2015 06:34 AM
I had the same problem. After some debugging and magic touch I saw a GRE packet come out of the tunnel 🙂
Or in other words; check if Cisco is trying to establish GRE tunnel instead of IPsec tunnel. If it is, reconfigure Cisco to start IPsec tunnel as GRE is not supported on PA.
12-07-2015 04:30 AM
The proxy IDs have to match on both sides. "Match" means their local becomes our remote and their remote becomes our local. I think the configured proxy ID on the Cisco is local x.x.x.x/32, remote y.y.y.y/32.
So on the PA side you have to configure local y.y.y.y/32 and remote x.x.x.x/32.
Something like this will be on the Cisco side:
access-list extended PA_Proxy permit x.x.x.x 0.0.0.0 y.y.y.y 0.0.0.0
So their local will become our remote and vice versa.
Hope this helps.
12-07-2015 06:38 AM
Ok, I read your post again: the Cisco is definitely configured to start a GRE tunnel instead of IPsec (hint: protocol 47).
12-07-2015 07:14 AM
GRE is not supported on PA.
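To make the diagnosis above repeatable, here is an added example (not from the thread or from Palo Alto Networks) that parses the PAN-OS phase-2 failure message quoted in the original post, compares the received proxy IDs with one configured PA proxy-ID entry, and flags protocol 47 (GRE) explicitly. The sample log line and its addresses are constructed placeholders, and the code assumes, as the original post implies, that "received local id" in the log is the PA's own side.

```python
import re
from ipaddress import ip_network

# Constructed sample of the PAN-OS message quoted in the thread; the two
# addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = (
    "IKE phase-2 negotiation failed when processing proxy ID. "
    "cannot find matching phase-2 tunnel for received proxy ID. "
    "received local id: 198.51.100.10/32 type IPv4_address protocol 47 port 0, "
    "received remote id: 203.0.113.20/32 type IPv4_address protocol 47 port 0"
)

ID_RE = re.compile(
    r"received (?P<side>local|remote) id: (?P<net>[\d.]+/\d+) "
    r"type IPv4_address protocol (?P<proto>\d+) port (?P<port>\d+)"
)
GRE = 47  # IP protocol number the peer is offering in its proxy IDs


def parse_proxy_ids(line):
    """Extract both received proxy IDs as {side: (network, protocol, port)}."""
    ids = {m["side"]: (ip_network(m["net"]), int(m["proto"]), int(m["port"]))
           for m in ID_RE.finditer(line)}
    if set(ids) != {"local", "remote"}:
        raise ValueError("line does not carry both proxy IDs")
    return ids


def diagnose(line, pa_local, pa_remote, pa_proto=0, pa_port=0):
    """Compare the received IDs with one configured PA proxy-ID entry.

    pa_proto=0 / pa_port=0 stand for the PA defaults ("any"). Returns a list
    of (code, detail) findings; an empty list means the entry would match.
    Assumption: local/remote in the log are from the PA's perspective, as
    the original post implies (received local id = the PA's own address).
    """
    ids = parse_proxy_ids(line)
    findings = []
    if any(proto == GRE for _, proto, _ in ids.values()):
        findings.append(("gre", "peer offers protocol 47: it is bringing up GRE over IPsec, which the PA does not support"))
    for side, cfg in (("local", ip_network(pa_local)), ("remote", ip_network(pa_remote))):
        net, _, _ = ids[side]
        if net != cfg:  # proxy IDs are matched exactly, so 0.0.0.0/0 does not cover a /32
            findings.append(("net_" + side, f"configured {cfg} vs received {net}"))
    for side in ("local", "remote"):
        _, proto, port = ids[side]
        if (proto, port) != (pa_proto, pa_port):
            findings.append(("proto_" + side, f"configured {pa_proto}/{pa_port} vs received {proto}/{port}"))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, "10.5.0.0/16", "0.0.0.0/0"):
        print(finding)
```

Run against the original poster's entry (10.5.0.0/16 local, 0.0.0.0/0 remote) it reports the GRE offer plus network and protocol mismatches on both sides, which is why widening the networks alone could not fix the negotiation.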
12-07-2015 07:24 AM
Hi Pakumar,
I don't have any access-list on the Cisco side because I'm using a tunnel-based VPN on the Cisco side as well. I only have a static route.
12-07-2015 07:54 AM
Could you please paste some config of the Cisco device?
12-07-2015 08:31 AM
That worked... Thanks a whole lot.