This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

VPN Tunnel from remote ASA: only one of three proxy-IDs working

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

VPN Tunnel from remote ASA: only one of three proxy-IDs working

CHoldredge
L0 Member

‎07-25-2018 06:25 PM

Has anyone had an issue where a tunnel is configured with multiple proxy-id's for a policy-based peer, but a working security association is formed for only one of them?

 

I have a number of ASA 5505s that need to connect to my new Palo Altos from remote locations, where they mostly get dynamic, NATed, non-routable IPs. After more faffing about than expected, I've reached the point where I have two nice, green dots in Network/IPSec Tunnels. Turns out, though, that that's kind of misleading.

 

Each tunnel has three proxy-ids, one for each of the big blocks of non-routable space. They look like this:

image.png

The IKE security association gets set up without any issue.

 

The IPSec SA for selector pair c is also forming just fine, and passing traffic. I think it couldn't be doing that unless most of the configuration was OK?

 

As far as I can see, b never tries to negotiate at all.

 

A is the oddest case. I see a security association on both the ASA and the Palo Alto. The SPIs match. All the parameters match. But traffic doesn't move in either direction. On both devices I can see the count of encap packets increasing (so routing and blocking must be OK, traffic's entering the tunnel), but decap packets never moves from zero on either side.

 

I thought I'd seen most IPSec failure modes, but I've never seen anything like that.

 

I'd thought I might be triggering some weirdness with the overlapping address space for the remote /27 and 172.16/12, even though that's the connection that worked. Wasn't sure it could be the issue since so many folks use 0.0.0.0/0, but I tried removing it anyhow. It didn't make any difference to the behavior of the other SAs.

 

I'm utterly at a loss with this one. Ticket is open with support, but it would sure make my day if someone recognizes these symptoms.

 

Here are the selector configurations from both devices. Maybe (hopefully) I'm just doing something dumb?

 

 

ASA:

object network 10dot
 subnet 10.0.0.0 255.0.0.0
object network 192dot
 subnet 192.168.0.0 255.255.0.0
object network 172dot
 subnet 172.16.0.0 255.240.0.0
...
object-group network InternalNets
 network-object object 10dot
 network-object object 192dot
 network-object object 172dot
...
access-list outside_cryptomap_1 extended permit ip 172.19.29.192 255.255.255.224 object-group InternalNets
...
crypto map outside_map 2 match address outside_cryptomap_1
...


PA:
set network tunnel ipsec Prop_IPsec_999 auto-key proxy-id a protocol any
set network tunnel ipsec Prop_IPsec_999 auto-key proxy-id a local 10.0.0.0/8
set network tunnel ipsec Prop_IPsec_999 auto-key proxy-id a remote 172.19.29.192/27
set network tunnel ipsec Prop_IPsec_999 auto-key proxy-id b protocol any
set network tunnel ipsec Prop_IPsec_999 auto-key proxy-id b local 192.168.0.0/16
set network tunnel ipsec Prop_IPsec_999 auto-key proxy-id b remote 172.19.29.192/27
set network tunnel ipsec Prop_IPsec_999 auto-key proxy-id a protocol any
set network tunnel ipsec Prop_IPsec_999 auto-key proxy-id c local 172.16.0.0/12
set network tunnel ipsec Prop_IPsec_999 auto-key proxy-id c remote 172.19.29.192/27

 

 

 

0 Likes Likes
5 REPLIES 5

Remo
L7 Applicator

‎07-26-2018 12:26 AM

What PAN-OS version is running on your firewall?
0 Likes Likes

CHoldredge
L0 Member
In response to Remo

‎07-26-2018 06:03 AM

It's on 8.1.2

0 Likes Likes

Cris_Collins
L1 Bithead

‎07-23-2021 07:46 AM

I have a couple sites with multiple networks being tunneled via IPSEC. Only the first network that is accessed is working. It will not negotiate the second Proxy ID.  I tried following directions from the link below, but still only the first network that I ping is accessible . It is an IPSEC tunnel between a PA running 9.0 and an ASA running 9.1.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHACA0&lang=en_US

 

Do you know how to resolve this issue?

 

Thank you for any direction you are able to provide

0 Likes Likes

Cris_Collins
L1 Bithead
In response to Cris_Collins

‎07-23-2021 10:25 AM

Enabling PFS and setting the Deffie Hellman and changing from IKEv2 to IKEv1 resolved the issue.

0 Likes Likes

gihernandez
L0 Member

‎10-06-2023 09:47 AM

Check PFS on both sides, I suspect you have PFS enable in one side and disabled in the other side.

0 Likes Likes
  • 7561 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks