IPSec tunnel not working

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

IPSec tunnel not working

L1 Bithead

Hi..

I have IPSec tunnel between Palo alto 820 and Cyberoam firewall. But It's not getting up. Neither Phase 1 nor Phase 2. Even I am not reachable to other end public ip. Suggest me. 

7 REPLIES 7

Cyber Elite
Cyber Elite

Initiate vpn from Cyberoam side towards Palo.

Do you see any sessions from Cyberoam public IP in "Monitor > Traffic" or "Monitor > Session Browser" on Palo side?

If yes check "Monitor > System" and use filter below. Do you see any errors that might reveal why tunnel don't come up?

( subtype eq vpn )

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Found this error in System log -   IKE phase-1 negotiation is failed as initiator, main mode.

Cyber Elite
Cyber Elite

This error is not helpful as if Palo is "initiator" then you need to check logs at Cyberoam side.

Only recipient side will know why connection failed. Recipient will not share failure reason with initiator.

If you want to analyze logs from Palo side you need to initiate connection from Cyberoam towards Palo..

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

HitendraP_0-1679473675146.png

Error from Cyberoam firewall

I think @Raido_Rattameister suggested to you to switch the responder to be Palo Alto.

 

How to make Palo Alto Networks firewalls Responder-only in an IPSec tunnel

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMZCA0

 

 

You will have to do some investigations or debugs like after making Palo Alto responder if the error is not clear to enable IKE debug or check for global counter drops or packet captures if the traffic is even reaching the Palo Alto firewall at all or if a security policy on Palo Alto is dropping it:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcKCAS

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PORsCAO

 

https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-r...

 

Cyber Elite
Cyber Elite

Does Cyberoam have 1 or more WAN IPs?

 

According to https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/Log... error message 17842 shows success (<connectionname>, EST-P1-MM: Response to establishment request from <peeris> peer <peerrequesterip> successful) and error 17856 seems to mean that Cyberoam replied but did not get any answer after that (<connectionname>, EST-P1: max number of retransmissions <count> reached STATE_MAIN_I1. No response (or no acceptable response) to first IKE message.).

 

So first suspicion is that Palo sends IKE packet to Cyberoam WAN IP1 and Cyberoam replies to Palo from WAN IP2.

If this is the case then you need static route in Cyberoam to send return packets from WAN IP1 to Palo.

 

If Cyberoam  don't have 2 IPs then check that Palo firewall policy permits incoming IPSec traffic from Cyberoam IP and would not drop those packets.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L1 Bithead

Hi;
On Monitor > Traffic, check if you have any deny traffic from/to public IP address of the remote site.
When it's about phase 1 of IPsec, most of the time is about IKE parameters or the traffic is may be denied somewhere

  • 1418 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!