03-21-2023 10:33 PM
I have an IPSec tunnel between a Palo Alto 820 and a Cyberoam firewall, but it's not coming up: neither Phase 1 nor Phase 2. I cannot even reach the other end's public IP. Please advise.
03-21-2023 10:41 PM
Initiate the VPN from the Cyberoam side towards the Palo.
Do you see any sessions from the Cyberoam public IP in "Monitor > Traffic" or "Monitor > Session Browser" on the Palo side?
If yes, check "Monitor > System" and use the filter below. Do you see any errors that might reveal why the tunnel doesn't come up?
( subtype eq vpn )
03-21-2023 11:33 PM
Found this error in the System log: "IKE phase-1 negotiation is failed as initiator, main mode."
03-21-2023 11:36 PM
This error is not helpful, because if Palo is the "initiator" then you need to check the logs on the Cyberoam side.
Only the recipient side will know why the connection failed. The recipient will not share the failure reason with the initiator.
If you want to analyze logs from the Palo side, you need to initiate the connection from Cyberoam towards Palo.
03-22-2023 01:28 AM
Error from the Cyberoam firewall:
03-22-2023 05:00 AM
I think @Raido_Rattameister suggested that you switch the responder to be the Palo Alto.
You will have to do some investigation or debugging. After making the Palo Alto the responder, if the error is still not clear, enable IKE debug, check for global counter drops, or take packet captures to see whether the traffic is even reaching the Palo Alto firewall at all, or whether a security policy on the Palo Alto is dropping it:
03-22-2023 05:25 AM - edited 03-22-2023 05:26 AM
Does the Cyberoam have 1 or more WAN IPs?
According to https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/Log... error message 17842 shows success (<connectionname>, EST-P1-MM: Response to establishment request from <peeris> peer <peerrequesterip> successful) and error 17856 seems to mean that the Cyberoam replied but did not get any answer after that (<connectionname>, EST-P1: max number of retransmissions <count> reached STATE_MAIN_I1. No response (or no acceptable response) to first IKE message.).
So my first suspicion is that the Palo sends the IKE packet to Cyberoam WAN IP1 and the Cyberoam replies to the Palo from WAN IP2.
If this is the case, then you need a static route on the Cyberoam to send the return packets from WAN IP1 to the Palo.
If the Cyberoam doesn't have 2 IPs, then check that the Palo firewall policy permits incoming IPSec traffic from the Cyberoam IP and would not drop those packets.
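As an added example (not code from any poster in this thread), the following Python script runs the two checks above over constructed PAN-OS-style traffic log rows: it flags inbound IKE arriving from a second WAN IP (asymmetric return path) and inbound IKE denied by security policy. The CSV columns, the RFC 5737 addresses and the `diagnose` wording are assumptions for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of PAN-OS-style traffic log rows (not real firewall output).
# 203.0.113.10 is the Palo WAN address, 198.51.100.5 the Cyberoam WAN IP set as
# IKE peer, 198.51.100.6 a second Cyberoam WAN IP (RFC 5737 documentation ranges).
SAMPLE_TRAFFIC = """src,dst,proto,dport,action
203.0.113.10,198.51.100.5,udp,500,allow
198.51.100.6,203.0.113.10,udp,500,deny
203.0.113.10,198.51.100.5,udp,500,allow
198.51.100.6,203.0.113.10,udp,500,deny
"""
IKE_PORTS = {500, 4500}  # IKE and NAT-T

def analyze_ike_traffic(log_text, local_ip, peer_ip):
    """Count IKE sessions (UDP/500, UDP/4500) seen by the local firewall.
    outbound: packets we sent to the configured peer; inbound_from: source IPs
    that sent IKE to us; denied_inbound: inbound IKE dropped by policy;
    asymmetric: True if any inbound IKE comes from an IP other than peer_ip."""
    res = {"outbound": 0, "inbound_from": defaultdict(int),
           "denied_inbound": 0, "asymmetric": False}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["proto"] != "udp" or int(row["dport"]) not in IKE_PORTS:
            continue
        if row["src"] == local_ip and row["dst"] == peer_ip:
            res["outbound"] += 1
        elif row["dst"] == local_ip:
            res["inbound_from"][row["src"]] += 1
            if row["action"] == "deny":
                res["denied_inbound"] += 1
            if row["src"] != peer_ip:
                res["asymmetric"] = True
    res["inbound_from"] = dict(res["inbound_from"])
    return res

def diagnose(summary):
    """Map the counters to the next troubleshooting step from the thread."""
    if summary["outbound"] and not summary["inbound_from"]:
        return "no reply reaching the Palo: check the path and the peer's own logs"
    if summary["asymmetric"]:
        return "reply arrives from a different peer IP: fix the return route on the Cyberoam"
    if summary["denied_inbound"]:
        return "inbound IKE denied by security policy: permit udp/500 and udp/4500 from the peer"
    return "IKE reaches both sides: compare IKE proposals and pre-shared key"

if __name__ == "__main__":
    summary = analyze_ike_traffic(SAMPLE_TRAFFIC, "203.0.113.10", "198.51.100.5")
    print(summary, diagnose(summary))
```

Replace `SAMPLE_TRAFFIC` with a CSV export of Monitor > Traffic filtered on the peer's public IP to run it against real data.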
03-23-2023 01:51 AM
On Monitor > Traffic, check whether you have any denied traffic from/to the public IP address of the remote site.
When it's about phase 1 of IPsec, most of the time it is about IKE parameters, or the traffic may be denied somewhere.