Who Me Too'd this topic

IKEv2 Site to Site VPN to Cisco ASA5540

L7 Applicator

Hi folks,


Are there any Cisco ASA specialists out there?

We have a problem with a site-to-site VPN connection between Palo Alto and an ASA 5540. Actually the problem seems to be on the ASA side.


The proxy IDs on the PA are configured like this:

Remote (ASA): 0.0.0.0/0

Local: 1 private /24 subnet


As described in the title, we use IKEv2. Now everything works as expected when the tunnel is initiated from our Palo Alto. Phase 1 & 2 will be brought up with the configured settings and subnets.

But, when the Cisco ASA is the initiator, it simply ignores the configured phase 2 subnets and uses a /32 host address as its local proxy ID and our correct /24 subnet as the remote ID. Because of the fact that Palo accepts this phase 2 request with IKEv2, the VPN is connected successfully. The problem then starts when a second host behind the ASA tries to communicate over the VPN tunnel. Then the ASA tries to initiate another phase 2 with the new source host IP as the phase 2 network. This also works, but then the already established phase 2 will be kicked away by Palo Alto, and from then on the first host is no longer able to communicate over the tunnel.


Is anyone familiar with this problem or even better, knows how to fix this?


Regards,

Remo


PS: I already had exactly this issue 2 months ago with another Cisco ASA. There we went back to IKEv1, which solved the problem, and the ASA was using the statically configured subnets instead of host addresses ... but unfortunately this is no option for this customer ...
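As an added illustration (not code from the post, from PAN-OS or from the ASA), the following Python models the IKEv2 traffic-selector exchange the post describes: RFC 7296 narrowing on the responder, plus a constructed assumption that the responder keeps one child SA per configured proxy-ID pair, so a second /32 from the ASA displaces the first. All addresses are constructed.

```python
from ipaddress import ip_network


def narrow(proposed: str, configured: str):
    """RFC 7296 sec. 2.9 narrowing: the responder answers with the
    intersection of the proposed selector and its own configured one,
    or None (TS_UNACCEPTABLE) when they do not overlap."""
    p, c = ip_network(proposed), ip_network(configured)
    if p.subnet_of(c):
        return p
    if c.subnet_of(p):
        return c
    return None


class Responder:
    """Responder with a single configured proxy-ID pair.

    Constructed assumption: it keeps one child SA per configured pair,
    so a second CREATE_CHILD_SA that narrows to the same pair replaces
    the first. That is the behaviour the post reports."""

    def __init__(self, local: str, remote: str):
        self.local, self.remote = local, remote
        self.child_sas = {}  # (local, remote) -> negotiated (TSi, TSr)

    def create_child_sa(self, tsi: str, tsr: str):
        """Handle a CREATE_CHILD_SA. Returns (negotiated, replaced):
        negotiated is the narrowed (TSi, TSr) pair or None if rejected,
        replaced is the previous child SA for the same proxy IDs, if any."""
        peer = narrow(tsi, self.remote)   # initiator's side vs our remote ID
        ours = narrow(tsr, self.local)    # our side vs our local ID
        if peer is None or ours is None:
            return None, None
        key = (self.local, self.remote)
        replaced = self.child_sas.get(key)
        self.child_sas[key] = (str(peer), str(ours))
        return self.child_sas[key], replaced


def replay_report():
    """Replay the scenario from the post with constructed addresses:
    a local /24 on the PA side, 0.0.0.0/0 for the ASA side, and two
    ASA hosts that each trigger their own /32 child SA."""
    pa = Responder(local="10.1.0.0/24", remote="0.0.0.0/0")
    first, _ = pa.create_child_sa("192.0.2.10/32", "10.1.0.0/24")
    second, replaced = pa.create_child_sa("192.0.2.20/32", "10.1.0.0/24")
    return first, second, replaced, len(pa.child_sas)
```

Running `replay_report()` shows both /32 proposals being accepted as valid narrowings of 0.0.0.0/0, yet only one child SA surviving, which is exactly why the first ASA host loses connectivity once the second one starts a tunnel.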
