Problems creating IPSec VPN to Cisco ASA

L1 Bithead


Hi,

I have been having difficulties trying to configure an IPSec tunnel between a PA500 and Cisco ASA.  I can get the tunnel up as it shows as green under the IPSec section, however no traffic seems to flow through the tunnel and there is no connectivity.  I am essentially using the IPSec VPN to allow a GRE tunnel from a partner company's router on the remote site to a router on the internal network side of the PA500.  The basic network setup is as follows:

PA500

3x physical interfaces, one in outside zone, one in DMZ zone and one internal

1x loopback interface which I have assigned a public IP address and is used as the VPN endpoint.  This was placed in the outside zone

I have created an IKE and IPSec crypto policy which matches the requirements of the peer ASA and I have also created an IKE Gateway which uses the loopback interface; this uses PSK for authentication.  There is also the IPSec tunnel configuration which uses the local IP address of the GRE router as the local proxy address and the public IP address of the partner ASA as the remote proxy address.  The protocol uses "any" (on the actual router itself the GRE tunnel interface has a source which matches this local proxy address and a destination that matches the public IP address of the ASA).  I also created a static route for the public IP address of the remote ASA.  A security policy was then created to allow ike and ipsec-esp from the loopback VPN interface to the public IP of the ASA, and I also created a reverse rule; these were called Outbound VPN and Inbound VPN.

The tunnel does not come up straight away however if I run the following commands it does establish.

test vpn ipsec-sa tunnel VPN_TUNNELx

Then when I go back into the IPSec tunnel under Network it shows green, so I am assuming that the IKE and IPsec policies match and also the routing and proxy IDs...

However when I try the following command:

show vpn flow name VPN_TUNNELx

It doesn't show any packets being sent or received.

I ran a continuous ping from the internal router to the other GRE tunnel endpoint on the other side of the ASA to generate some traffic, then looked at the Traffic under the Monitor tab to see if anything was being detected and could not see anything other than the IKE traffic for the VPN tunnel...

I'm at a bit of a loss as to what to look at next. I'm guessing I also need to create a rule to allow the GRE traffic from the internal zone to the outside zone and also the reverse perhaps?  I was hoping to get some guidance on what areas to focus troubleshooting on as I'm very new to Palo Alto!

Many thanks in advance!

Brian.
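The two checks the post is circling around (does the GRE traffic actually get routed into the tunnel, and does a security rule allow it between the internal zone and the zone of the tunnel interface) can be modelled as a small route-and-policy trace. The following is an added example, not code from Brian's post or from Palo Alto Networks: it simulates the longest-prefix route lookup and zone-to-zone rule match that a route-based VPN firewall performs before a packet is encapsulated. All addresses, interface names (`ethernet1/1`, `ethernet1/3`, `loopback.1`, `tunnel.1`) and zone names are constructed placeholders, and the remote GRE endpoint is modelled as an address distinct from the IKE peer so that both paths can be shown.

```python
"""Model of how a route-based IPsec VPN decides whether a packet is encrypted:
a packet only enters the tunnel if the route lookup for its destination selects
the tunnel interface, and it is only forwarded if a security rule allows it
between the source zone and the zone of that egress interface.
Addresses, interface names and zone names are constructed placeholders
(assumptions), not values from the post."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    egress: str          # interface the route points to


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    app: str             # "gre", "ike", "ipsec-esp" or "any"


# Assumed interface-to-zone mapping; the tunnel interface must be in a zone too,
# otherwise no rule can ever match traffic leaving through it.
ZONE = {
    "ethernet1/1": "outside",
    "ethernet1/3": "internal",
    "loopback.1": "outside",
    "tunnel.1": "vpn",
}

PEER = ipaddress.ip_address("203.0.113.10")       # constructed: remote ASA public IP
REMOTE_GRE = ipaddress.ip_address("192.0.2.20")   # constructed: GRE endpoint behind the tunnel


def lookup(routes, dst):
    """Longest-prefix match over the route table; returns the winning Route or None."""
    candidates = [r for r in routes if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def match_rule(rules, from_zone, to_zone, app):
    """First rule whose zones and application cover the packet, or None."""
    for rule in rules:
        if rule.from_zone in (from_zone, "any") and rule.to_zone in (to_zone, "any") \
                and rule.app in (app, "any"):
            return rule.name
    return None


def trace(routes, rules, ingress, dst, app):
    """Describe where a packet egresses, which rule matched, and whether it is encrypted."""
    route = lookup(routes, dst)
    if route is None:
        return {"egress": None, "rule": None, "encrypted": False, "forwarded": False}
    rule = match_rule(rules, ZONE[ingress], ZONE[route.egress], app)
    return {
        "egress": route.egress,
        "rule": rule,
        # Only traffic routed to the tunnel interface is encapsulated in ESP.
        "encrypted": route.egress.startswith("tunnel."),
        "forwarded": rule is not None,
    }


def net(s):
    return ipaddress.ip_network(s)


# Scenario 1: a default route and the peer /32 both point at the outside interface,
# and the only rules are the IKE/ESP ones between the loopback and the peer.
ROUTES_1 = [Route(net("0.0.0.0/0"), "ethernet1/1"),
            Route(net("203.0.113.10/32"), "ethernet1/1")]
RULES_1 = [Rule("Outbound VPN", "outside", "outside", "ike"),
           Rule("Outbound VPN", "outside", "outside", "ipsec-esp")]

# Scenario 2: a route for the remote GRE endpoint points into tunnel.1 and a rule
# permits GRE from the internal zone to the zone the tunnel interface sits in.
ROUTES_2 = ROUTES_1 + [Route(net("192.0.2.20/32"), "tunnel.1")]
RULES_2 = RULES_1 + [Rule("GRE to partner", "internal", "vpn", "gre")]

if __name__ == "__main__":
    print("scenario 1 (GRE):", trace(ROUTES_1, RULES_1, "ethernet1/3", REMOTE_GRE, "gre"))
    print("scenario 2 (GRE):", trace(ROUTES_2, RULES_2, "ethernet1/3", REMOTE_GRE, "gre"))
    print("IKE to the peer: ", trace(ROUTES_2, RULES_2, "loopback.1", PEER, "ike"))
```

In scenario 1 the GRE packet follows the default route out of the outside interface, so it never enters the tunnel and, with no internal-to-outside rule for GRE, is not forwarded at all, which matches the symptom of a green tunnel with zero packets in `show vpn flow`. Scenario 2 shows the two things that have to be true together for the counters to move. Note that a destination-based route table yields one egress interface per destination, so when the GRE destination is the very same address as the IKE peer, a plain static route cannot send IKE out of the outside interface and the GRE payload into the tunnel at the same time; that is why the example keeps the two addresses distinct.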
