topic Re: VPN Tunnel ASA>Palo Alto in Network Security

VPN Tunnel ASA>Palo Alto

zietgiestt — Tue, 12 Mar 2024 17:31:13 GMT

Hello,

I'm having trouble setting up a vpn tunnel between a Cisco asa5516x running 9.16 (4)(me) and a Palo Alto PA-3430 running 10.2.6 (vendor).

First time crossing vendors for both of us.

Using Ikev2, both sides have the same phase 1 encryption:

encryption aes-192

integrity sha

group 21

prf sha

lifetime seconds 28800

both sides have the same phase 2 ipsec:

protocol esp encryption aes-256

protocol esp integrity sha-256

PA says he can see traffic passing, but I don't even see an attempt at phase1 negotiation.

ACL is made on my end.

crypto map is made on my end.

group policy is made on my end.

tunnel-group is made on my end.

ran the debug cry ikev2 pro and don't see an attempt at a handshake.

Not sure what is out of place.

any insight please???

what other info can I provide for any help?

Re: VPN Tunnel ASA>Palo Alto

Rob Ingram — Tue, 12 Mar 2024 17:38:56 GMT

@zietgiestt if the peer says the VPN is up, run show crypto ikev2 sa and show crypto ipsec sa from the CLI of the ASA and provide the output for review.

If there is no output then the tunnel is not up.

ASA IKEv2 troubleshooting guide - https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115935-asa-ikev2-debugs.html

enable these debugs, generate some interesting traffic and provide the output for review.

debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127

Do you have a NAT exemption rule to ensure traffic is not unintentially translated?

Please provide your crypto and VPN ACL for review.

You could also run packet-tracer twice to simulate the traffic flow, provide the output from the second output.

Re: VPN Tunnel ASA>Palo Alto

james.king14 — Tue, 12 Mar 2024 19:43:36 GMT

Hi Zietgiestt,

Did you ensure to put in the NAT 0 statement for the ASA

Re: VPN Tunnel ASA>Palo Alto

zietgiestt — Tue, 12 Mar 2024 20:42:31 GMT

Rob,

I've attached your requested info. As you can see a sh cry is sa shows nothing regarding the remote IP (170.103.X.X).

Shouldn't there be at least some attempts to negotiate the tunnel with some fails?

I may have let the debug run a little long.

What my peer is saying is not that the tunnel is up, but he can see packets passing back/forth over udp500.

Hope this helps you help me...appreciate it

Re: VPN Tunnel ASA>Palo Alto

Rob Ingram — Tue, 12 Mar 2024 21:00:44 GMT

@zietgiestt the debug output does not appear to be related to the PA VPN 170.103.X.X in question.

If the peer was sending traffic to you and assuming they have configured the correct IP address for your ASA, I'd expect to see something in the debug output (regardless of whether the configuration works or not).

Take a packet capture, filter on PA IP address and confirm from your end that there is communication between the PA IP address and your ASA. If not could there be something blocking communication in the path or the IP address is configured incorrectly.

Re: VPN Tunnel ASA>Palo Alto

zietgiestt — Tue, 12 Mar 2024 21:11:08 GMT

James,

Not truly familiar with the nat 0 statement. I do have a nat statement in place:

nat (inside,outside) source static WS_Tunnel_Tempel_Internal WS_Tunnel_Tempel_Internal destination static WS_Tunnel_WS_Internal WS_Tunnel_WS_Internal no-proxy-arp route-lookup

If I run a packet tracer sourced form an IP in the ACL to a remote IP, I see the untranslated hits climb 1 at a time.

23 (inside) to (outside) source static WS_Tunnel_Tempel_Internal WS_Tunnel_Tempel_Internal destination static WS_Tunnel_WS_Internal WS_Tunnel_WS_Internal no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 3

Re: VPN Tunnel ASA>Palo Alto

zietgiestt — Tue, 12 Mar 2024 21:21:29 GMT

Yes. That is what is frustrating me. I can see the log monitor that my peer can ping me so I know he has the correct IP, as do I.I will run a packet capture as you suggest.

I will post after. thanks @Rob Ingram

Re: VPN Tunnel ASA>Palo Alto

Sheraz.Salim — Wed, 13 Mar 2024 02:38:37 GMT

Interesting remote side see the traffic and you cant see even the phase 1.

try to capture the packet on the ASA.

capture VPN type isakmp ikev2 interface outside match ip host x.x.x.x host z.z.z.z

once the capture are filling up you can see them by using command show capture VPN.

as it will give you a good start to troubleshoot this.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

Re: VPN Tunnel ASA>Palo Alto

MHM Cisco World — Wed, 13 Mar 2024 09:23:16 GMT

Do the following

debug crypto condition peer x.x.x.x
then

debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127

MHM

Re: VPN Tunnel ASA>Palo Alto

zietgiestt — Thu, 02 May 2024 19:13:30 GMT

Seems it was an issue with the PA and their ACL.

Was able to get the tunnel to come up.

Tanks for everyone's input...