12-14-2023 01:49 PM
Hi
Platform
My end : Cisco ASR1001
Far end : Palo Alto
I am trying to establish a GRE over IPsec tunnel with a customer using a Palo Alto. It fails when the Palo Alto initiates (initiator role) and the ASR1001 is the responder. When the roles are switched (that is, every time the tunnel goes down, the negotiation is initiated by a tunnel reset at the ASR1001), the tunnel comes up. I appreciate any help, thank you.
Debug logs show:
Cisco end:
Nov 29 17:44:27.250: IKEv2:(SESSION ID = 64303,SA ID = 2):IPSec policy validate request sent for profile Paradise with psh index 2.
Nov 29 17:44:27.250: IKEv2:(SESSION ID = 64303,SA ID = 2):
Nov 29 17:44:27.254: IKEv2:(SESSION ID = 64303,SA ID = 2):(SA ID = 2):[IPsec -> IKEv2] Callback received for the validate proposal - FAILED.
Nov 29 17:44:27.255: IKEv2-ERROR:(SESSION ID = 64303,SA ID = 2):: There was no IPSEC policy found for received TSNov 29 17:44:27.255: IKEv2:(SESSION ID = 64303,SA ID = 2):Sending TS unacceptable notify
Palo Alto end:
023-12-06 15:16:58.127 -0400 [DEBG]: processing isakmp packet
2023-12-06 15:16:58.127 -0400 [DEBG]: ===
2023-12-06 15:16:58.127 -0400 [DEBG]: 137 bytes message received from 216.16X.XXX.5X
2023-12-06 15:16:58.127 -0400 [DEBG]: { 5: }: [IKE Initiator] response message_id 1 expected 1
2023-12-06 15:16:58.128 -0400 [PWRN]: { 5: }: 69.17.1xx.x0[500] - 216.16X.XXX.5X[500]:0x5607e608e760 vendor id payload ignored
2023-12-06 15:16:58.128 -0400 [PWRN]: { 5: }: 69.17.194.x0[500] - 216.16X.XXX.5X[500]:0x5607e608e760 received notify type NO_PROPOSAL_CHOSEN
2023-12-06 15:16:58.128 -0400 [INFO]: { 5: }: 69.1X.XXX.XX[500] - 216.16X.XXX.5X[500]:0x7fcbf4037610 authentication result: success
2023-12-06 15:16:58.128 -0400 [DEBG]: { 5: }: update response message_id 0x1
2023-12-06 15:16:58.128 -0400 [DEBG]: { 5: }: ikev2_process_child_notify(0x7fcbf4025018, 0x7fcc112a18b0), notify type NO_PROPOSAL_CHOSEN
2023-12-06 15:16:58.128 -0400 [PWRN]: { 5: }: 14 is not a child notify type
2023-12-06 15:16:58.128 -0400 [PERR]: { 5: }: 69.1X.XXX.XX[500] - 216.16X.XXX.5X[500]:0x7fcbf4037610 received Notify type NO_PROPOSAL_CHOSEN, failed establishing child_sa
2023-12-06 15:16:58.128 -0400 [PNTF]: { 5: }: ====> IKEv2 CHILD SA NEGOTIATION FAILED AS INITIATOR, non-rekey; gateway ike-vpn-fw02-ibasis-sig <====
====> Failed SA: 69.1X.XXX.XX[500]-216.16X.XXX.5X[500] message id:0x00000001 parent SN:2494 <==== Error code 19
2023-12-06 15:16:58.128 -0400 [DEBG]: { 5: }: SA established: state INI_IKE_AUTH_RCVD, caller initiator_ike_sa_auth_cont, attach 1
2023-12-06 15:16:58.128 -0400 [PNTF]: { 5: }: ====> IKEv2 IKE SA NEGOTIATION SUCCEEDED AS INITIATOR, non-rekey; gateway ike-vpn-fw02-ibasis-sig <====
====> Established SA: 69.1X.XXX.XX[500]-216.16X.XXX.5X[500] SPI:8dc026cee9b9e51d:5f7739109410fcd4 SN:2494 lifetime 86400 Sec <====
Attached config for Cisco ASR and Palo Alto
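The two debugs above describe the same failure from opposite sides: the ASR (responder) cannot find an IPsec policy for the received traffic selector and sends a TS unacceptable notify, while the Palo Alto (initiator) reports a successful IKE SA but a failed CHILD SA with a NO_PROPOSAL_CHOSEN notify. The following is an added example (not from the thread or either vendor) that parses both log formats into one triage view so the failing phase and the responder's reason are visible at a glance. The sample lines are constructed to match the thread's output; the addresses are RFC 5737 documentation addresses, and the pattern list covers only the message strings seen on this page.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample debugs modelled on the thread's output (placeholder addresses).
CISCO_DEBUG = """\
Nov 29 17:44:27.250: IKEv2:(SESSION ID = 64303,SA ID = 2):IPSec policy validate request sent for profile Paradise with psh index 2.
Nov 29 17:44:27.254: IKEv2:(SESSION ID = 64303,SA ID = 2):(SA ID = 2):[IPsec -> IKEv2] Callback received for the validate proposal - FAILED.
Nov 29 17:44:27.255: IKEv2-ERROR:(SESSION ID = 64303,SA ID = 2):: There was no IPSEC policy found for received TS
Nov 29 17:44:27.255: IKEv2:(SESSION ID = 64303,SA ID = 2):Sending TS unacceptable notify
"""

PAN_DEBUG = """\
2023-12-06 15:16:58.128 -0400 [PWRN]: { 5: }: 198.51.100.10[500] - 192.0.2.5[500]:0x5607e608e760 received notify type NO_PROPOSAL_CHOSEN
2023-12-06 15:16:58.128 -0400 [INFO]: { 5: }: 198.51.100.10[500] - 192.0.2.5[500]:0x7fcbf4037610 authentication result: success
2023-12-06 15:16:58.128 -0400 [PERR]: { 5: }: 198.51.100.10[500] - 192.0.2.5[500]:0x7fcbf4037610 received Notify type NO_PROPOSAL_CHOSEN, failed establishing child_sa
2023-12-06 15:16:58.128 -0400 [PNTF]: { 5: }: ====> IKEv2 CHILD SA NEGOTIATION FAILED AS INITIATOR, non-rekey; gateway ike-vpn-example <====
2023-12-06 15:16:58.128 -0400 [PNTF]: { 5: }: ====> IKEv2 IKE SA NEGOTIATION SUCCEEDED AS INITIATOR, non-rekey; gateway ike-vpn-example <====
"""


@dataclass
class PeerView:
    """What one peer's own debug says about the exchange."""
    vendor: str
    role: str | None = None        # "initiator" / "responder" when the log states it
    ike_sa: str | None = None      # "up" or "failed"
    child_sa: str | None = None    # "up" or "failed"
    auth: str | None = None
    notifies: list[str] = field(default_factory=list)   # notifies sent or received
    reasons: list[str] = field(default_factory=list)    # local explanation of a failure


def parse_cisco(text: str) -> PeerView:
    """Pick the CHILD SA validation outcome out of 'debug crypto ikev2' output."""
    v = PeerView("cisco")
    for line in text.splitlines():
        if "validate proposal - FAILED" in line:
            v.child_sa = "failed"
            v.reasons.append("IPsec proposal/TS validation callback failed")
        elif "no IPSEC policy found for received TS" in line:
            v.child_sa = "failed"
            v.reasons.append("no local IPsec policy matches the peer's traffic selector")
        m = re.search(r"Sending (.+?) notify", line)
        if m:
            # Only the responder replies to a received TS with a notify.
            v.role = "responder"
            v.notifies.append(m.group(1).upper().replace(" ", "_"))
    return v


PAN_RULES = [
    (re.compile(r"received notify type (\w+)", re.I), "notify"),
    (re.compile(r"IKE SA NEGOTIATION (SUCCEEDED|FAILED) AS (INITIATOR|RESPONDER)"), "ike_sa"),
    (re.compile(r"CHILD SA NEGOTIATION (SUCCEEDED|FAILED) AS (INITIATOR|RESPONDER)"), "child_sa"),
    (re.compile(r"authentication result: (\w+)"), "auth"),
]


def parse_pan(text: str) -> PeerView:
    """Pick phase results, role and notifies out of the PAN-OS ikemgr debug."""
    v = PeerView("paloalto")
    for line in text.splitlines():
        for rx, kind in PAN_RULES:
            m = rx.search(line)
            if not m:
                continue
            if kind == "notify":
                v.notifies.append(m.group(1).upper())
            elif kind == "auth":
                v.auth = m.group(1).lower()
            else:
                setattr(v, kind, "up" if m.group(1) == "SUCCEEDED" else "failed")
                v.role = m.group(2).lower()
    return v


def diagnose(responder: PeerView, initiator: PeerView) -> dict:
    """Combine both views: which phase failed and what the responder objected to."""
    if initiator.ike_sa != "up":
        phase = "IKE_SA"
    elif initiator.child_sa == "failed":
        phase = "CHILD_SA"
    else:
        phase = "none"
    return {
        "failing_phase": phase,
        "initiator": initiator.vendor,
        "responder": responder.vendor,
        "responder_reason": responder.reasons[-1] if responder.reasons else None,
        "responder_sent": responder.notifies,
        "initiator_saw": sorted(set(initiator.notifies)),
    }


if __name__ == "__main__":
    print(diagnose(parse_cisco(CISCO_DEBUG), parse_pan(PAN_DEBUG)))
```

The useful signal is the combination: authentication and the IKE SA succeed, so identities and the pre-shared key are not the problem; only the CHILD SA (traffic selector / IPsec proposal) validation fails on the responder, which is consistent with the thread's observation that the tunnel only works when the ASR proposes the selectors itself. Note that the two sides label the same failure differently in their own logs (TS unacceptable on the ASR, NO_PROPOSAL_CHOSEN on the Palo Alto), so correlating on the message ID rather than on the notify name is the reliable way to line them up.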
12-15-2023 12:08 AM
@mkrishnan PFS is enabled on the ASR (group 19), but is PFS group 19 also enabled on the Palo Alto side?
12-15-2023 07:25 AM
Thanks for the response.
Yes, PFS is enabled on both ends with the same group.
12-15-2023 12:15 AM
Can I see the config of the ASR1k?
Also, there is mode ipv4; why do you need to use GRE over IPsec?
MHM
12-15-2023 07:18 AM
Thank you for the response.
Yes, sorry, I attached the VTI setup instead of GRE over IPsec, and forgot to mention that in the VTI setup the tunnel comes up without any issues even when the peer roles are switched.
ASR1K config:
interface Tunnel203
description Parad-Voice
vrf forwarding IBASIS-PUBLIC
ip address xxx.xxx.172.158 255.255.255.254
tunnel source xxx.xxx.184.22
tunnel destination xx.xx.194.66
tunnel protection ipsec profile Parad
end
IPSEC profile Parad
IKEv2 Profile: Parad
Security association lifetime: 4608000 kilobytes/28800 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group19
Mixed-mode : Disabled
Transform sets={
Paradise: { esp-gcm } ,
}
IKEv2 profile: Parad
Ref Count: 5
Match criteria:
Fvrf: global
Local address/interface: none
Identities:
address xx.xx.194.66 255.255.255.255
Certificate maps: none
Local identity: address xxx.xxx.184.22
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: Paradise
Trustpoint(s): none
Lifetime: 86400 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: IBASIS-PUBLIC
Virtual-template: none
mode auto: none
AAA AnyConnect EAP authentication mlist: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
PPK Dynamic: 0 PPK Required : 0 PPK Instance ID:
12-15-2023 12:25 AM
It is difficult to determine what the issue is with the limited information here. But from the error message it looks like the ASR is complaining about the encryption domain / traffic selector (TS) when the Palo Alto initiates the connection. Did you previously have this set up as a crypto map policy?
12-15-2023 07:23 AM
Thanks for the response.
From the original setup it has always been GRE over IPsec, until I decided to test with VTI. There were no encryption domains involved, as we run BGP over this tunnel for exchanging prefixes.
That's where I am not sure: when the ASR1K initiates the tunnel negotiation, the tunnel comes up, but when the Palo Alto initiates, in its messages it is sending a TS for validation which is non-existent in the IPsec policy at the ASR1K end, hence it fails with TS unacceptable.
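To make the "TS for validation which is non-existent in the IPsec policy" failure concrete, here is an added model (not code from the thread or from either vendor) of the IKEv2 responder-side traffic selector check from RFC 7296 section 2.9: the responder intersects the initiator's proposed TSi/TSr with its own policy and either narrows to the overlap or answers TS_UNACCEPTABLE. It assumes, as is the case for Cisco tunnel protection on a GRE tunnel, that the ASR's policy is GRE (IP protocol 47) between the two tunnel endpoints only; the endpoint addresses are constructed placeholders, and whether the responder narrows or insists on an exact match is a modelling flag, since the thread does not show which selectors the Palo Alto actually sent.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address

ANY_PROTO = 0  # IKEv2 TS protocol id 0 means "any protocol"


@dataclass(frozen=True)
class TS:
    """One IKEv2 traffic selector: protocol, address range, port range."""
    proto: int
    start: IPv4Address
    end: IPv4Address
    port_lo: int = 0
    port_hi: int = 65535


def ts(proto: int, lo: str, hi: str | None = None, ports=(0, 65535)) -> TS:
    return TS(proto, ip_address(lo), ip_address(hi or lo), ports[0], ports[1])


def intersect(a: TS, b: TS) -> TS | None:
    """Overlap of two selectors, or None when they share no traffic."""
    if a.proto == ANY_PROTO:
        proto = b.proto
    elif b.proto == ANY_PROTO or a.proto == b.proto:
        proto = a.proto
    else:
        return None
    start, end = max(a.start, b.start), min(a.end, b.end)
    if start > end:
        return None
    plo, phi = max(a.port_lo, b.port_lo), min(a.port_hi, b.port_hi)
    if plo > phi:
        return None
    return TS(proto, start, end, plo, phi)


def respond(policy: tuple[TS, TS], proposed: tuple[TS, TS],
            allow_narrowing: bool = True):
    """Responder decision for a CREATE_CHILD_SA / IKE_AUTH TS pair (TSi, TSr).

    Returns ("OK", selected_pair) or ("TS_UNACCEPTABLE", None).
    allow_narrowing=False models a responder that only accepts a proposal it
    can satisfy exactly (a modelling assumption, not a vendor statement).
    """
    chosen = []
    for pol, prop in zip(policy, proposed):
        common = intersect(pol, prop)
        if common is None:
            return "TS_UNACCEPTABLE", None
        if not allow_narrowing and common != prop:
            return "TS_UNACCEPTABLE", None
        chosen.append(common)
    return "OK", tuple(chosen)


# Constructed endpoints: ASR tunnel source 192.0.2.22, Palo Alto 198.51.100.66.
# Seen from the ASR as responder, TSi is the Palo Alto side and TSr the ASR side.
ASR_GRE_POLICY = (ts(47, "198.51.100.66"), ts(47, "192.0.2.22"))

GRE_EXACT = (ts(47, "198.51.100.66"), ts(47, "192.0.2.22"))          # what the ASR itself proposes
ANY_ANY = (ts(0, "0.0.0.0", "255.255.255.255"),
           ts(0, "0.0.0.0", "255.255.255.255"))                       # a wide-open proposal
INSIDE_PREFIXES = (ts(0, "10.1.0.0", "10.1.255.255"),
                   ts(0, "10.2.0.0", "10.2.255.255"))                 # a policy-based (proxy-ID) proposal


if __name__ == "__main__":
    for name, prop in (("GRE exact", GRE_EXACT), ("any/any", ANY_ANY), ("inside prefixes", INSIDE_PREFIXES)):
        for narrow in (True, False):
            print(f"{name:16} narrowing={narrow!s:5} -> {respond(ASR_GRE_POLICY, prop, narrow)[0]}")
```

The third case is the one that can never be fixed by swapping roles: selectors that do not cover the GRE endpoints have no overlap with a GRE-only policy, so the responder must reject them. The second case shows why the vendor's narrowing behaviour matters: a wide proposal is accepted only if the responder is willing to narrow it down to the protocol-47 host pair. Comparing the proxy IDs / traffic selectors the Palo Alto sends against the tunnel endpoints and protocol 47 is therefore the first thing to check.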
12-15-2023 07:40 AM
Hello friend,
I wanted to see the config of the IKEv2 policy, key and profile.
Until that time:
Remote identity: none
Don't you use any remote identity for the IKEv2 profile?
That explains why, when the Palo initiates the traffic, there is no response from the ASR.
MHM
12-15-2023 07:47 AM
Hi
In the IKEv2 profile, the ASR1K doesn't give the option to add a remote identity, only a local identity, while it allows matching the identity for the remote as below:
M077-C1001-1(config-ikev2-profile)#identity ?
local Specify the local IKE identity to use for the negotiation
M077-C1001-1(config-ikev2-profile)#match identity ?
remote Remote identity
IKEv2 profile commands:
aaa Specify AAA related configs
anyconnect Enable profile for anyconnect profile download
authentication Set authentication method
config-exchange config-exchange options
description Specify a description of this profile
dpd Enable IKE liveness check for peers
dynamic Indicates the IKEv2 profile settings are dynamic
exit Exit from crypto ikev2 profile sub mode
identity Specify IKE identity to use ---> local
initial-contact initial-contact processing options
ivrf I-VRF of the profile
keyring Specify keyring to use
lifetime Set lifetime for ISAKMP security association
match Match values of peer -- -> remote
nat NAT-transparency
no Negate a command or set its defaults
pki Specify certificate authorities to trust
ppk Post Quantum Key server instance ID
reconnect Enable profile for auto re-connect
redirect IKEv2 Redirect Mechanism for load-balancing
shutdown shutdown the IKEv2 profile
virtual-template Specify the virtual-template for dynamic interface creation.
Thanks
12-15-2023 08:00 AM
M077-C1001-1(config-ikev2-profile)#match identity ?
remote Remote identity
Yes, set the remote identity using the public IP of the tunnel destination.
MHM
12-15-2023 08:06 AM
Yes, it's already there in the config:
identities:
address xx.xx.194.66 255.255.255.255 -- this is the remote identity
In the profile that you are seeing, there is just remote identity in the available commands.
Local identity: address xxx.xxx.184.22
Remote identity: none --- this is not available under
M077-C1001-1(config-ikev2-profile)#identity ?
local Specify the local IKE identity to use for the negotiation (no option to choose remote here only local)
While match identity allows a remote identity to be configured:
M077-C1001-1(config-ikev2-profile)#match identity ?
remote Remote identity
12-15-2023 08:18 AM
Identity for your ASR
Match identity remote for Palo
Use match identity under the profile
MHM
12-15-2023 08:24 AM
Not sure I understand you correctly; I already did that. The profile has the remote identity under identities:
identities:
address xx.xx.194.66 255.255.255.255 -- this is the remote identity (this is Palo Alto)
12-15-2023 08:35 AM
Friend, the identity is used for your LOCAL.
Match identity is used for the peer.
NOTE: if you misconfigured the Palo IP with the identity command, remove it.
12-15-2023 08:46 AM
Thanks for the explanation, but it seems I configured the local and remote identities correctly:
M077-C1001-1(config-ikev2-profile)#identity local add
M077-C1001-1(config-ikev2-profile)#identity local address xxx.xxx.187.52 -- ASR1K end
M077-C1001-1(config-ikev2-profile)#match identity remote address xx.xx.194.70 255.255.255.255 -- palo alto
% Already found same 'match identity' statement in this profile