VPN Tunnel ASA>Palo Alto

zietgiestt
Level 1

Hello,

I'm having trouble setting up a VPN tunnel between a Cisco ASA5516-X running 9.16(4) (me) and a Palo Alto PA-3430 running 10.2.6 (vendor).

First time crossing vendors for both of us.

Using IKEv2, both sides have the same phase 1 encryption:

 encryption aes-192
 integrity sha
 group 21
 prf sha
 lifetime seconds 28800

Both sides have the same phase 2 IPsec:

 protocol esp encryption aes-256
 protocol esp integrity sha-256

PA says he can see traffic passing, but I don't even see an attempt at phase 1 negotiation.

ACL is made on my end.

crypto map is made on my end.

group policy is made on my end.

 tunnel-group is made on my end.

I ran debug cry ikev2 pro and don't see an attempt at a handshake.

Not sure what is out of place.

Any insight, please?

What other info can I provide for any help?

9 Replies

@zietgiestt if the peer says the VPN is up, run show crypto ikev2 sa and show crypto ipsec sa from the CLI of the ASA and provide the output for review.

If there is no output then the tunnel is not up.

ASA IKEv2 troubleshooting guide - https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115935-asa-ikev2-debugs.html

Enable these debugs, generate some interesting traffic and provide the output for review.

debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127

Do you have a NAT exemption rule to ensure traffic is not unintentionally translated?

Please provide your crypto and VPN ACL for review.

You could also run packet-tracer twice to simulate the traffic flow and provide the output from the second run.

Rob, 

I've attached your requested info. As you can see, sh cry is sa shows nothing regarding the remote IP (170.103.X.X).

Shouldn't there be at least some attempts to negotiate the tunnel with some fails?

I may have let the debug run a little long.

What my peer is saying is not that the tunnel is up, but that he can see packets passing back and forth over UDP 500.

Hope this helps you help me... appreciate it.

@zietgiestt the debug output does not appear to be related to the PA VPN 170.103.X.X in question.

If the peer was sending traffic to you and assuming they have configured the correct IP address for your ASA, I'd expect to see something in the debug output (regardless of whether the configuration works or not).

Take a packet capture, filter on the PA IP address and confirm from your end that there is communication between the PA IP address and your ASA. If not, could there be something blocking communication in the path, or is the IP address configured incorrectly?

Yes. That is what is frustrating me. I can see in the log monitor that my peer can ping me, so I know he has the correct IP, as do I. I will run a packet capture as you suggest.

I will post after. thanks @Rob Ingram 

james.king14
Level 1
Hi Zietgiestt,

Did you ensure you put in the NAT 0 statement for the ASA?


James,

Not truly familiar with the NAT 0 statement. I do have a NAT statement in place:

nat (inside,outside) source static WS_Tunnel_Tempel_Internal WS_Tunnel_Tempel_Internal destination static WS_Tunnel_WS_Internal WS_Tunnel_WS_Internal no-proxy-arp route-lookup

If I run a packet tracer sourced from an IP in the ACL to a remote IP, I see the untranslate hits climb one at a time.

23 (inside) to (outside) source static WS_Tunnel_Tempel_Internal WS_Tunnel_Tempel_Internal destination static WS_Tunnel_WS_Internal WS_Tunnel_WS_Internal no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 3

Interesting: the remote side sees the traffic and you can't even see phase 1.

Try to capture the packets on the ASA.

 capture VPN type isakmp ikev2 interface outside match ip host x.x.x.x host z.z.z.z

Once the capture is filling up, you can see the packets by using the command show capture VPN.

This will give you a good start on troubleshooting this.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

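The capture suggested above is the decisive check in this thread: the peer sees UDP 500 packets, the ASA debug shows nothing, so the question is which side is silent on the ASA's outside interface. The following is an added example, not anything posted in the thread or shipped by Cisco: a small Python triage script that parses the text of show capture VPN, counts IKE/NAT-T (UDP 500/4500) packets in each direction between the ASA and the expected peer, lists any other addresses sending IKE to the ASA (the thread's debug output turned out to belong to a different peer), and maps the result to the next thing to verify. The capture text, addresses and timestamps are constructed (RFC 5737 test ranges); the line layout approximates the ASA's raw capture display, and the regex is an assumption about that layout rather than a Cisco-documented format.

```python
import re
from collections import Counter

# Constructed sample of "show capture VPN" output. The layout follows the
# ASA's raw capture display (index, timestamp, src.port > dst.port: udp len),
# but every address, port and timestamp here is made up (RFC 5737 ranges).
SAMPLE_CAPTURE = """\
5 packets captured
   1: 10:15:02.118734       203.0.113.10.500 > 198.51.100.5.500:  udp 464
   2: 10:15:02.119201       198.51.100.5.500 > 203.0.113.10.500:  udp 432
   3: 10:15:02.125880       203.0.113.10.4500 > 198.51.100.5.4500:  udp 268
   4: 10:15:02.126011       198.51.100.5.4500 > 203.0.113.10.4500:  udp 196
   5: 10:15:04.001122       192.0.2.77.500 > 198.51.100.5.500:  udp 464
5 packets shown
"""

# One capture line: "<idx>: <hh:mm:ss.usec> <src>.<sport> > <dst>.<dport>: udp <len>"
# (assumed layout; header and footer lines do not match and are skipped).
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)"
)

IKE_PORTS = {500, 4500}   # IKE and NAT-T (RFC 3948) UDP ports


def parse_capture(text):
    """Return one dict per packet line; non-packet lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append({
            "idx": int(m["idx"]), "ts": m["ts"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "length": int(m["length"]),
        })
    return packets


def ike_summary(packets, asa_ip, peer_ip):
    """Count IKE/NAT-T packets per direction between the ASA and the expected peer."""
    def is_ike(p):
        return p["sport"] in IKE_PORTS and p["dport"] in IKE_PORTS

    to_asa = [p for p in packets if is_ike(p) and p["src"] == peer_ip and p["dst"] == asa_ip]
    from_asa = [p for p in packets if is_ike(p) and p["src"] == asa_ip and p["dst"] == peer_ip]
    # Other addresses talking IKE to the ASA: debug output can belong to one
    # of these rather than to the peer being troubleshot.
    others = Counter(p["src"] for p in packets
                     if is_ike(p) and p["dst"] == asa_ip and p["src"] != peer_ip)
    return {
        "to_asa": len(to_asa),
        "from_asa": len(from_asa),
        "nat_t": any(p["dport"] == 4500 for p in to_asa + from_asa),
        "other_ike_sources": sorted(others),
    }


def triage(summary):
    """Map the per-direction counts to the next check. Returns (code, advice)."""
    to_asa, from_asa = summary["to_asa"], summary["from_asa"]
    if to_asa == 0 and from_asa == 0:
        return ("no-ike-traffic",
                "Nothing on UDP 500/4500 between the two addresses: check the peer address "
                "configured on both ends and anything in the path (upstream ACL, ISP, NAT).")
    if to_asa and not from_asa:
        return ("asa-silent",
                "The peer's IKE_SA_INIT arrives but the ASA never answers: confirm "
                "'crypto ikev2 enable outside', that the crypto map is applied to the outside "
                "interface, and that a tunnel-group exists for the peer address.")
    if from_asa and not to_asa:
        return ("peer-silent",
                "The ASA initiates but the peer never answers: the problem is on the peer "
                "or in the path toward it.")
    return ("bidirectional",
            "Both sides exchange IKE packets: run the IKEv2 debugs under "
            "'debug crypto condition peer <peer>' to see which message the negotiation fails on.")


def analyse(capture_text, asa_ip, peer_ip):
    """Parse, summarise and triage one capture for a given ASA/peer pair."""
    summary = ike_summary(parse_capture(capture_text), asa_ip, peer_ip)
    code, advice = triage(summary)
    return {**summary, "verdict": code, "advice": advice}


if __name__ == "__main__":
    result = analyse(SAMPLE_CAPTURE, asa_ip="198.51.100.5", peer_ip="203.0.113.10")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Paste the real show capture VPN output in place of the sample and pass the ASA's outside address and the peer address. A result of "asa-silent" is the case this thread describes from the peer's point of view: the PA's packets reach the ASA but nothing comes back, which points at the ASA's own configuration rather than at the path.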

Do the following 

debug crypto condition peer x.x.x.x
then

debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127

MHM

zietgiestt
Level 1

Seems it was an issue with the PA and their ACL. 

Was able to get the tunnel to come up.

Thanks for everyone's input...
