03-12-2024 10:31 AM
Hello,
I'm having trouble setting up a VPN tunnel between a Cisco ASA 5516-X running 9.16(4) (me) and a Palo Alto PA-3430 running 10.2.6 (vendor).
First time crossing vendors for both of us.
Using IKEv2, both sides have the same phase 1 encryption:
encryption aes-192
integrity sha
group 21
prf sha
lifetime seconds 28800
both sides have the same phase 2 ipsec:
protocol esp encryption aes-256
protocol esp integrity sha-256
PA says he can see traffic passing, but I don't even see an attempt at phase 1 negotiation.
ACL is made on my end.
crypto map is made on my end.
group policy is made on my end.
tunnel-group is made on my end.
Ran debug cry ikev2 pro and don't see an attempt at a handshake.
Not sure what is out of place.
Any insight, please?
What other info can I provide to help?
03-12-2024 10:38 AM
@zietgiestt if the peer says the VPN is up, run show crypto ikev2 sa and show crypto ipsec sa from the CLI of the ASA and provide the output for review.
If there is no output then the tunnel is not up.
ASA IKEv2 troubleshooting guide - https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115935-asa-ikev2-debugs.html
enable these debugs, generate some interesting traffic and provide the output for review.
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
Do you have a NAT exemption rule to ensure traffic is not unintentionally translated?
Please provide your crypto and VPN ACL for review.
You could also run packet-tracer twice to simulate the traffic flow, and provide the output from the second run.
03-12-2024 01:42 PM
Rob,
I've attached your requested info. As you can see a sh cry is sa shows nothing regarding the remote IP (170.103.X.X).
Shouldn't there be at least some attempts to negotiate the tunnel with some fails?
I may have let the debug run a little long.
What my peer is saying is not that the tunnel is up, but he can see packets passing back/forth over udp500.
Hope this helps you help me...appreciate it
03-12-2024 02:00 PM
@zietgiestt the debug output does not appear to be related to the PA VPN 170.103.X.X in question.
If the peer was sending traffic to you and assuming they have configured the correct IP address for your ASA, I'd expect to see something in the debug output (regardless of whether the configuration works or not).
Take a packet capture, filter on PA IP address and confirm from your end that there is communication between the PA IP address and your ASA. If not could there be something blocking communication in the path or the IP address is configured incorrectly.
03-12-2024 02:21 PM
Yes. That is what is frustrating me. I can see in the log monitor that my peer can ping me, so I know he has the correct IP, as do I. I will run a packet capture as you suggest.
I will post after. thanks @Rob Ingram
03-12-2024 12:43 PM
03-12-2024 02:11 PM
James,
Not truly familiar with the nat 0 statement. I do have a NAT statement in place:
nat (inside,outside) source static WS_Tunnel_Tempel_Internal WS_Tunnel_Tempel_Internal destination static WS_Tunnel_WS_Internal WS_Tunnel_WS_Internal no-proxy-arp route-lookup
If I run a packet-tracer sourced from an IP in the ACL to a remote IP, I see the untranslate hits climb one at a time.
23 (inside) to (outside) source static WS_Tunnel_Tempel_Internal WS_Tunnel_Tempel_Internal destination static WS_Tunnel_WS_Internal WS_Tunnel_WS_Internal no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 3
03-12-2024 07:38 PM
Interesting: the remote side sees the traffic and you can't even see phase 1.
Try to capture the packets on the ASA.
capture VPN type isakmp ikev2 interface outside match ip host x.x.x.x host z.z.z.z
Once the capture is filling up you can see the packets with the command show capture VPN.
That will give you a good start for troubleshooting this.
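Added example (not code from this thread or from either vendor): a small parser for the one-line-per-packet summary that show capture prints, which counts UDP/500 and UDP/4500 packets in each direction between the ASA and the peer and maps the result to the situations discussed above (nothing from the peer arrives, the peer's packets arrive but the ASA never answers, or both sides are talking). The capture text, the ASA address 203.0.113.5 and the peer address 170.103.0.1 are constructed for the example; the line format assumed is the plain summary format, and the regex searches each line rather than anchoring at its start so extra leading tokens are tolerated.

```python
import re
from collections import Counter

# Constructed sample of "show capture VPN" output (not a real capture).
# 203.0.113.5 stands in for the ASA outside address, 170.103.0.1 for the PA peer.
SAMPLE_TWO_WAY = """\
   1: 14:02:12.345678 170.103.0.1.500 > 203.0.113.5.500:  udp 432
   2: 14:02:12.346011 203.0.113.5.500 > 170.103.0.1.500:  udp 484
   3: 14:02:12.401223 170.103.0.1.4500 > 203.0.113.5.4500:  udp 308
   4: 14:02:12.402005 203.0.113.5.4500 > 170.103.0.1.4500:  udp 196
4 packets captured
"""

# Constructed: the peer keeps retransmitting IKE_SA_INIT and nothing goes back.
SAMPLE_ONE_WAY = """\
   1: 14:05:00.000100 170.103.0.1.500 > 203.0.113.5.500:  udp 432
   2: 14:05:04.000200 170.103.0.1.500 > 203.0.113.5.500:  udp 432
   3: 14:05:12.000300 170.103.0.1.500 > 203.0.113.5.500:  udp 432
3 packets captured
"""

IKE_PORTS = {500, 4500}  # IKE and NAT-T (UDP encapsulated IKE/ESP)

# Matches "src.sport > dst.dport: proto length" anywhere on a line.
PKT_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+(?P<proto>\w+)\s+(?P<length>\d+)"
)


def parse_capture(text):
    """Return one dict per packet line; header and count lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "length"):
            d[key] = int(d[key])
        pkts.append(d)
    return pkts


def ike_counts(pkts, asa_ip, peer_ip):
    """Count UDP packets to an IKE port in each direction between the two peers."""
    c = Counter({"peer_to_asa": 0, "asa_to_peer": 0})
    for p in pkts:
        if p["proto"] != "udp" or p["dport"] not in IKE_PORTS:
            continue
        if p["src"] == peer_ip and p["dst"] == asa_ip:
            c["peer_to_asa"] += 1
        elif p["src"] == asa_ip and p["dst"] == peer_ip:
            c["asa_to_peer"] += 1
    return dict(c)


def diagnose(text, asa_ip, peer_ip):
    """Map the directional counts to the situations discussed in the thread."""
    c = ike_counts(parse_capture(text), asa_ip, peer_ip)
    if c["peer_to_asa"] == 0 and c["asa_to_peer"] == 0:
        verdict = "no_ike_seen"      # nothing on UDP/500 or 4500: path filtering or wrong peer address
    elif c["asa_to_peer"] == 0:
        verdict = "peer_unanswered"  # peer's packets reach the outside interface, ASA never replies
    elif c["peer_to_asa"] == 0:
        verdict = "asa_unanswered"   # ASA initiates, peer never replies
    else:
        verdict = "two_way"          # negotiation is happening; read the ikev2 debugs for the mismatch
    return verdict, c


if __name__ == "__main__":
    for name, sample in (("two-way", SAMPLE_TWO_WAY), ("one-way", SAMPLE_ONE_WAY)):
        verdict, counts = diagnose(sample, "203.0.113.5", "170.103.0.1")
        print(f"{name}: {verdict} {counts}")
```

The useful distinction is between "no_ike_seen" and "peer_unanswered": the first means the problem is outside the ASA (an upstream filter or the peer pointing at the wrong address), while the second means the packets do arrive and the ikev2 debugs conditioned on that peer should explain why the ASA ignores them.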
03-13-2024 02:23 AM
Do the following:
debug crypto condition peer x.x.x.x
then
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
MHM
05-02-2024 12:13 PM
Seems it was an issue with the PA and their ACL.
Was able to get the tunnel to come up.
Thanks for everyone's input.