07-16-2018 09:20 AM - edited 03-05-2019 10:46 AM
I have an IPsec LAN-to-LAN tunnel between a Cisco router and a Palo Alto FW. The tunnel remains UP-ACTIVE if there is interesting traffic - The tunnel goes down if there is no interesting traffic. The problem I am having is that I cannot bring the tunnel up from the Cisco side - If I initiate a ping from the Cisco side to go through the VPN, this will not bring the tunnel up. If I initiate the ping from the Palo Alto side then the tunnel comes up.
How do I have to configure the Cisco router to keep the tunnel UP-ACTIVE at all times?
How can I bring the tunnel up from the Cisco router side?
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 28400
crypto isakmp key MYVPN! address x.x.x.x
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
mode transport
!
crypto map MYMAP 10 ipsec-isakmp
set peer x.x.x.x
set security-association lifetime kilobytes 65000
set transform-set MYSET
match address Dublin_Subnet
ip access-list extended Dublin_Subnet
permit ip host 192.168.100.1 host 10.117.0.160 log
!
07-16-2018 09:32 AM
07-16-2018 09:38 AM
This is a loopback on the local router for testing - When the tunnel is up and running I can ping across using the source loopback interface.
Loopback on local router: 192.168.100.1
IP on the remote side: 10.117.0.160
Cactus-01#ping 10.117.0.160 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.117.0.160, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/39/48 ms
07-16-2018 09:51 AM
07-16-2018 10:02 AM
See attached for the log file.
I disconnected the tunnel and it did not connect back:
Cactus-01#sh crypto session
Crypto session current status
Interface: GigabitEthernet0/1
Session status: UP-ACTIVE
Peer: x.x.x.x port 500
IKEv1 SA: local x.x.x.x/500 remote x.x.x.x/500 Active
IPSEC FLOW: permit ip host 192.168.100.1 host 10.117.0.160
Active SAs: 2, origin: crypto map
Cactus-01#clear crypto session
Cactus-01#sh crypto session
Crypto session current status
Interface: GigabitEthernet0/1
Session status: DOWN-NEGOTIATING
Peer: x.x.x.x port 500
IKEv1 SA: local x.x.x.x/500 remote x.x.x.x/500 Inactive
IPSEC FLOW: permit ip host 192.168.100.1 host 10.117.0.160
Active SAs: 0, origin: crypto map
Interface: GigabitEthernet0/1
Session status: DOWN
Peer: x.x.x.x port 500
IPSEC FLOW: permit ip host 192.168.100.1 host 10.117.0.160
Active SAs: 0, origin: crypto map
07-16-2018 10:57 AM
07-16-2018 11:43 AM
Can you check with the administrator of the Palo Alto and verify that their configuration does not specify their role is originator?
I agree that seeing debug output from your machine would probably be helpful, especially at this point the debug for ISAKMP.
HTH
Rick
07-16-2018 01:04 PM
Hello Richard, As per the admin of the Palo - The Palo is not the originator. In addition, the ACL matches on both ends. I attached a new set of logs in the previous reply.
07-16-2018 01:18 PM
The log that you posted has very interesting information in it. Going through the log I see that negotiation for ISAKMP begins, proceeds, and seems to complete the phase 1 negotiation successfully. But then your router receives a message from the Palo Alto that it should terminate the session.
So it looks to me like your side is ok and that something on the Palo Alto is the cause of the issue. Can they run some debugs or other diagnostics and perhaps identify why they are sending the message to terminate the session?
HTH
Rick
07-16-2018 01:02 PM
See attached for the new log:
Cactus-01#sh debugging
Generic IP:
ICMP packet debugging is on
TELNET:
Incoming Telnet debugging is on
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto IPSEC debugging is on
Crypto IPSEC Error debugging is on
Crypto IPSEC states debugging is on
Crypto IPSEC message debugging is on
Crypto Key Management Interface debugging is on
IKEV2:
IKEv2 error debugging is on
IKEv2 default debugging is on
IKEv2 packet debugging is on
Cactus-01#
Cactus-01#sh run int gig0/1
Building configuration...
Current configuration : 121 bytes
!
interface GigabitEthernet0/1
ip address x.x.x.x 255.255.255.0
duplex auto
speed auto
crypto map MYMAP
end
Cactus-01#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cactus-01(config)#int gig0/1
Cactus-01(config-if)#no crypto map MYMAP
Cactus-01(config-if)#crypto map MYMAP
Cactus-01(config-if)#exi
Cactus-01(config)#exi
Cactus-01#ping 10.117.0.160 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.117.0.160, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
.....
Success rate is 0 percent (0/5)
Cactus-01#sh cry
Cactus-01#sh crypto sess
Cactus-01#sh crypto session
Crypto session current status
Interface: GigabitEthernet0/1
Session status: DOWN-NEGOTIATING
Peer: x.x.x.x port 500
IKEv1 SA: local x.x.x.x/500 remote x.x.x.x/500 Inactive
IPSEC FLOW: permit ip host 192.168.100.1 host 10.117.0.160
Active SAs: 0, origin: crypto map
Cactus-01#sh crypto session
Crypto session current status
Interface: GigabitEthernet0/1
Session status: DOWN
Peer: x.x.x.x port 500
IPSEC FLOW: permit ip host 192.168.100.1 host 10.117.0.160
Active SAs: 0, origin: crypto map
07-16-2018 01:08 PM
Hello,
Cactus-01#ping 10.117.0.160 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.117.0.160, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
.....
Success rate is 0 percent (0/5)
Can you even ping without the crypto map? Post the full config of your router...
07-16-2018 01:35 PM
07-16-2018 12:38 PM
Hello,
on a side note, with Cisco to Cisco site to site VPNs, the access lists specifying the interesting traffic should mirror each other, I am not sure if that is a requirement for Cisco to Palo Alto as well, but you might want to check what is configured on the Palo Alto side...
07-16-2018 01:56 PM
Hello,
I just checked a few PA configs; I am not sure if the Palo Altos support periodic keepalives, I think they require a value. So that means you would have to replace 'periodic' with a value (default is 5 I think):
crypto isakmp keepalive 10 periodic
crypto isakmp keepalive 10 5
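Putting the keepalive change above together with the original question (how to get the Cisco side to bring the tunnel up on its own): an added example, not posted by anyone in this thread, of using IP SLA to generate traffic that matches the crypto ACL so the router initiates IKE itself. It assumes the loopback is Loopback0 with 192.168.100.1 and the remote host is 10.117.0.160 as in the first post; the SLA operation number 10 is arbitrary.

```cisco
! Added example, not from the thread. Dead peer detection stays enabled,
! but as on-demand DPD with a 5 second retry instead of "10 periodic",
! as suggested above for Palo Alto interoperability.
crypto isakmp keepalive 10 5
!
! Generate "interesting traffic" from the router itself: an ICMP probe
! sourced from Loopback0 (192.168.100.1) to 10.117.0.160 matches the
! crypto ACL "permit ip host 192.168.100.1 host 10.117.0.160", so the
! crypto map on Gig0/1 triggers IKE and keeps the SAs refreshed.
! (Operation number 10 is an arbitrary choice.)
ip sla 10
 icmp-echo 10.117.0.160 source-interface Loopback0
 frequency 30
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! Verification:
!   show ip sla statistics 10   - probe success/failure counts
!   show crypto session         - expect "Session status: UP-ACTIVE"
```

This only covers the "no initiator traffic" side of the problem; if the Palo Alto is still sending a delete after phase 1 completes, as noted earlier in the thread, the probe will fail and that has to be resolved on the Palo Alto.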