07-16-2018 09:20 AM - edited 03-05-2019 10:46 AM
I have an IPsec LAN-to-LAN tunnel between a Cisco router and a Palo Alto FW. The tunnel remains UP-ACTIVE if there is interesting traffic - The tunnel goes down if there is no interesting traffic. The problem I am having is that I cannot bring the tunnel up from the Cisco side - If I initiate a ping from the Cisco side to go through the VPN, this will not bring the tunnel up. If I initiate the ping from the Palo Alto side then the tunnel comes up.
How do I have to configure the Cisco router to keep the tunnel UP-ACTIVE at all times?
How can I bring the tunnel up from the Cisco router side?
! Phase 1 (IKEv1) policy
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28400
crypto isakmp key MYVPN! address x.x.x.x
crypto isakmp invalid-spi-recovery
! Dead peer detection, not a keepalive that brings the tunnel up
crypto isakmp keepalive 10 periodic
! Phase 2 (IPsec) proposal
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map MYMAP 10 ipsec-isakmp
 set peer x.x.x.x
 set security-association lifetime kilobytes 65000
 set transform-set MYSET
 match address Dublin_Subnet
! Interesting traffic for the crypto map
ip access-list extended Dublin_Subnet
 permit ip host 192.168.100.1 host 10.117.0.160 log
!
07-16-2018 06:16 PM
All, this has been resolved. The Palo was using "set pfs group5" - I added this config and the tunnel comes up and stays up.
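The symptom in this thread (Phase 2 only completes when the peer initiates) is what a one-sided PFS setting looks like, and it is easy to catch before it bites by laying the negotiable parameters of both ends side by side. The script below is an added example, not part of the thread or of either vendor's tooling: it parses the IOS crypto config posted above (peer address left as x.x.x.x, the `rypto` typo corrected) into a flat dictionary, compares it against a constructed stand-in for the Palo Alto proposal, and reports which parameters disagree. The only thing the thread tells us about the Palo Alto side is `set pfs group5`; every other value in `PALO_ALTO_PROPOSAL` is an assumption chosen to match the Cisco policy. `enable_pfs` applies the fix the poster described and the comparison is run again to show the mismatch disappear.

```python
import re

# Constructed from the crypto config posted in the thread (typo fixed, peer kept as x.x.x.x).
CISCO_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28400
crypto isakmp key MYVPN! address x.x.x.x
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map MYMAP 10 ipsec-isakmp
 set peer x.x.x.x
 set security-association lifetime kilobytes 65000
 set transform-set MYSET
 match address Dublin_Subnet
ip access-list extended Dublin_Subnet
 permit ip host 192.168.100.1 host 10.117.0.160 log
"""

# Constructed stand-in for the Palo Alto side. Only pfs_group comes from the thread;
# the rest is ASSUMED to match the Cisco policy so the PFS mismatch is the single difference.
PALO_ALTO_PROPOSAL = {
    "ike_encryption": "aes-256",
    "ike_auth": "pre-share",
    "ike_dh_group": "group5",
    "ipsec_encryption": "aes-256",
    "ipsec_auth": "sha1",
    "pfs_group": "group5",
}

TRANSFORM_RE = re.compile(r"crypto ipsec transform-set \S+ esp-(\w+)(?: (\d+))? esp-(\w+)-hmac")


def parse_cisco(config):
    """Pull the negotiable IKE/IPsec parameters out of an IOS crypto config.

    Handles only the commands that appear in the posted config; a missing
    'set pfs' in the crypto map is recorded as pfs_group=None (PFS not proposed).
    """
    params = {"pfs_group": None}
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("crypto isakmp policy"):
            section = "isakmp"
            continue
        if line.startswith("crypto map ") and line.endswith("ipsec-isakmp"):
            section = "map"
            continue
        if line.startswith("crypto ipsec transform-set"):
            section = None
            m = TRANSFORM_RE.match(line)
            if m:
                enc, bits, auth = m.groups()
                params["ipsec_encryption"] = enc + ("-" + bits if bits else "")
                params["ipsec_auth"] = "sha1" if auth == "sha" else auth
            continue
        if line.startswith("crypto ") or line.startswith("ip "):
            section = None  # any other top-level command ends the current block
            continue
        parts = line.split()
        if section == "isakmp":
            if parts[0] == "encr":
                params["ike_encryption"] = "-".join(parts[1:])
            elif parts[0] == "authentication":
                params["ike_auth"] = parts[1]
            elif parts[0] == "group":
                params["ike_dh_group"] = "group" + parts[1]
        elif section == "map" and parts[:2] == ["set", "pfs"]:
            params["pfs_group"] = parts[2]
    return params


def find_mismatches(local, peer):
    """Names of the parameters where the two sides disagree, in the peer's key order."""
    return [k for k in peer if local.get(k) != peer[k]]


def enable_pfs(config, group="group5"):
    """Insert 'set pfs <group>' into the MYMAP entry, the change the poster applied."""
    return config.replace(" set transform-set MYSET\n",
                          " set transform-set MYSET\n set pfs %s\n" % group)


if __name__ == "__main__":
    before = find_mismatches(parse_cisco(CISCO_CONFIG), PALO_ALTO_PROPOSAL)
    after = find_mismatches(parse_cisco(enable_pfs(CISCO_CONFIG)), PALO_ALTO_PROPOSAL)
    print("mismatches before fix:", before)  # ['pfs_group']
    print("mismatches after fix: ", after)   # []
```

The comparison is deliberately strict: a parameter that one side configures and the other omits (here `pfs_group`) is flagged the same way as two different values, because that is exactly the kind of asymmetry that produces a tunnel which only ever comes up from one side.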
07-17-2018 07:50 AM
Thanks for posting back to the forum and telling us that the issue is resolved and that the problem was a mismatch in configuration of pfs. +5 for solving your own problem. It is a very good thing when someone asks the forum for help with a problem and then is able to find the solution themselves. Congratulations.
HTH
Rick