Site to site VPN between Cisco router and Palo alto

MriduD
Level 1
We have a policy-based site-to-site VPN between a Cisco router and a Palo Alto. But the tunnel goes down and doesn't come up after the IPsec lifetime has expired, and the tunnel only comes up after sending traffic from the Cisco to the Palo Alto, not the other way. When the devices under the Cisco LAN subnet (192.168.2.0/24) try to communicate with the server (under the PA LAN subnet, 10.1.1.0/24), the tunnel doesn't come up. DPD and lifetime are already configured on both the Cisco router and the PA.

 

3 Accepted Solutions

No need to configure the router as responder.

Also, you need one more command:

ip sla schedule <ip sla number> life forever start-time now
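Putting the thread's pieces together, here is an added example (not any poster's own configuration) of the full IP SLA probe on the Cisco side. It assumes the Cisco LAN interface is Vlan1 with an address in 192.168.2.0/24 and that the server behind the Palo Alto is 10.1.1.10 (a placeholder picked from the 10.1.1.0/24 subnet in the question); substitute your own addresses.

```cisco
! Added example: IP SLA probe that keeps the policy-based tunnel up by making
! the Cisco (the IKEv2 initiator) originate interesting traffic continuously.
ip sla 1
 ! Source from a LAN-side address so the echo matches the crypto ACL
 ! (192.168.2.0/24 -> 10.1.1.0/24). An echo sourced from the WAN address is
 ! not "interesting traffic" and would never trigger IKE.
 icmp-echo 10.1.1.10 source-interface Vlan1
 ! frequency / timeout / threshold are left at their defaults
 ! (60 s / 5000 ms / 5000 ms). One probe a minute is far more frequent than
 ! the 3600 s IPsec lifetime, so the Cisco always has traffic to send and,
 ! as initiator, rebuilds the Child SA whenever the old one expires.
!
! Without a schedule the operation is defined but never runs. The default
! "life" is 3600 s, so a schedule without "life forever" stops after an hour
! and the summary shows the probe inactive, which matches the symptom in the
! thread. "start-time now" starts it immediately.
ip sla schedule 1 life forever start-time now
!
! Verification (assumed placeholder values; read your own output):
! show ip sla statistics 1      -> "Latest operation return code: OK", not Timeout
! show crypto ikev2 sa detail   -> this router listed as Initiator of SA
! show crypto ipsec sa          -> pkts encaps/decaps counters increasing
```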


Good to know IP SLA is stable with the tunnel connection.

@paul driver also mentioned a good point: if we know the Palo side configuration, there may be a tweak to keep the tunnel always on.

You can choose whichever best suits your needs.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


Thank you, sir @balaji.bandi.

I manage both the Cisco router and the Panorama. But I am still a newbie, still learning, and there is a lot to learn. If the Cisco IP SLA hadn't worked, I would have tried setting up tunnel monitoring as advised by @paul driver sir.


24 Replies

balaji.bandi
Hall of Fame

 

But the tunnel goes down and doesn't come up after the IPsec lifetime is expired

Also, what logs do you see on the router when the tunnel goes down?

Do you have PFS configured?

You can also use an EEM script to generate traffic (ping the other end's IP) to keep the tunnel up.

 

BB


Thank you for your input.

PFS is configured.

I am not sure about EEM scripting. Please help by sharing any articles you have which can help me understand and create an EEM script.

As you mentioned, IP SLA also does the job.

An EEM script is helpful because even if the tunnel goes down, you can initiate the traffic again based on the logs.

Let me know if you are looking for that EEM script (if IP SLA still does not solve the issue).

BB



This is a classic issue; I see it a lot.

The issue is that Cisco is the initiator and Palo is the responder, and only the initiator builds the Child SA.
The only solution is to run IP SLA on a device behind the Cisco so that the Cisco always initiates traffic and builds the Child SA.

MHM

Thank you, sir. I thought so: Cisco has to be the initiator. But I am not sure if I can configure the router to be the responder.

 

 

https://www.practicalnetworking.net/stand-alone/cisco-ip-sla-using-a-cisco-router-to-generate-traffic/

 

Please advise if the above article would be helpful.

Initiator of SA <<- check this in
show crypto ikev2 sa detail

For the link you shared, it is excellent.
You need only IP SLA icmp echo.

If you face other issues, let me know.

Thanks


Sure. I'll configure it.

Yeah, in that output I could see Cisco being the initiator. Is there a way to make it the responder?

Yeah, in that output I could see Cisco being the initiator. Is there a way to make it the responder? <<- if the client is behind the Cisco and the server is behind the Palo, then sorry, there is no way, because the initiator of traffic is always the client and hence the Cisco is always selected as the initiator of IKEv2.

This is my lab, which I share here for you.
R1 runs IP SLA to keep the IKEv2 session up always.
The IP SLA icmp echo is sourced from the IP on R1 toward R5 (the LAN behind the IKEv2 peer R2).
MHM


Sir, are these additional parameters required to be configured? The IPsec lifetime expires in 3600 seconds. What values should I configure within the IP SLA for the parameters below?

 frequency    Frequency of an operation
  timeout      Timeout of an operation
  threshold    Operation threshold in milliseconds

 

Keep it default; we modify these settings only when we try to detect ISP link flapping, so we tune the timers to detect flapping within a fraction of a second.

The IPsec timer is much longer and the default IP SLA timers are OK for it.

MHM

This is what I configured on one of the routers:


denton(config-ip-sla)#icmp-echo 10.54.4.68 source-interface vlan 1
denton(config-ip-sla-echo)#frequency 3600
denton(config-ip-sla-echo)#timeout 5200
denton(config-ip-sla-echo)#threshold 500
denton(config-ip-sla-echo)#
denton(config-ip-sla-echo)#
denton(config-ip-sla-echo)#exi

 

When you say use the default, should I do it this way as shown below? I am sorry for all these absurd questions.

grapevine(config-ip-sla)#icmp-echo 10.54.4.68 source-interface vlan 1
grapevine(config-ip-sla-echo)#
grapevine(config-ip-sla-echo)#
grapevine(config-ip-sla-echo)#?
IP SLAs Icmp Echo Configuration Commands:
default Set a command to its defaults
exit Exit operation configuration
frequency Frequency of an operation
history History and Distribution Data
no Negate a command or set its defaults
owner Owner of Entry
request-data-size Request data size
tag User defined tag
threshold Operation threshold in milliseconds
timeout Timeout of an operation
tos Type Of Service
verify-data Verify data
vrf Configure IP SLAs for a VPN Routing/Forwarding instance

grapevine(config-ip-sla-echo)#de
grapevine(config-ip-sla-echo)#default ?
frequency Frequency of an operation
history History and Distribution Data
owner Owner of Entry
request-data-size Request data size
tag User defined tag
threshold Operation threshold in milliseconds
timeout Timeout of an operation
tos Type Of Service
verify-data Verify data
vrf Configure IP SLAs for a VPN Routing/Forwarding instance

grapevine(config-ip-sla-echo)#default ?
frequency Frequency of an operation
history History and Distribution Data
owner Owner of Entry
request-data-size Request data size
tag User defined tag
threshold Operation threshold in milliseconds
timeout Timeout of an operation
tos Type Of Service
verify-data Verify data
vrf Configure IP SLAs for a VPN Routing/Forwarding instance

grapevine(config-ip-sla-echo)#default fr
grapevine(config-ip-sla-echo)#default frequency ?
<cr>

grapevine(config-ip-sla-echo)#default frequency

@MHM Cisco World Do I have to configure the Cisco router as IP SLA responder as well? I did configure the IP SLA but it went down.

#sh ip sla summary
IPSLAs Latest Operation Summary
Codes: * active, ^ inactive, ~ pending

ID   Type       Destination   Stats   Return    Last
                              (ms)    Code      Run
-----------------------------------------------------------------------
*1   icmp-echo  10.54.4.68    -       Timeout   2 minutes, 40 seconds ago
