Solved: Site to site VPN between Cisco router and Palo alto

MriduD · ‎05-31-2024

we have a policy-based site-to-site VPN between cisco router and palo alto. But the tunnel goes down and doesn't come up after the IPsec lifetime is expired. And tunnel only comes up after sending traffic from cisco to palo alto and not the other way. When The devices under the Cisco LAN subnet(192.168.2.0/24) try to communicate with the server (under the PA LAN subnet, 10.1.1.0/24), the tunnel doesn't come up. DPD and lifetime are already configured on both the Cisco router and PA.

MHM Cisco World · ‎06-02-2024

No need to config Router as redponder

Also you need one more command

Ip sla schedule <ip sla number> life forever start now

View solution in original post

balaji.bandi · ‎06-04-2024

Good to know ip sla stable with tunnel connection.

@paul driver he also mentioned good point, if we know palo side configuration, there may be tweak to be done to keep the tunnel on always.

you can choose best suites your needs.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

MriduD · ‎06-05-2024

Thank you sir @balaji.bandi

I manage both the cisco router and the panorama. But, i am still a newbie, still learning and a lot to learn. If the cisco ip sla wouldn't have worked, I would have tried setting up tunnel monitoring as advised by @paul driver sir.

View solution in original post

balaji.bandi · ‎05-31-2024

But the tunnel goes down and doesn't come up after the IPsec lifetime is expired

Also what Logs you see on the router when the tunnel go down ?

Do you have PFS configured ?

you can also do EEM Script to generate Traffic to ping other end IP keep the tunnel come up.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MriduD · ‎06-01-2024

Thank you for your input.

PFS is configured.

I am not sure about eem scripting. Please help by sharing any articles you have which can help me understand and create eem script.

balaji.bandi · ‎06-01-2024

as you mentioned IP SLA also does the job.

EEM Script helpful even if the tunnel go down based on the logs you can initiate the traffic again.

let me know if you looking that EEM script. (still ip sla not solve the issue)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

balaji.bandi · ‎06-04-2024

Good to know ip sla stable with tunnel connection.

@paul driver he also mentioned good point, if we know palo side configuration, there may be tweak to be done to keep the tunnel on always.

you can choose best suites your needs.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MriduD · ‎06-05-2024

Thank you sir @balaji.bandi

I manage both the cisco router and the panorama. But, i am still a newbie, still learning and a lot to learn. If the cisco ip sla wouldn't have worked, I would have tried setting up tunnel monitoring as advised by @paul driver sir.

MHM Cisco World · ‎06-01-2024

this is classic issue I see it a lot,

the issue is Cisco is initiator and Palo is responder and only initiator build Child SA
the only solution is run IP SLA in deceive behind the Cisco make always Cisco initiate traffic and build CA

MHM

MriduD · ‎06-01-2024

Thank you, Sir. I thought so. Cisco has to be the initiator. But, I am not sure if I can configure the router to be the responder.

https://www.practicalnetworking.net/stand-alone/cisco-ip-sla-using-a-cisco-router-to-generate-traffic/

Please advise if the above article would be helpful.

MHM Cisco World · ‎06-01-2024

Initiator of SA <<- check this in
show crypto ikev2 sa detail

for link you share it is excellent
you need only IP SLA icmp echo

if you face other issue let me know

thank

MriduD · ‎06-01-2024

Sure. I'll configure it.

Yeah, in that output I could see Cisco being the initiator. Is there a way to make it the responder?

MHM Cisco World · ‎06-01-2024

Yeah, in that output I could see Cisco being the initiator. Is there a way to make it the responder? <<- if the client behind the cisco and server behind the Palo so sorry there is no way, because always the initiator of traffic is client and hence cisco is always select as initiator of IKEv2

this my lab I share here for you
R1 run IP SLA to make IKEv2 session UP always
the IP SLA icmp echo source from the IP in R1 toward R5 (LAN behind Peer of IKEv2 R2)
MHM

Screenshot (535).png Screenshot (536).png Screenshot (537).png

MriduD · ‎06-02-2024

Sir, Are these additional parameters required to be configured? Ipsec lifetime expires in 3600 seconds. What values should I configure within the IP sla for the parameters below?

 frequency    Frequency of an operation
  timeout      Timeout of an operation
  threshold    Operation threshold in milliseconds

MHM Cisco World · ‎06-02-2024

Keep it defualt' we modify these settings only in case we try to detect isp link flapping so we tune timer to detect flapping in part of sec.

The ipsec timer is more more longe and default of ip sla is ok for it.

MHM

MriduD · ‎06-02-2024

This is what i configured on one of the routers :

denton(config-ip-sla)#icmp-echo 10.54.4.68 source-interface vlan 1
denton(config-ip-sla-echo)#frequency 3600
denton(config-ip-sla-echo)#timeout 5200
denton(config-ip-sla-echo)#threshold 500
denton(config-ip-sla-echo)#
denton(config-ip-sla-echo)#
denton(config-ip-sla-echo)#exi

When you say use default, should I do it this way as shown below? I am sorry for all these absurd questions.

grapevine(config-ip-sla)#icmp-echo 10.54.4.68 source-interface vlan 1
grapevine(config-ip-sla-echo)#
grapevine(config-ip-sla-echo)#
grapevine(config-ip-sla-echo)#?
IP SLAs Icmp Echo Configuration Commands:
default Set a command to its defaults
exit Exit operation configuration
frequency Frequency of an operation
history History and Distribution Data
no Negate a command or set its defaults
owner Owner of Entry
request-data-size Request data size
tag User defined tag
threshold Operation threshold in milliseconds
timeout Timeout of an operation
tos Type Of Service
verify-data Verify data
vrf Configure IP SLAs for a VPN Routing/Forwarding instance

grapevine(config-ip-sla-echo)#de
grapevine(config-ip-sla-echo)#default ?
frequency Frequency of an operation
history History and Distribution Data
owner Owner of Entry
request-data-size Request data size
tag User defined tag
threshold Operation threshold in milliseconds
timeout Timeout of an operation
tos Type Of Service
verify-data Verify data
vrf Configure IP SLAs for a VPN Routing/Forwarding instance

grapevine(config-ip-sla-echo)#default ?
frequency Frequency of an operation
history History and Distribution Data
owner Owner of Entry
request-data-size Request data size
tag User defined tag
threshold Operation threshold in milliseconds
timeout Timeout of an operation
tos Type Of Service
verify-data Verify data
vrf Configure IP SLAs for a VPN Routing/Forwarding instance

grapevine(config-ip-sla-echo)#default fr
grapevine(config-ip-sla-echo)#default frequency ?
<cr>

grapevine(config-ip-sla-echo)#default frequency

MriduD · ‎06-02-2024

@MHM Cisco World Do I have to configure the the cisco router as IP sla responder as well? I did configure the IP sla but it went down.

#sh ip sla summary
IPSLAs Latest Operation Summary
Codes: * active, ^ inactive, ~ pending

ID Type Destination Stats Return Last
(ms) Code Run
-----------------------------------------------------------------------
*1 icmp-echo 10.54.4.68 - Timeout 2 minutes, 40
seconds ago