I'm trying to get a couple of engineers to set up a site-to-site VPN for me. I cannot see the actual firewall CLI or GUI. Our side is an ASA and the other side is a Palo Alto. The phase 1 and 2 parameters seem to be correct; however, the tunnel is not coming up. The engineer at the ASA side cannot give me much information, but the Palo Alto engineer is telling me that his firewall is complaining about the peer ID:
0x104d5420 vendor id payload ignored
ignoring unauthenticated notify payload
The problem is, I know what the peer IP address is, but I've never configured a peer ID on an ASA, nor is one configured on the device for the problem above.
Can someone help to explain why this is happening, please?
We do not have much information to go on here, so let me make some general comments and suggestions.
- On the ASA you configure the peer ID in the crypto map using the command set peer <address>, and, assuming authentication using shared keys, you also need to configure a shared key for that peer address.
- From the information provided I cannot tell whether the Palo Alto is complaining about an invalid peer ID or is complaining about an authentication failure for the configured ID. Perhaps you might get some clarification.
Can you ask the engineer on the ASA side to enable debug crypto isakmp 200, attempt some testing, and ask the engineer for any debug output that was produced? Perhaps that might help us understand whether negotiation is being attempted and, if it is failing, at what point it is failing.
Please use the document below. It has the whole config for site-to-site on an ASA.
PS: Please don't forget to rate and select as validated answer if this answered your question.
There is not much information on this; however, looking at the explanation, there are 2 possible issues which I can point out based on my past experience.
++ If the ASA is behind a NAT device and the PAN is configured with the public IP as the identity, it will cause the failure.
++ If the pre-shared key is wrong, in my past experience I see this kind of log.
Let me know if this helps.
The local IP is being NAT'd on the ASA to a public IP address. However, the Palo Alto firewall at the other end has a different peer address (outside int) for the ASA firewall. Is that an issue?
According to the explanation, the ASA is behind the NAT device.
PA1 ----- PA_NAT ----- ASA
Public IP of PA1 - 172.16.9.163
Public IP of ASA - 172.16.9.160
Public IP of PA_NAT - 172.16.9.171
In the PAN you should configure the Peer Identity as 172.16.9.160.
Below is the article I referred to from the PAN KB; hope this helps.
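Putting the first answer's set peer / shared-key points and the second answer's NAT identity point together, here is an added example ASA configuration for the IKEv1 site-to-site side; it is not from the thread or from any document linked in it. It assumes ASA 8.4+ syntax, that the ASA's outside interface holds 172.16.9.160 (the value the PAN side is told to expect as Peer Identity), the PA1 public IP 172.16.9.163 from the diagram, constructed LAN subnets and a placeholder pre-shared key.

```cisco
! IKEv1 policy-based site-to-site on ASA 8.4+ (example, constructed subnets/key)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! With pre-shared keys the ASA sends the IP of its outside interface as its
! IKE identity. The Peer Identity configured on the PAN must match that value
! (172.16.9.160 here), not whatever source address a NAT device in the path shows.
crypto isakmp identity address
! NAT-T keepalives, relevant when a NAT device sits between the peers
crypto isakmp nat-traversal 20
!
! Interesting traffic (constructed subnets)
object network LOCAL-LAN
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.20.20.0 255.255.255.0
access-list VPN-TO-PAN extended permit ip object LOCAL-LAN object REMOTE-LAN
! Exempt the VPN traffic from the interface NAT so the private subnets are sent as-is
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! "set peer" is the only peer ID the ASA side configures: the public IP of PA1
crypto map OUTSIDE-MAP 10 match address VPN-TO-PAN
crypto map OUTSIDE-MAP 10 set peer 172.16.9.163
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! The tunnel-group name must equal the peer address; the key must match the PAN side
tunnel-group 172.16.9.163 type ipsec-l2l
tunnel-group 172.16.9.163 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
!
! Verification after sending interesting traffic through the tunnel
show crypto ikev1 sa
show crypto ipsec sa peer 172.16.9.163
! The debug suggested in the first answer, under its 8.4+ name
debug crypto ikev1 200
```

If the ASA's outside interface actually carries a private address behind the NAT device, the identity it sends will be that private address, which is the mismatch the second answer describes.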