IKEv2 error NO_PROPOSAL_CHOOSEN with Palo alto

Binoy
Level 1

Hi,

I am trying to set up a site-to-site VPN with Palo Alto for one of our clients. However, VPN phase 1 is not coming up, and when I ran debug I am getting the NO_PROPOSAL_CHOOSEN error even though both sides are configured properly.

The setup is like below:

|| HQ site - CiscoASA10.1.1.1===> CiscoASA 200.1.1.1|| ===========================||Client palo alto (202.1.1.1)||

The IP addresses are examples.

  • The internal ASA's private IP address is NATed to the public IP address of the Internet ASA.
  • The Palo Alto is the client-side device.
  • Both sides are configured with the same algorithms, but I could not see any configuration section for PRF in the Palo Alto. Is it possible to disable it in the ASA? Is the Palo Alto using a default PRF?

Someone, please help.

2 Replies

ahmadzubair654
Level 1

Were you able to resolve it? I'm running into the same issue.

Thanks

robert.s
Level 1

I had the same issue. 

It turned out that the Palo Alto device was expecting prf sha256 and the ASA defaulted to prf sha. I did not have hands-on access to the PA device, but I was provided their debug log to review, and we had a session where I watched the PA device get configured. I didn't see a setting specific to prf on that side as they configured the device, but the logs clearly showed that the peer (my Cisco ASA) was offering sha1. It didn't show whether it was for the integrity or prf value in the log; however, the only setting on the ASA that offered sha1 (i.e. sha) was prf. Once I changed the ASA to prf sha256, the tunnel came up.

The only setting in the
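To make the answer above concrete, here is an added example (not code from the thread, Cisco or Palo Alto) that models how an IKEv2 responder matches proposals transform type by transform type, so a PRF mismatch alone produces NO_PROPOSAL_CHOSEN even when encryption, integrity and DH group all agree. The proposal contents are constructed from this thread's account (ASA default `prf sha`, i.e. SHA-1, against a Palo Alto expecting SHA-256) and are illustrative only.

```python
# Added example, not code from the thread or from either vendor: a small model
# of IKEv2 SA proposal selection (RFC 7296 sec. 3.3). It shows why a PRF
# mismatch alone yields NO_PROPOSAL_CHOSEN although ENCR, INTEG and DH match,
# and names the transform type to look for in the debug log. The proposal
# contents are constructed from the thread's account (ASA default "prf sha",
# i.e. SHA-1, against a Palo Alto expecting SHA-256).

TRANSFORM_TYPES = ("ENCR", "PRF", "INTEG", "DH")

def select_proposal(initiator_proposals, responder_proposals):
    """Return (chosen, None) for the first initiator proposal sharing one
    algorithm per transform type with a responder proposal, else
    (None, mismatched_types) for the closest pair: the NO_PROPOSAL_CHOSEN case.
    A proposal is a dict mapping transform type -> set of algorithms."""
    best_mismatch = None
    for init in initiator_proposals:
        for resp in responder_proposals:
            chosen, mismatched = {}, []
            for ttype in TRANSFORM_TYPES:
                common = init.get(ttype, set()) & resp.get(ttype, set())
                if common:
                    chosen[ttype] = sorted(common)[0]  # responder's pick
                else:
                    mismatched.append(ttype)
            if not mismatched:
                return chosen, None
            if best_mismatch is None or len(mismatched) < len(best_mismatch):
                best_mismatch = mismatched
    return None, best_mismatch

# Palo Alto IKE crypto profile as described in the thread: no explicit PRF
# field, yet the peer must offer SHA-256 as PRF (constructed values).
PA_PROFILE = {"ENCR": {"AES-256"}, "PRF": {"SHA256"},
              "INTEG": {"SHA256"}, "DH": {"14"}}
# ASA IKEv2 policy with the default "prf sha" (SHA-1) still in place.
ASA_DEFAULT_PRF = {"ENCR": {"AES-256"}, "PRF": {"SHA1"},
                   "INTEG": {"SHA256"}, "DH": {"14"}}
# The same policy after "prf sha256", the change that brought the tunnel up.
ASA_PRF_SHA256 = dict(ASA_DEFAULT_PRF, PRF={"SHA256"})

def diagnose(asa_policy, pa_profile=PA_PROFILE):
    """Summarise the outcome the way a debug log would report it."""
    chosen, mismatched = select_proposal([asa_policy], [pa_profile])
    if chosen is None:
        return "NO_PROPOSAL_CHOSEN (mismatch: %s)" % ", ".join(mismatched)
    return "CHOSEN: " + " ".join("%s=%s" % kv for kv in chosen.items())

# diagnose(ASA_DEFAULT_PRF) -> "NO_PROPOSAL_CHOSEN (mismatch: PRF)"
# diagnose(ASA_PRF_SHA256)  -> "CHOSEN: ENCR=AES-256 PRF=SHA256 INTEG=SHA256 DH=14"
```

When comparing real debug output, check each transform type separately: a peer log that only says "SHA1 offered" usually points at the PRF when integrity already shows SHA-256 on both sides.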
