Paloalto FW and Cisco Router IPSec

MrBeginner

Hi,

I would like to check something, so please let me know. I deployed an IPsec tunnel between my Cisco router and Palo Alto FW using VTI.

After configuration, the tunnel is up. The IKEv2 SA is also ready. The IPsec SA is also (Active/Active). Everything is OK.

All traffic passes through the tunnel.

But if I reboot the router, or unplug the WAN link and plug it in again, the tunnel is down. The tunnel didn't come up automatically. I always have to remove "match certificate map" and put it back to bring the tunnel up, or I need to manually initiate from the Palo Alto FW. Do I need to manually initiate after rebooting?

My Palo Alto FW always shows the tunnel as up (phase 1 IKE and phase 2 IPsec) even though the Cisco router's tunnel protocol is down.

crypto pki trustpoint my-ca
enrollment terminal
serial-number none
fqdn r1.my.local
ip-address none
subject-name cn=r1.my.local
revocation-check none
rsakeypair local
!
crypto pki certificate map MAP
subject-name co myfw

crypto ikev2 proposal proposal
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy policy
proposal proposal
!
crypto ikev2 profile profile
description AWS-IKE2 profile
match certificate MAP
identity local dn
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint my-ca
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ipsec profile IPSecProfile
set transform-set TS
set ikev2-profile profile
!
interface Tunnel0
ip address 1.1.1.18 255.255.255.252
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 1.10.10.18
tunnel protection ipsec profile IPSecProfile

interface GigabitEthernet0/0
description WAN LINK
ip address 1.1.1.2 255.255.255.252
shutdown
duplex auto
speed auto
!
router bgp 65200
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 55
neighbor 1.1.1.1 description ISP Peer
!
ip route 10.10.10.0 255.255.255.0 Tunnel0

9 Replies

Hi,
You should configure Dead Peer Detection (DPD) on both the router and the PA firewall. To configure it on the router you can either configure it globally or, alternatively, under the IKEv2 profile.


crypto ikev2 profile AWS-profile
 dpd 30 5 on-demand

OR

crypto ikev2 dpd 30 5 on-demand

Tune the interval/retry (30 5) as required. Do the same on the PA firewall, and make sure the timer intervals match.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFaCAK

HTH

Hi,

This setting is only supported with IKEv1 on the Palo Alto firewall. If we use IKEv2 we can only use tunnel monitoring, but it doesn't work. I use the tunnel IP to monitor, but after rebooting the router the tunnel is still down, and if I remove the cert map, wait a while and then put the cert map back, the tunnel is up. It is not a formal way.

Hi,

Looks like on Palo Alto firewalls IKEv2 DPD = Liveness check. This link here shows how to configure it.

Configure this on the PA, reboot the router and confirm whether this helps. If not, please provide the full debugs from the router for analysis.

You may want to check on the PA whether there are still active IKEv2 SAs when the router is down.

Hi,

I forgot to mention the problem in detail. Now I tried to simulate the error in my office and I got the same error. I created one tunnel between the Palo Alto firewall and the Cisco router.

After rebooting the router, the tunnel is down and the debug message shows [PKI -> IKEv2] Getting of private key FAILED (SESSION ID = 1,SA ID = 1):: Failed to generate auth data: Failed to sign data.

I don't think it is a DPD issue because if I remove the certificate and import it again, the tunnel is up, but if I reboot the router, the tunnel never comes back up. In the site situation, I have an IPsec tunnel to DC 1 and a DMVPN tunnel to DC 2. Also, I got the problem in the IPsec tunnel; the DMVPN tunnel is always up. Please see the debug log below and help me with how to solve it.

The error is here:

*Apr 24 04:18:32.142: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
*Apr 24 04:18:32.142: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key FAILED
*Apr 24 04:18:32.144: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Failed to generate auth data: Failed to sign data
*Apr 24 04:18:32.144: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
*Apr 24 04:18:32.144: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
*Apr 24 04:18:32.144: IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange
*Apr 24 04:18:32.145: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA

Can you verify the certificates on both ends?

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!

hi ,

With this problem, if I delete the certificate and import it again in the Cisco router, the tunnel comes up. I never changed the Palo Alto Firewall side certificate. This problem is between the PA firewall and the Cisco router only; Cisco router to Cisco router is OK.

Hi,
OK, so the tunnel was working correctly (authenticating with the certificate) before rebooting the router; after the reboot it fails to authenticate.

Reboot the router
- Check the clock on the router, is it accurate?
- Please provide the output of "show crypto pki certificates" before you re-enrol

Hi,

Now I think I found the root cause. I set the NTP setting in the router. After that the tunnel is always up whenever I restart. Thanks for your help. But I don't know whether it is related to my issue and whether it can solve it at the operational sites.

Hi,

An accurate clock is critical when authenticating with certificates. Certificates are valid between their start and end dates; if the clock is incorrect, authentication will fail. You should ensure all routers are synced via NTP, ideally from the same source.

HTH
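As an added example (not code from this thread or from Cisco), the Python script below parses the validity dates out of a constructed "show crypto pki certificates" output and evaluates them against two router clocks: one far in the past, as an unsynced router has after a reboot (the 1 Mar 1993 value is an assumption), and one synced by NTP. It shows why the certificate check fails on the cold-booted router and passes once NTP is configured.

```python
import re
from datetime import datetime, timezone

# Constructed sample of "show crypto pki certificates" output (not taken from the thread).
SAMPLE_OUTPUT = """\
Certificate
  Issuer:
    cn=my-ca
  Subject:
    Name: r1.my.local
    cn=r1.my.local
  Validity Date:
    start date: 08:00:00 UTC Apr 1 2024
    end   date: 08:00:00 UTC Apr 1 2026

CA Certificate
  Subject:
    cn=my-ca
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2020
    end   date: 00:00:00 UTC Jan 1 2030
"""

# IOS prints validity as "start date: HH:MM:SS UTC Mon D YYYY" (end date likewise).
DATE_RE = re.compile(r"(start|end)\s+date:\s+(\d\d:\d\d:\d\d) UTC (\w{3}) (\d{1,2}) (\d{4})")
SUBJECT_RE = re.compile(r"Subject:\n(?:\s+Name:[^\n]*\n)?\s+(cn=[^\n]+)")

def parse_certificates(text):
    # One record per certificate block, validity bounds as timezone-aware UTC datetimes.
    certs = []
    for block in text.strip().split("\n\n"):
        dates = {kind: datetime.strptime(f"{t} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
                 .replace(tzinfo=timezone.utc) for kind, t, mon, day, year in DATE_RE.findall(block)}
        subj = SUBJECT_RE.search(block)
        certs.append({"label": block.splitlines()[0].strip(),
                      "subject": subj.group(1) if subj else "?",
                      "not_before": dates["start"], "not_after": dates["end"]})
    return certs

def check_validity(certs, router_clock):
    # Status a validity check sees at the given clock (clock before notBefore = the post-reboot failure).
    def status(c):
        if router_clock < c["not_before"]:
            return "not yet valid"
        return "expired" if router_clock > c["not_after"] else "valid"
    return {c["label"]: status(c) for c in certs}

# Assumed: without NTP or a battery-backed calendar the router boots with a far-past clock (1993 is a constructed value).
COLD_BOOT_CLOCK = datetime(1993, 3, 1, tzinfo=timezone.utc)
SYNCED_CLOCK = datetime(2025, 4, 24, 4, 18, 32, tzinfo=timezone.utc)
```

Run `check_validity(parse_certificates(SAMPLE_OUTPUT), clock)` with each clock: the cold-boot clock reports every certificate as "not yet valid", the synced clock reports them as "valid".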