ASA 9 vpn to Palo ALto

opnineopnine · ‎07-21-2015

Hi all,

I'm working with my asa v9 and with a remote site with Palo Alto , I'm trying to get a site to site vpn (dynamic) but I get rejected in Phase 1.

Any ideas?

thanks

Dinesh Moudgil · ‎07-21-2015

Hi ,

Few things to confirm:-
1. Phase 1 configuration from both the firewalls.
2. Which side is having static IP.

For Phase 1

On Palo Alto:
Go to this path : Network > IKE Crypto , "check the phase 1 profile"

Make sure the profile chosen in above path is same as the profile called in "IKE Gateways > Advanced options" for that specific tunnel.

On ASA:
show run crypto ikev1

Also, running simultaneous debugs on both the firewalls will be helpful:

On Palo Alto
1. tail follow yes mp-log ikemgr.log

2. Go to Monitor > System >
In the search field , type "( subtype eq vpn )" to filter the logs.

3. Initiate the tunnel.

4. Check the output of 1st and 2nd.

On ASA:
1.
debug crypto condition peer x.x.x.x (ip of remote peer)
debug crypto isakmp 200
debug crypto ipsec 200

Here is a document that you can refer to verify the VPN tunnel on both firewalls:-
https://live.paloaltonetworks.com/docs/DOC-3464

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

opnineopnine · ‎07-22-2015

Hello,

Sorry for the delay to answer, the dynamic will be in the ASA side.

Thanks.

Dinesh Moudgil · ‎07-22-2015

Thanks for the update,

Did you get a chance to verify the above mentioned things on the firewalls ?

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

opnineopnine · ‎07-24-2015

Hello Dinesh,

Sorry for the delay , I will have that checked today, what I found out, is that the customer,

In the Ipsec crypto profile is using DH group 2 and in the IKE Crypto Profile is using DH group 5 changed both to DH group2 , but will the same issue.

thanks.

Dinesh Moudgil · ‎07-24-2015

Matching IPSec and ISAKMP paramters on the same device won't make a difference as most likely phase 1 parameters are not matching on both the firewalls.

Can you run the debug commands mentioned in the first thread and share the outputs.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

opnineopnine · ‎07-29-2015

Hello Dinesh,

Im still with the same issue, and I put both devices in the same switch did a basic configuration on both, in the ASA I configured an ACL permit any any , but when I do a ping from PAN to the ASA I don´t get any answer.

Any ideas?

Thanks

Dinesh Moudgil · ‎07-29-2015

1. Are you pinging the ASA directly or sourcing it from the interface which is connected to switch ?
On PA, try "ping source "external interface" host "ASA's IP" "
2. Make sure you have got interface management profile on Palo Alto to allow ICMP.

When you initiate pings from PAN to ASA.
Run a capture on ASA on outside interface and check whether the packets are reaching or not.

Share the output of the following command:-
capture capi interface outside match ip host <PA firewall's IP> host <ASA's external IP>

Regards,
Dinesh Moudgil

P.S. Please rate helpful post.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

opnineopnine · ‎08-03-2015

Hello Dinesh,

I configured in the mgmt interface from the PAN the ping, ssh, icmp , but still cant make it work.

thanks

Dinesh Moudgil · ‎08-03-2015

Please confirm whether you see the the arp entry created for PA firewall on switch and the ASA as well.

For testing , initiate traffic from ASA and take captures on PA firewall to confirm whether they are getting dropped or not. If you do not see any packets , then most probably packets are not even making it to the PA device.

Here is the link for taking captures on PA firewalls.
You can

Regards,
Dinesh Moudgil

P.S. Please rate helpful post.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/