Cisco ASA to PALO alto tunnel IKEV2 behind NAT device Source NAT

jai.s401
Beginner

Building a s2s tunnel to Palo Alto from a Cisco ASA.

172.x.x.x------[ASA]-192.x.x.x -- [FortiWAN]--14.x.x.x --- {Internet} --- 198.x.x.x[Palo Alto]--10.x.x.x

The outside interface of the ASA is on a private segment (192.x.x.x), and the load balancer is terminated with the public IP 14.x.x.x.
The interesting traffic is 172.x.x.x on the ASA and 10.x.x.x on the Palo Alto.
The ASA is behind the FortiWAN load balancer (NAT) device.


The tunnel didn't come up. During a remote troubleshooting session, the peer end (Palo Alto) said they are expecting the phase traffic as well
from exactly the same public IP address (14.x.x.x), not from the same segment but the same IP.

The questions are:

1. Is this possible? If yes, how?
2. I have many tunnels with my local gateway proposed as 14.x.x.x.
If I NAT the private address to the public IP 14.x.x.x, will it collapse all the other tunnels?
3. I have a public WAN pool of addresses 14.x.x.1, 14.x.x.2, etc. Can I use one of those IPs to NAT my private IPs and give it to the peer end?

4. During debug the peer end says they are getting phase 2 traffic from 192.x.x.x (the ASA's outside interface IP). What might be the issue?

How do I get this done?


ASA 5516X version 9.16(4)
IKEv2.


The debug logs are attached.

@cisco asa, @palo alto @source NAT


Can I see the full config of the ASA?

Sheraz.Salim
VIP Advisor

Your ASA and Palo Alto are showing these logs in debug. The PSK is used for identity on the ASA.

IKEv2-PROTO-7: (444): SM Trace-> SA: I_SPI=55DA711E8A726DFF R_SPI=64433DAC65C18774 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-4: (444): Stopping timer to wait for auth message
IKEv2-PROTO-7: (444): SM Trace-> SA: I_SPI=55DA711E8A726DFF R_SPI=64433DAC65C18774 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_NAT_T
IKEv2-PROTO-4: (444): Checking NAT discovery
IKEv2-PROTO-4: (444): NAT INSIDE found
IKEv2-PROTO-7: (444): SM Trace-> SA: I_SPI=55DA711E8A726DFF R_SPI=64433DAC65C18774 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHG_NAT_T_PORT
IKEv2-PROTO-4: (444): NAT detected float to init port 4500, resp port 4500
IKEv2-PROTO-7: (444): SM Trace-> SA: I_SPI=55DA711E8A726DFF R_SPI=64433DAC65C18774 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_PROC_ID
IKEv2-PROTO-7: (444): Received valid parameteres in process id
IKEv2-PROTO-7: (444): SM Trace-> SA: I_SPI=55DA711E8A726DFF R_SPI=64433DAC65C18774 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-7: (444): SM Trace-> SA: I_SPI=55DA711E8A726DFF R_SPI=64433DAC65C18774 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-7: (444): SM Trace-> SA: I_SPI=55DA711E8A726DFF R_SPI=64433DAC65C18774 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_OK_RECD_EXTDB_RESP
IKEv2-PROTO-4: (444): Searching policy based on peer's identity '34.157.146.197' of type 'IPv4 address'
IKEv2-PROTO-2: (444): Failed to locate an item in the database
IKEv2-PROTO-7: (444): SM Trace-> SA: I_SPI=55DA711E8A726DFF R_SPI=64433DAC65C18774 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
IKEv2-PROTO-4: (444): Verification of peer's authentication data FAILED
IKEv2-PROTO-4: (444): Sending authentication failure notify

This could most probably be the PSK not matching. Could you double check that the PSK on both sides is accurate? Plus, your ASA knows it is sitting behind a NAT device, in this case the Fortinet.


ASA to Avya, we see the log entry:

TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 0.0.0.0, end addr: 255.255.255.255
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 0.0.0.0, end addr: 255.255.255.255

The firewall is unable to locate the item: "Failed to locate an item in the database, Verification of peer's authentication data FAILED".

Check if both sides are configured with PSK.

please do not forget to rate.
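As an added illustration (not from the thread or from either poster), a small Python check that walks the ASA IKEv2 debug lines quoted above and separates the NAT-T observation (NAT INSIDE found, ports floated to 4500) from the identity lookup failure that precedes the AUTH failure; configured_peer_ids is an assumed input standing in for the tunnel-groups the ASA actually has.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the ASA debug output quoted in this thread.
SAMPLE_LOG = """\
IKEv2-PROTO-4: (444): Checking NAT discovery
IKEv2-PROTO-4: (444): NAT INSIDE found
IKEv2-PROTO-4: (444): NAT detected float to init port 4500, resp port 4500
IKEv2-PROTO-4: (444): Searching policy based on peer's identity '34.157.146.197' of type 'IPv4 address'
IKEv2-PROTO-2: (444): Failed to locate an item in the database
IKEv2-PROTO-4: (444): Verification of peer's authentication data FAILED
"""

IDENTITY_RE = re.compile(r"peer's identity '([^']+)' of type '([^']+)'")

@dataclass
class Diagnosis:
    behind_nat: bool = False          # "NAT INSIDE found": this ASA is the NATed side
    nat_t_active: bool = False        # ports floated to UDP/4500, ESP will be UDP-encapsulated
    peer_identity: str | None = None  # IKE ID the peer presented in IKE_AUTH
    policy_lookup_failed: bool = False
    auth_failed: bool = False
    findings: list[str] = field(default_factory=list)

def diagnose(log_text: str, configured_peer_ids: set[str]) -> Diagnosis:
    """Walk ASA IKEv2 debug lines and explain a responder-side IKE_AUTH failure.
    configured_peer_ids is an assumed input: the IKE IDs the ASA has tunnel-groups for."""
    d = Diagnosis()
    for line in log_text.splitlines():
        if "NAT INSIDE found" in line:
            d.behind_nat = True
        elif "NAT detected float to" in line and "4500" in line:
            d.nat_t_active = True
        elif m := IDENTITY_RE.search(line):
            d.peer_identity = m.group(1)
        elif "Failed to locate an item in the database" in line:
            d.policy_lookup_failed = True
        elif "authentication data FAILED" in line:
            d.auth_failed = True
    if d.behind_nat and d.nat_t_active:
        d.findings.append("NAT-T in use: the NAT device must pass UDP/500 and UDP/4500 to the "
                          "ASA and keep both on the one public IP the peer is configured with")
    if d.policy_lookup_failed and d.peer_identity not in configured_peer_ids:
        d.findings.append(f"no tunnel-group matches peer identity {d.peer_identity}; the "
                          "identity the peer sends must equal the tunnel-group name/peer IP")
    elif d.auth_failed:
        d.findings.append("identity matched but AUTH failed: compare the PSK on both sides")
    return d
```

Run it against the real debug output and the set of peer IPs in `show running-config tunnel-group` to see whether the failure is an identity mismatch or a PSK mismatch before touching the NAT rules.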