08-13-2022 12:39 PM
Build a s2s tunnel to palo alto from cisco ASA.
172.x.x.x------[ASA]-192.x.x.x -- [FortiWAN]--14.x.x.x --- {Internet} --- 198.x.x.x[Palo Alto]--10.x.x.x
The outside interface of the ASA is on a private segment (192.x.x.x), and the load balancer terminates with the public IP 14.x.x.x.
The interesting traffic is 172.x.x.x on the ASA and 10.x.x.x on the Palo Alto.
The ASA is behind the FortiWAN load balancer (NAT) device.
The tunnel didn't come up. During a remote troubleshooting session, the peer end (Palo Alto) said they are expecting the phase traffic as well
from exactly the same public IP address (14.x.x.x), not the same segment but the same IP.
The questions are:
1. Is this possible? If yes, how?
2. I have many tunnels with the proposal of my local gateway as 14.x.x.x.
If I NAT the private address to the public IP 14.x.x.x, will it collapse all the other tunnels?
3. I have a public WAN pool of addresses 14.x.x.1, 14.x.x.2, etc. Can I use one of those IPs to NAT my private IPs and give it to the peer end?
4. During debug the peer end says they are getting phase 2 traffic from 192.x.x.x (the ASA's outside interface IP). What might be the issue,
and how to get this done?
ASA 5516X version 9.16(4)
IKEv2.
the debug logs are attached.
@cisco asa, @palo alto @source NAT
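As an added illustration of the ASA side of this topology (my own example, not the poster's configuration and not taken from the thread), the fragment below shows the pieces that have to line up for an IKEv2 PSK site-to-site tunnel through an upstream NAT. Documentation ranges stand in for the masked addresses (172.16.0.0/16 for 172.x.x.x, 10.0.0.0/8 for 10.x.x.x, 198.51.100.10 for the Palo Alto's 198.x.x.x); the object, proposal, map and interface names, the cipher choices and the PSK placeholder are all assumptions.

```text
! --- IKEv2 policy (phase 1) and IPsec proposal (phase 2); cipher choices are assumed ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! --- Interesting traffic: local 172.x.x.x LAN to the Palo Alto's 10.x.x.x LAN ---
object network LOCAL-LAN
 subnet 172.16.0.0 255.255.0.0
object network PA-LAN
 subnet 10.0.0.0 255.0.0.0
access-list VPN-TO-PA extended permit ip object LOCAL-LAN object PA-LAN

! --- NAT exemption so the LAN traffic reaches the crypto map untranslated ---
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static PA-LAN PA-LAN no-proxy-arp route-lookup

! --- Crypto map keyed to the Palo Alto's public address (stand-in for 198.x.x.x) ---
crypto map OUTSIDE-MAP 10 match address VPN-TO-PA
crypto map OUTSIDE-MAP 10 set peer 198.51.100.10
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside

! --- The tunnel-group name must equal the IKE identity the peer sends (its IPv4 address
!     by default); this is the "policy based on peer's identity" lookup seen in the debug ---
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <same-psk-as-palo-alto>
 ikev2 local-authentication pre-shared-key <same-psk-as-palo-alto>
```

Two things outside the ASA decide whether this comes up. First, the FortiWAN has to translate the ASA's UDP/500 and UDP/4500 to one fixed public address (14.x.x.x or a spare pool address) with a static 1:1 source NAT rather than a pool that may hand out different addresses per session, because the Palo Alto keys its IKE gateway to a single peer address and NAT-T moves the whole exchange to UDP/4500 once NAT is detected. Second, with PSK the ASA sends its own outside interface address as its IKE identity, and that is the pre-NAT 192.x.x.x, not the public address the packet arrives from; the Palo Alto therefore has to be told to expect that identity (its peer identification setting) while still addressing the gateway as 14.x.x.x. `show crypto ikev2 sa` and `debug crypto ikev2 protocol` on the ASA show which of these steps is failing.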
08-13-2022 02:57 PM - edited 08-15-2022 04:34 AM
Can I see the full config of the ASA?
08-15-2022 03:21 AM
Your ASA and Palo Alto are showing these logs in debug. The PSK is used for identity on the ASA.
IKEv2-PROTO-7: (444): SM Trace-> SA: I_SPI=55DA711E8A726DFF R_SPI=64433DAC65C18774 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-4: (444): Stopping timer to wait for auth message
IKEv2-PROTO-7: (444): SM Trace-> SA: I_SPI=55DA711E8A726DFF R_SPI=64433DAC65C18774 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_NAT_T
IKEv2-PROTO-4: (444): Checking NAT discovery
IKEv2-PROTO-4: (444): NAT INSIDE found
IKEv2-PROTO-7: (444): SM Trace-> SA: I_SPI=55DA711E8A726DFF R_SPI=64433DAC65C18774 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHG_NAT_T_PORT
IKEv2-PROTO-4: (444): NAT detected float to init port 4500, resp port 4500
IKEv2-PROTO-7: (444): SM Trace-> SA: I_SPI=55DA711E8A726DFF R_SPI=64433DAC65C18774 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_PROC_ID
IKEv2-PROTO-7: (444): Received valid parameteres in process id
IKEv2-PROTO-7: (444): SM Trace-> SA: I_SPI=55DA711E8A726DFF R_SPI=64433DAC65C18774 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-7: (444): SM Trace-> SA: I_SPI=55DA711E8A726DFF R_SPI=64433DAC65C18774 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-7: (444): SM Trace-> SA: I_SPI=55DA711E8A726DFF R_SPI=64433DAC65C18774 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_OK_RECD_EXTDB_RESP
IKEv2-PROTO-4: (444): Searching policy based on peer's identity '34.157.146.197' of type 'IPv4 address'
IKEv2-PROTO-2: (444): Failed to locate an item in the database
IKEv2-PROTO-7: (444): SM Trace-> SA: I_SPI=55DA711E8A726DFF R_SPI=64433DAC65C18774 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
IKEv2-PROTO-4: (444): Verification of peer's authentication data FAILED
IKEv2-PROTO-4: (444): Sending authentication failure notify
This could most probably be the PSK not matching? Could you double-check that the PSK on both sides is accurate? Plus, your ASA knows it is sitting behind a NAT device, in this case the Fortinet.
From the ASA to Avya we see the log entry:
TSi Next payload: TSr, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 0.0.0.0, end addr: 255.255.255.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 0.0.0.0, end addr: 255.255.255.255
The firewall is unable to locate: "Failed to locate an item in the database, Verification of peer's authentication data FAILED"
Check if both sides are configured with PSK.
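As an added aid for reading these debugs (my own example, not code from the thread or from Cisco), the parser below pulls the triage fields out of ASA `debug crypto ikev2 protocol` output: which side the ASA detected NAT on, the NAT-T ports, the peer identity it searched a tunnel-group for, and whether that lookup or the AUTH verification failed. The sample input is a constructed excerpt modelled on the lines quoted above (same SA number, SPIs and peer address); the finding codes are my own names, not ASA output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the "debug crypto ikev2 protocol" lines quoted in this thread.
SAMPLE_DEBUG = """\
IKEv2-PROTO-7: (444): SM Trace-> SA: I_SPI=55DA711E8A726DFF R_SPI=64433DAC65C18774 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-4: (444): Stopping timer to wait for auth message
IKEv2-PROTO-4: (444): Checking NAT discovery
IKEv2-PROTO-4: (444): NAT INSIDE found
IKEv2-PROTO-4: (444): NAT detected float to init port 4500, resp port 4500
IKEv2-PROTO-4: (444): Searching policy based on peer's identity '34.157.146.197' of type 'IPv4 address'
IKEv2-PROTO-2: (444): Failed to locate an item in the database
IKEv2-PROTO-4: (444): Verification of peer's authentication data FAILED
IKEv2-PROTO-4: (444): Sending authentication failure notify
"""

LINE_RE = re.compile(r"^IKEv2-PROTO-\d+: \((\d+)\): (.*)$")
TRACE_RE = re.compile(r"I_SPI=([0-9A-Fa-f]+) R_SPI=([0-9A-Fa-f]+) \((I|R)\)")
NAT_RE = re.compile(r"NAT (INSIDE|OUTSIDE) found")
PORT_RE = re.compile(r"float to init port (\d+), resp port (\d+)")
PEER_ID_RE = re.compile(r"peer's identity '([^']+)' of type '([^']+)'")


@dataclass
class IkeSa:
    sa_id: str
    role: Optional[str] = None            # "I" initiator or "R" responder
    i_spi: Optional[str] = None
    r_spi: Optional[str] = None
    nat_local: bool = False               # "NAT INSIDE found": this ASA is behind a NAT
    nat_remote: bool = False              # "NAT OUTSIDE found": the peer is behind a NAT
    nat_t_ports: Optional[Tuple[int, int]] = None
    peer_id: Optional[str] = None
    peer_id_type: Optional[str] = None
    policy_lookup_failed: bool = False    # no tunnel-group matched the peer identity
    auth_failed: bool = False


def parse_ikev2_debug(text: str) -> Dict[str, IkeSa]:
    """Group debug lines by SA number and extract the fields that matter for triage."""
    sas: Dict[str, IkeSa] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sa_id, msg = m.groups()
        sa = sas.setdefault(sa_id, IkeSa(sa_id))
        if (t := TRACE_RE.search(msg)):
            sa.i_spi, sa.r_spi, sa.role = t.groups()
        elif (n := NAT_RE.search(msg)):
            if n.group(1) == "INSIDE":
                sa.nat_local = True
            else:
                sa.nat_remote = True
        elif (p := PORT_RE.search(msg)):
            sa.nat_t_ports = (int(p.group(1)), int(p.group(2)))
        elif (pid := PEER_ID_RE.search(msg)):
            sa.peer_id, sa.peer_id_type = pid.groups()
        elif "Failed to locate an item in the database" in msg:
            sa.policy_lookup_failed = True
        elif "authentication data FAILED" in msg:
            sa.auth_failed = True
    return sas


def diagnose(sa: IkeSa) -> List[str]:
    """Return finding codes (my own names) for one SA, root cause first."""
    findings: List[str] = []
    if sa.nat_local:
        # the upstream NAT must forward UDP/500 and UDP/4500 consistently
        findings.append("LOCAL_BEHIND_NAT")
    if sa.nat_remote:
        findings.append("PEER_BEHIND_NAT")
    if sa.nat_t_ports and sa.nat_t_ports != (4500, 4500):
        findings.append("UNEXPECTED_NAT_T_PORTS")
    if sa.policy_lookup_failed:
        # the ASA found no tunnel-group for the identity the peer sent; the
        # later AUTH failure is a consequence of this, so report only the cause
        findings.append(f"NO_TUNNEL_GROUP_FOR_PEER_ID:{sa.peer_id}")
    elif sa.auth_failed:
        # tunnel-group found but the AUTH payload did not verify: PSK mismatch territory
        findings.append("AUTH_FAILED_CHECK_PSK")
    return findings


if __name__ == "__main__":
    for sa in parse_ikev2_debug(SAMPLE_DEBUG).values():
        print(sa.sa_id, sa.role, sa.peer_id, diagnose(sa))
```

Run against the excerpt above it reports the ASA as the responder behind NAT, NAT-T floated to 4500/4500, and no tunnel-group for peer identity 34.157.146.197; on a debug where the policy search succeeds but AUTH still fails, it reports the PSK finding instead.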