08-07-2019 02:19 AM
Hi Everyone
I'm trying to get a couple of engineers to set up a site-to-site VPN for me. I cannot see the actual firewall CLI or GUI. Our side is an ASA and the other side is a Palo Alto. The phase 1 and 2 parameters seem to be correct; however, the tunnel is not coming up. The engineer at the ASA side cannot give me much information, but the Palo Alto engineer is telling me that his firewall is complaining about the peer ID:
0x104d5420 vendor id payload ignored
ignoring unauthenticated notify payload
The problem is, I know what the peer IP address is, but I've never configured a peer ID on an ASA, nor is one configured on the device for the problem above.
Can someone help to explain why this is happening please.
Thanks
08-09-2019 10:42 AM
We do not have much information to go on here. So let me make some general comments and suggestions.
- on ASA you configure peer ID in the crypto map using the command set peer <address>
and, assuming authentication using shared keys, you also need to configure a shared key for that peer address.
- from the information provided I cannot tell whether the Palo Alto is complaining about an invalid peer ID or is complaining about an authentication failure for the configured ID. Perhaps you might get some clarification.
Can you ask the engineer on the ASA side to enable debug crypto isakmp 200, attempt some testing, and ask the engineer for any debug output that was produced. Perhaps that might help us understand whether negotiation is being attempted, and if it is failing, then at what point it is failing.
HTH
Rick
08-09-2019 10:00 PM
Hello
Please use the document below. It has the whole config for site-to-site on an ASA.
Regards
Shikha Grover
PS: Please don't forget to rate and select as validated answer if this answered your question
08-10-2019 01:15 AM
Hi,
There is not much information on this; however, looking at the explanation, there are two possible issues I can point to based on my past experience.
++ If the ASA is behind a NAT device and the PAN is configured with the public IP as the identity, it will cause the failure.
++ If the pre-shared key is wrong; in my past experience I see this kind of log.
Let me know if this helps.
Regards
Swj
08-13-2019 07:29 AM
Hi
The local IP is being NAT'd on the ASA to a public IP address. However, the Palo Alto firewall at the other end has a different peer address (outside int) for the ASA firewall. Is that an issue?
08-13-2019 08:00 AM - edited 08-13-2019 08:06 AM
Hi,
According to the explanation, the ASA is behind the NAT device.
Topology:
===========
PA1 ----- PA_NAT ----- ASA
Public IP of PA1 - 172.16.9.163
Public IP of ASA - 172.16.9.160
Public IP of PA_NAT - 172.16.9.171
In PAN you should mention the Peer Identity as 172.16.9.160.
Below is the article I referred to from the PAN KB; hope this helps.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClopCAC
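To show how Rick's points (set peer plus a shared key for that peer) and the topology above fit together on the ASA side, here is an added IKEv1 site-to-site configuration; it is an illustration written for this thread, not any poster's actual config. The addresses follow the topology above (ASA outside 172.16.9.160 behind the NAT at 172.16.9.171, PA1 at 172.16.9.163); the subnets, object names and the key are constructed placeholders.

```text
! Added example, not from this thread: IKEv1 L2L on an ASA whose outside
! interface (172.16.9.160) sits behind a NAT device (172.16.9.171), peering
! with PA1 at 172.16.9.163. Subnets, names and the key are placeholders.
crypto ikev1 enable outside
! Phase 1 policy; must match the PAN IKE crypto profile
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Phase 2 proposal; must match the PAN IPSec crypto profile
crypto ipsec ikev1 transform-set PAN-TS esp-aes-256 esp-sha-hmac
! Interesting traffic (constructed subnets)
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.2.2.0 255.255.255.0
access-list PAN-VPN extended permit ip object LOCAL-LAN object REMOTE-LAN
! NAT exemption so the VPN traffic itself is not translated by the ASA
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
! "set peer" is the peer ID on the ASA: the PAN's public address
crypto map OUTSIDE-MAP 10 match address PAN-VPN
crypto map OUTSIDE-MAP 10 set peer 172.16.9.163
crypto map OUTSIDE-MAP 10 set ikev1 transform-set PAN-TS
crypto map OUTSIDE-MAP interface outside
! Tunnel group keyed on the same peer address; the PSK must match the PAN
tunnel-group 172.16.9.163 type ipsec-l2l
tunnel-group 172.16.9.163 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
! The ASA sends its own outside address (172.16.9.160) as its IKE identity,
! not the NAT'd 172.16.9.171, so the PAN peer identification must be
! 172.16.9.160 while the PAN peer address stays 172.16.9.171
crypto isakmp identity address
! NAT traversal: ESP is carried in UDP/4500 through the NAT device
crypto isakmp nat-traversal 20
```

With this in place, `show crypto ikev1 sa` on the ASA should show the SA for 172.16.9.163 reaching MM_ACTIVE once the identity and key match on the PAN side.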
08-14-2019 01:13 AM
Thanks for that. I will check it out.