Help with Peer ID. VPN between ASA and Palo Alto not coming up

faghouri83
Level 1

Hi Everyone,

I'm trying to get a couple of engineers to set up a site-to-site VPN for me. I cannot see the actual firewall CLI or GUI. Our side is an ASA and the other side is a Palo Alto. The phase 1 and phase 2 parameters seem to be correct; however, the tunnel is not coming up. The engineer on the ASA side cannot give me much information, but the Palo Alto engineer is telling me that his firewall is complaining about the peer ID:

0x104d5420 vendor id payload ignored

ignoring unauthenticated notify payload

The problem is, I know what the peer IP address is, but I've never configured a peer ID on an ASA, nor is one configured on the device for the problem above.

Can someone help explain why this is happening, please?

Thanks

Richard Burts
Hall of Fame

We do not have much information to go on here, so let me make some general comments and suggestions.

- On the ASA you configure the peer ID in the crypto map using the command set peer <address>,

and, assuming authentication using shared keys, you also need to configure a shared key for that peer address.

- From the information provided I cannot tell whether the Palo Alto is complaining about an invalid peer ID or about an authentication failure for the configured ID. Perhaps you might get some clarification.

Can you ask the engineer on the ASA side to enable debug crypto isakmp 200, attempt some testing, and then ask the engineer for any debug output that was produced? That might help us understand whether negotiation is being attempted and, if it is failing, at what point it is failing.

 

HTH

Rick

shgrover
Cisco Employee

Hello

Please use the document below. It has the whole configuration for a site-to-site VPN on an ASA.

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html

 

Regards

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question

swj
Cisco Employee

Hi, 

There is not much information on this; however, looking at the explanation, there are two possible issues I can point out based on my past experience.

++ If the ASA is behind a NAT device and the PAN is configured with the public IP as the identity, it will cause the failure.

++ If the pre-shared key is wrong, in my past experience I see this kind of log.

Let me know if this helps.

 

Regards

Swj

Hi,

The local IP is being NAT'd on the ASA to a public IP address. However, the Palo Alto firewall at the other end has a different peer address (outside interface) for the ASA firewall. Is that an issue?

Hi,

According to the explanation, the ASA is behind a NAT device.

Topology:
===========

PA1 ----- PA_NAT ----- ASA

Public IP of PA1 - 172.16.9.163

Public IP of ASA - 172.16.9.160

Public IP of PA_NAT - 172.16.9.171

In the PAN you should set the Peer Identification to 172.16.9.160.

Below is the article I referred to from the PAN KB; hope this helps.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClopCAC

Thanks for that. I will check it out. 
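For readers landing on this thread with the same symptom, here is what the two sides look like in the NAT scenario swj describes, using the addresses from that topology. This is an added illustrative example, not configuration posted by either engineer in this thread. The IKEv1 policy values, object and map names, the LAN subnets (10.1.1.0/24 behind the ASA, 10.2.2.0/24 behind the PA) and the pre-shared key are assumed; the ASA syntax is the 8.4+ IKEv1 form, and the PA side is described by GUI field because that is what the PA engineer would be setting.

```text
! ---- ASA: outside interface 172.16.9.160, reached by the PA through NAT device 172.16.9.171 ----
! Assumed values: policy number, names, subnets, key. Addresses follow swj's topology.

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

! The ASA identifies itself in the IKE ID payload by the address of the outside
! interface, i.e. 172.16.9.160, even though the PA sees the packets arrive from the
! NAT device, 172.16.9.171. This is the "peer ID" the PA is complaining about.
crypto isakmp identity address

! NAT traversal wraps ESP in UDP/4500 so it survives the NAT device (on by default on the ASA).
crypto isakmp nat-traversal 20

crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object network PA-LAN
 subnet 10.2.2.0 255.255.255.0

! Exempt the tunnel traffic from the ASA's own NAT so it still matches the crypto ACL.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static PA-LAN PA-LAN no-proxy-arp route-lookup

access-list VPN-TO-PA extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! "set peer" names the remote gateway (the PA's public IP). It does not set the ASA's own identity.
crypto map OUTSIDE-MAP 10 match address VPN-TO-PA
crypto map OUTSIDE-MAP 10 set peer 172.16.9.163
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside

! The tunnel-group is named after the peer address and holds the PSK for that peer.
tunnel-group 172.16.9.163 type ipsec-l2l
tunnel-group 172.16.9.163 ipsec-attributes
 ikev1 pre-shared-key <same-key-as-configured-on-the-PA>

! ---- Palo Alto, IKE Gateway (Network > Network Profiles > IKE Gateways), set by the PA engineer ----
! Peer IP Address:       172.16.9.171              <- where the IKE packets actually come from (NAT device)
! Peer Identification:   IP address, 172.16.9.160  <- what the ASA sends in its ID payload
! Local Identification:  IP address, 172.16.9.163  (default: the PA's interface address; matches the ASA tunnel-group)
! Pre-shared Key:        same value as on the ASA
! Leaving Peer Identification empty makes the PA expect the ID to equal 172.16.9.171, so the
! ASA's 172.16.9.160 is rejected even though every phase 1 and phase 2 parameter matches.

! ---- Verification on the ASA after the change ----
! show crypto ikev1 sa     -> expect the 172.16.9.163 entry in state MM_ACTIVE
! show crypto ipsec sa     -> expect #pkts encaps / #pkts decaps increasing under load
! debug crypto ikev1 127   -> if it still fails, shows at which main-mode message the exchange stops
```

The point to take from the split is that the two addresses the PA needs are different objects: the peer IP is a property of the packet (post-NAT source), while the peer identification is a value inside the authenticated IKE payload (the ASA's pre-NAT interface address). A wrong pre-shared key produces a failure at the same stage of main mode, which is why swj lists it as the other candidate; the debug output Richard asks for is what separates the two.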
