08-21-2019 01:18 PM
Hi,
I am trying to set up a site-to-site VPN for one of our clients with Palo Alto. However, VPN phase 1 is not coming up, and when I ran debug I am getting a NO_PROPOSAL_CHOSEN error even though both sides are configured properly.
The setup is as below:
|| HQ site - Cisco ASA 10.1.1.1 ===> Cisco ASA 200.1.1.1 || =========================== || Client Palo Alto (202.1.1.1) ||
The IP addresses are examples.
Someone, please help.
09-22-2020 01:54 PM
Were you able to resolve? Running into the same issue.
Thanks
05-05-2023 02:54 PM - edited 05-05-2023 02:55 PM
I had the same issue.
It turned out that the Palo Alto device was expecting prf sha256 and the ASA defaulted to prf sha. I did not have hands-on access to the PA device, but I was provided their debug log to review and we had a session where I watched the PA device get configured. I didn't see a setting specific to prf on that side as they configured the device, but the logs clearly showed that the peer (my Cisco ASA) was offering sha1. It didn't show if it was for the integrity or prf value in the log; however, the only setting on the ASA that offered sha1 (i.e. sha) was prf. Once I changed the ASA to prf sha256, the tunnel came up.
The only setting in the
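
The PRF mismatch described in the last reply can be checked offline before a change window. The following is an added example, not part of the original thread: it parses `crypto ikev2 policy` blocks from an ASA configuration and reports which transform type has no value in common with the peer. The sample configuration, the peer's expected values, and the fallback of `prf sha` when no `prf` line is present (taken from the reply above) are assumptions.

```python
import re

# Transform types both IKEv2 peers must agree on.
FIELDS = ("encryption", "integrity", "group", "prf")

# Assumption from the reply above: with no "prf" line the ASA offers "sha" (SHA-1).
# Other defaults vary by release, so none are assumed here.
ASA_DEFAULTS = {"prf": ["sha"]}

def parse_asa_ikev2_policies(config):
    """Return {priority: {field: [values]}} from 'crypto ikev2 policy' blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ikev2 policy (\d+)", line.strip())
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        if not line.startswith(" "):      # an unindented line ends the block
            current = None
            continue
        parts = line.split()
        if current is not None and parts and parts[0] in FIELDS:
            current[parts[0]] = parts[1:]  # a line may list several values
    for pol in policies.values():
        for field, default in ASA_DEFAULTS.items():
            pol.setdefault(field, default)
    return policies

def mismatches(policy, peer):
    """Transform types where the policy offers nothing the peer accepts."""
    return [f for f in FIELDS if not set(policy.get(f, [])) & set(peer.get(f, []))]

def check(config, peer):
    """Map each policy priority to its list of mismatched transform types."""
    return {p: mismatches(pol, peer)
            for p, pol in parse_asa_ikev2_policies(config).items()}

# Constructed sample: policy 10 has no prf line, policy 20 sets it explicitly.
SAMPLE_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
"""
# Constructed peer expectation, written with ASA keyword names.
PEER = {"encryption": ["aes-256"], "integrity": ["sha256"],
        "group": ["14"], "prf": ["sha256"]}
```

An empty list for a policy means every transform type overlaps with the peer; a non-empty list names the transform to compare against the peer's debug log.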