IPSec site to site - ASA dynamic and Palo Alto static

networkops3
Level 1

Has anyone had any experience with the following:

I have an ASA 5510 at a branch location and I'm trying to set up an IPsec S2S between the two. The ASA gets its external address from the provider via DHCP and the Palo Alto is static.

When configuring the Palo end, I set the peer device as dynamic. However, it still requires an identifier, either an IP address or a FQDN. Is there a way of setting up a FQDN within the ASA, e.g. something@mycompany.com, so the Palo can use this?

13 Replies

Shakti Kumar
Cisco Employee

Hello networkops3,

FQDN is generally used in cases where the authentication is via certificate; in the case of authentication via pre-shared key, we generally use the IP address as the identity.

You can look at the current identity set on the ASA from the output of

sh run all crypto isakmp

Please consider other tunnels as well, since making any changes to the identity might affect other tunnels.

Please mark as correct if helpful.

Thanks

Shakti

Hi Shakti,

Using the IP address is not an option, as there is no guarantee of retaining that IP since it's DHCP. In the end I used: crypto isakmp identity hostname.

This worked after leaving the ASA disconnected and getting a new IP from ISP.

Hi,

Try this:

pr-fw01(config)# crypto isakmp identity ?

configure mode commands/options:
  address   Use the IP address of the interface for the identity
  auto      Identity automatically determined by the connection type: IP
            address for preshared key and Cert DN for Cert based connections
  hostname  Use the hostname of the router for the identity
  key-id    Use the specified key-id for the identity
pr-fw01(config)# crypto isakmp identity k
pr-fw01(config)# crypto isakmp identity key-id ?

configure mode commands/options:
  WORD  key-id string
pr-fw01(config)# crypto isakmp identity key-id "peer_identified"

Andrea

It's been a while for this thread but wanted to give it a shot.

I have a similar situation, but the remote end is a C867VAE with a 3G SIM card. I tried using the hostname as the tunnel identifier, but I still see Phase 1 mismatch issues from the PA end.

I even tried enabling NAT-T on both ends (no crypto ipsec nat-transparency udp-encapsulation). However, the PA sees IKE messages from three different public IPs (different IPs assigned for NATing through the mobile service provider), and using the hostname hasn't worked for me either.


Has anyone had luck with this in a similar 3G setup? 


Thanks,

Gihan

Hi networkops3,

Similar situation: Palo Alto FW static but ASA getting IP via DHCP from ISP. To be clear, you only configured crypto isakmp identity hostname (ASA hostname) and it worked? What was the identity on the PA FW side you used?

With hostname you need DDNS to make the ASA change the name<->IP mapping whenever it receives a new IP from the ISP.

Or simply use dynamic IPsec.

MHM

The value you would need to select on the Palo from the remote identification dropdown menu would be FQDN, and then you add the ASA hostname in there. You don't have to configure any local identification on the Palo; if none is defined, the Palo will use its local IP during the negotiation with the ASA.

Adding the hostname of the ASA to the following field did not work. In fact, the PA FW is giving me the error: "IKE phase-1 negotiation is failed. Could not find configuration for IKE phase-1 request for peer IP." Still investigating. CORRECTION TO THE PICTURE BELOW: On the ASA side, I configured as crypto isakmp identity the HOSTNAME, not key-id.

[image: pafw.png]

Did you manage to resolve this issue in the end?

SOLUTION: It does NOT work with IKEv1. With IKEv2, using the HOSTNAME of the ASA in the FQDN (hostname) field of the Palo Alto FW did the trick and worked. We tried also the KEY-ID in the PA FW field, but you must CONVERT the key-id value from the ASA configuration to HEX and use that HEX value in the PA FW field.

We used the following link for conversion: https://www.rapidtables.com/convert/number/ascii-to-hex.html
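The following is an added helper script, not code from the thread or from either vendor. It reads the `crypto isakmp identity` line out of an ASA running-config excerpt (as returned by `sh run all crypto isakmp`), then derives the peer-identification type and value to enter on the Palo Alto side according to what this thread reports: hostname maps to the FQDN field and only worked with IKEv2, and a key-id must be entered as its ASCII-to-hex form. The Palo Alto field labels ("FQDN", "Key ID", "IP address"), the `ike_version` parameter and the sample config lines are assumptions for the example; the hex conversion is the same ASCII-to-hex step the post above did with an online converter, performed locally instead.

```python
import re
from typing import Optional, Tuple

# Constructed sample: a fragment of the kind of output "sh run all crypto isakmp"
# produces on an ASA (assumed for this example, not taken from a real device).
SAMPLE_ASA_CONFIG = """\
crypto isakmp identity key-id "peer_identified"
crypto isakmp nat-traversal 20
"""

# Matches the identity types shown in the "crypto isakmp identity ?" help above.
_IDENTITY_RE = re.compile(
    r'^\s*crypto isakmp identity\s+(address|auto|hostname|key-id)(?:\s+"?([^"\s]+)"?)?\s*$'
)


def parse_asa_identity(config_text: str) -> Tuple[str, Optional[str]]:
    """Return (identity_type, value) from ASA config text.

    value is only meaningful for key-id; hostname/address/auto carry none.
    The ASA default is 'auto' (IP address for pre-shared keys), so that is
    returned when no identity line is present.
    """
    for line in config_text.splitlines():
        m = _IDENTITY_RE.match(line)
        if m:
            return m.group(1), m.group(2)
    return "auto", None


def ascii_to_hex(value: str) -> str:
    """ASCII string -> lowercase hex string, as the Palo Alto key-id field needs."""
    return value.encode("ascii").hex()


def pa_peer_identification(
    identity_type: str, value: Optional[str], ike_version: int, asa_hostname: str
) -> Tuple[str, str]:
    """Map an ASA identity setting to (Palo Alto peer-id type, value).

    Raises ValueError for the combinations the thread reports as not working
    or for which the needed value is not available.
    """
    if identity_type == "hostname":
        if ike_version != 2:
            # The thread's finding: hostname as peer-id did not negotiate under IKEv1.
            raise ValueError("hostname identity only negotiated with IKEv2 in the thread")
        return ("FQDN", asa_hostname)  # assumed PA field label
    if identity_type == "key-id":
        if not value:
            raise ValueError("key-id identity configured without a key-id string")
        return ("Key ID", ascii_to_hex(value))  # assumed PA field label; hex form required
    if identity_type in ("address", "auto"):
        # Only workable when the ASA's outside address is static, which is the
        # case the thread is trying to avoid (DHCP-assigned address).
        raise ValueError("IP-based identity needs a static ASA address; not usable with DHCP")
    raise ValueError(f"unsupported ASA identity type: {identity_type}")


def plan_from_config(config_text: str, ike_version: int, asa_hostname: str) -> Tuple[str, str]:
    """Convenience wrapper: parse the ASA config and produce the PA peer-id entry."""
    identity_type, value = parse_asa_identity(config_text)
    return pa_peer_identification(identity_type, value, ike_version, asa_hostname)


if __name__ == "__main__":
    print(plan_from_config(SAMPLE_ASA_CONFIG, ike_version=2, asa_hostname="pr-fw01"))
```

Run it against a pasted `sh run all crypto isakmp` excerpt; the returned pair is what to select and type in the Palo Alto IKE gateway's peer identification fields. The `ValueError` cases are deliberate: they flag the IKEv1-plus-hostname and DHCP-plus-IP combinations before anyone spends time reading "Could not find configuration for IKE phase-1 request for peer IP" on the PA.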

I think the issue is that the ASA uses the IP as Peer-ID by default for IKEv1.

You need to configure the ASA to use the hostname as Peer-ID.

MHM

In fact, I would not use IKEv1 anymore because it has been deprecated as per the IETF.

Just for notice:
Sure, IKEv2 is more secure.

MHM