Issues forming IPSec Phase 2 btw IOS and Palo Alto FW

Hello,

I am currently having issues forming a tunnel between a Cisco IOS router and a Palo Alto Firewall. I am able to form the IKE Phase 1 tunnel between the two endpoints; however, when it comes to forming the data plane / IPsec tunnel I run into some issues in forming this connection. I have listed the config and debugs below from both devices.

Cisco IOS:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key cisco123!! address 104.100.40.2
crypto ipsec transform-set IPSec_Phase2 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile PROFILE
 set transform-set TSET

#debug crypto isakmp sa

*Oct 3 01:58:53.758: ISAKMP-ERROR: (1052):QM node retransmission timeout, deleting IKE SA immediately
*Oct 3 01:58:53.758: ISAKMP-ERROR: (1052):deleting SA reason "Death by retransmission P2" state (I) QM_IDLE
(peer 104.100.40.2)
*Oct 3 01:58:53.768: ISAKMP-ERROR: (1052):deleting SA reason "Death by retransmission P2" state (I) QM_IDLE
(peer 104.100.40.2)
*Oct 3 01:58:54.147: ISAKMP: (1053):No NAT Found for self or peer

#debug crypto ipsec

Oct 3 02:00:24.955: [] -> [ACL automatic]: message ACL for always up maps
*Oct 3 02:00:24.956: [ACL automatic]: message = ACL for always up maps
*Oct 3 02:00:24.957: [ACL automatic] -> [ACL automatic]: delayed (60000 msec) message ACL for always up map


Palo Alto Firewall:

IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: 104.100.40.2/32 type IPv4_address protocol 47 port 0, received remote id: 75.25.105.10/32 type IPv4_address protocol 47 port 0.
10/02 19:01:41
IKE phase-2 negotiation is started as responder, quick mode. Initiated SA: 104.100.40.2[500]-75.25.105.10[500] message id:0xC8FD0628.
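As an added example (not part of this thread or either vendor's tooling), a small Python helper that parses the Palo Alto proxy-ID failure message quoted above and compares the received local/remote networks and IP protocol against candidate proxy-ID entries, naming exactly which field differs. The candidate entries are constructed, and the field-by-field exact-match rule is assumed here as the IKEv1 Quick Mode comparison.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the Palo Alto system-log line quoted in the post above.
PA_LOG_LINE = (
    "IKE phase-2 negotiation failed when processing proxy ID. cannot find matching "
    "phase-2 tunnel for received proxy ID. received local id: 104.100.40.2/32 type "
    "IPv4_address protocol 47 port 0, received remote id: 75.25.105.10/32 type "
    "IPv4_address protocol 47 port 0."
)

PROXY_ID_RE = re.compile(
    r"received local id: (?P<local>[\d./]+) type \S+ protocol (?P<proto>\d+) port \d+, "
    r"received remote id: (?P<remote>[\d./]+) type \S+ protocol \d+ port \d+"
)

@dataclass(frozen=True)
class ProxyId:
    """One Quick Mode identity pair as the PA logs it: local = PA side, remote = peer side."""
    local: str      # network/prefix, e.g. "104.100.40.2/32"
    remote: str
    protocol: int   # IP protocol number; 0 means "any", 47 is GRE

def parse_pa_proxy_id_failure(line: str) -> Optional[ProxyId]:
    """Extract the proxy ID the firewall says it received; None for unrelated log lines."""
    m = PROXY_ID_RE.search(line)
    if not m or "cannot find matching phase-2 tunnel" not in line:
        return None
    return ProxyId(m["local"], m["remote"], int(m["proto"]))

def explain_mismatch(received: ProxyId, configured: List[ProxyId]) -> List[str]:
    """Compare the received proxy ID with each candidate entry field by field (exact match,
    assumed here as the IKEv1 rule). Returns [] as soon as one entry matches, otherwise one
    line per entry naming the fields that differ."""
    findings = []
    for entry in configured:
        diffs = [f"{name} {want} != {got}" for name, want, got in (
            ("local", entry.local, received.local),
            ("remote", entry.remote, received.remote),
            ("protocol", entry.protocol, received.protocol)) if want != got]
        if not diffs:
            return []
        findings.append(f"{entry.local} <-> {entry.remote} proto {entry.protocol}: " + ", ".join(diffs))
    return findings

if __name__ == "__main__":
    received = parse_pa_proxy_id_failure(PA_LOG_LINE)
    for finding in explain_mismatch(received, [ProxyId("0.0.0.0/0", "0.0.0.0/0", 0)]):
        print(finding)  # constructed catch-all entry with protocol "any" (0)
```

Run against the quoted line, the catch-all candidate is reported as differing in all three fields, including protocol 0 versus the received 47.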


5 Replies

Hi @CarsonDavis56998

You receive the error "cannot find matching phase-2 tunnel for received proxy ID." Can you provide the output of your crypto ACL from the Cisco router and a screenshot of the equivalent from the PA? These should identify the network(s) that should be encrypted and should mirror each other. If they are mismatched, Phase 2 will fail.

Hello Rob, I am not using crypto maps in my VPN. I am instead using an IPsec profile that is attached to a VTI.

Must I use crypto maps to peer with a Palo Alto?

@CarsonDavis56998 how is the Palo Alto VPN configured? If the PA is not also configured to use a tunnel interface, you'll get a mismatch and the IPsec SA will fail to establish.

The PA is configured to use a tunnel interface with the same matching subnet as the router. Palo Alto: 10.0.50.1/30 and Cisco Router: 10.0.50.2/30. The tunnel interface on the PA is also a part of a VPN zone that I created that currently permits all traffic from all zones/sources. I have also confirmed that this tunnel interface is in the correct Virtual Router instance.

Should I perhaps use a crypto map instead? Or is there perhaps something I am doing wrong?