I would like to check this, so please let me know. I deployed an IPsec tunnel between my Cisco router and Palo Alto FW using VTI.
After configuration, the tunnel is up. The IKEv2 SA is also ready. The IPsec SA is also (Active/Active). Everything is OK.
All traffic passes through the tunnel.
But if I reboot the router, or unplug the WAN link and plug it in again, the tunnel is down. The tunnel doesn't come up automatically. I always have to remove "match certificate map" and put it back again to bring the tunnel up, or I need to manually initiate it from the Palo Alto FW. Do I need to manually initiate it after rebooting?
My Palo Alto FW always shows the tunnel as up (phase 1 IKE and phase 2 IPsec as well) even though the Cisco router's tunnel protocol is down.
crypto pki trustpoint my-ca
!
crypto pki certificate map MAP
 subject-name co myfw
!
crypto ikev2 proposal proposal
crypto ikev2 policy policy
!
crypto ikev2 profile profile
 description AWS-IKE2 profile
 match certificate MAP
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint my-ca
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
crypto ipsec profile IPSecProfile
 set transform-set TS
 set ikev2-profile profile
!
! interface headers were missing from the post; names restored from "tunnel source" and the static route
interface Tunnel0
 ip address 126.96.36.199 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 188.8.131.52
 tunnel protection ipsec profile IPSecProfile
!
interface GigabitEthernet0/0
 description WAN LINK
 ip address 184.108.40.206 255.255.255.252
!
router bgp 65200
 neighbor 220.127.116.11 remote-as 55
 neighbor 18.104.22.168 description ISP Peer
!
ip route 10.10.10.0 255.255.255.0 Tunnel0
You should configure Dead Peer Detection (DPD) on both the router and the PA firewall. To configure it on the router you can either configure it globally or, alternatively, under the IKEv2 profile.

Under the profile:
crypto ikev2 profile AWS-profile
 dpd 30 5 on-demand

Or globally:
crypto ikev2 dpd 30 5 on-demand

Tune the interval/retry (30 5) as required. Do the same on the PA firewall, and make sure the timer intervals match.
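As an added example (not from this thread, and not a Cisco tool), a small Python lint that applies the rule above to an IOS config excerpt: a `dpd` line inside a profile overrides the global `crypto ikev2 dpd`, a profile with neither is flagged, and an rsa-sig profile that names no `pki trustpoint` is flagged as well. The sample config and the profile names in it are constructed.

```python
import re

# Constructed sample (not the poster's full config): one profile with its own
# DPD line and a trustpoint, one with neither. GLOBAL_DPD is the global form.
SAMPLE_CONFIG = """\
crypto ikev2 profile AWS-profile
 match certificate MAP
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint my-ca
 dpd 10 3 periodic
crypto ikev2 profile BARE
 authentication local rsa-sig
 authentication remote rsa-sig
"""
GLOBAL_DPD = "crypto ikev2 dpd 30 5 on-demand\n"
DPD_RE = re.compile(r"^(?:crypto ikev2 )?dpd\s+(\d+)\s+(\d+)\s+(on-demand|periodic)$")

def parse_blocks(config):
    """Split IOS config into (top-level command, [indented subcommands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            blocks[-1][1].append(raw.strip())  # continuation of the last block
        else:
            blocks.append((raw.strip(), []))
    return blocks

def dpd_of(line):
    m = DPD_RE.match(line)  # (interval, retry, mode) or None
    return (int(m.group(1)), int(m.group(2)), m.group(3)) if m else None

def lint_ikev2(config):
    """Map each IKEv2 profile name to its effective DPD tuple and a list of findings."""
    blocks = parse_blocks(config)
    global_dpd = next((d for head, _ in blocks if (d := dpd_of(head))), None)
    report = {}
    for head, subs in blocks:
        if not head.startswith("crypto ikev2 profile "):
            continue
        # A 'dpd' line inside the profile overrides the global 'crypto ikev2 dpd'.
        dpd = next((d for s in subs if (d := dpd_of(s))), global_dpd)
        issues = ["no DPD configured globally or in the profile"] if dpd is None else []
        if "authentication local rsa-sig" in subs and not any(s.startswith("pki trustpoint ") for s in subs):
            issues.append("rsa-sig profile names no pki trustpoint")
        report[head.split()[-1]] = {"dpd": dpd, "issues": issues}
    return report
```

Feed it `show running-config | section crypto ikev2` output to see which profiles would still have no liveness check after the change.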
This setting is only supported for IKEv1 on Palo Alto firewalls. If we use IKEv2 we can only use tunnel monitoring, but it doesn't work. I use the tunnel IP to monitor, but after rebooting the router the tunnel is still down; I remove the cert map, wait a while, and then put the cert map back, and the tunnel is up. That is not a proper way.
Looks like on Palo Alto firewalls IKEv2 DPD = liveness check. This link here shows how to configure it.
Configure this on the PA, reboot the router and confirm whether this helps. If not, please provide the full debugs from the router for analysis.
You may also want to check on the PA whether there are still active IKEv2 SAs when the router is down.
I forgot to mention the detailed problem. Now I tried to simulate the error in my office and I got the same error. I created one tunnel between a Palo Alto firewall and a Cisco router.
After rebooting the router, the tunnel is down and the debug message shows: [PKI -> IKEv2] Getting of private key FAILED (SESSION ID = 1,SA ID = 1):: Failed to generate auth data: Failed to sign data.
I don't think it is a DPD issue, because if I remove the certificate and import it again the tunnel is up, but if I reboot the router the tunnel never comes back up. In the site situation, I have an IPsec tunnel to DC 1 and a DMVPN tunnel to DC 2. I only get the problem on the IPsec tunnel; the DMVPN tunnel is always up. Please see the debug log below and help me solve it.
The error is here:
*Apr 24 04:18:32.142: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
*Apr 24 04:18:32.142: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key FAILED
*Apr 24 04:18:32.144: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Failed to generate auth data: Failed to sign data
*Apr 24 04:18:32.144: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
*Apr 24 04:18:32.144: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
*Apr 24 04:18:32.144: IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange
*Apr 24 04:18:32.145: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA
Can you verify the certificates on both ends?