Tunnel Monitoring for VPN Between Palo Alto Networks Firewalls and Cisco ASA is Not Working
Symptom
Environment
- PA-3260
- PAN-OS v.8.1.7
- Cisco ASA
- Tunnel Monitoring
- Multiple Proxy IDs
Cause
There are multiple Proxy-ID pairs on the Palo Alto Networks firewall that are bound to the same tunnel, but only one tunnel monitor can be enabled, because the configuration allows only one destination IP and, by default, uses the tunnel interface IP as the source IP.
In multiple Proxy-ID scenarios, multiple Phase-2 SAs are created, one for each configured Proxy-ID pair, and all of them are bound to the same tunnel. When tunnel monitoring is enabled, the Palo Alto Networks firewall sends the same monitor packets through all the Phase-2 SAs bound to that tunnel interface.
The ASA enforces strict checks of Proxy-ID and "interesting traffic." Interesting traffic refers to traffic that the Cisco ASA would permit through its SA. The monitor IPs at either end should be part of the interesting traffic, that is, the actual Proxy-IDs.
For the SAs that do not match this monitor packet, the ASA drops the packet, and since the Palo Alto Networks firewall does not receive a response, the SA is rekeyed.
Palo Alto Networks devices can only source the monitoring packets from the tunnel interface's IP. Palo Alto Networks devices can monitor on a per-tunnel basis, but not on a per-SA basis.
Resolution
- On the Palo Alto Networks firewall, build a new tunnel interface for every Proxy-ID, so the explicit phase 2 SAs are created and only one SA is bound to one tunnel interface.
- Assign the tunnel interface an IP that belongs to the same subnet as the local subnet mentioned in that Proxy-ID.
- Pick an unused IP from the local subnet and configure it as a /32 IP address on the tunnel interface.
- Repeat for all tunnels.
NOTE:
The remote end, as well as the destination to be monitored, should be part of the peer's local Proxy-ID because the Cisco ASA will not respond to a Palo Alto Networks Proxy-ID message and the tunnel will drop.
If the above procedure is not possible due to the complexity or Proxy-ID combinations, then you should not enable tunnel monitoring.
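The following Python script is an added example (not part of this article or of PAN-OS) that models the behaviour described above: it checks, for every Phase-2 SA bound to a tunnel, whether the monitor probe sourced from the tunnel interface IP falls inside that SA's Proxy-ID (otherwise a strict peer drops it and the SA gets rekeyed), and then derives the per-Proxy-ID tunnel layout from the Resolution steps. Proxy-ID names, subnets and addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class ProxyId:
    """One Proxy-ID pair (local/remote selectors), i.e. one Phase-2 SA on the tunnel."""
    name: str
    local: str
    remote: str

    def covers(self, src: str, dst: str) -> bool:
        """True if src->dst is 'interesting traffic' for this SA, as a strict peer checks it."""
        return (ip_address(src) in ip_network(self.local, strict=False)
                and ip_address(dst) in ip_network(self.remote, strict=False))

def probe_outcomes(tunnel_ip: str, monitor_dst: str, proxy_ids) -> dict:
    """The same probe (tunnel-interface IP -> monitor destination) is sent over every
    SA bound to the tunnel; an SA whose Proxy-ID does not cover it drops the probe."""
    return {p.name: ("pass" if p.covers(tunnel_ip, monitor_dst) else "drop")
            for p in proxy_ids}

def tunnel_monitor_is_safe(tunnel_ip: str, monitor_dst: str, proxy_ids) -> bool:
    """Enabling the monitor is only safe when no SA on the tunnel would drop the probe
    (a dropped probe means no reply, and the firewall rekeys the SA)."""
    return all(v == "pass" for v in probe_outcomes(tunnel_ip, monitor_dst, proxy_ids).values())

def plan_per_tunnel(proxy_ids, used_ips) -> dict:
    """Resolution: one tunnel interface per Proxy-ID, addressed as a /32 taken from that
    Proxy-ID's local subnet (the highest host not already in use is chosen here)."""
    plan = {}
    for p in proxy_ids:
        net = ip_network(p.local, strict=False)
        free = [h for h in reversed(list(net.hosts())) if str(h) not in used_ips]
        if not free:
            raise ValueError(f"no unused address left in {p.local} for {p.name}")
        plan[p.name] = f"{free[0]}/32"
    return plan

# Constructed sample: one tunnel, two Proxy-IDs, monitor sourced from tunnel.1's own IP.
SITE_A = ProxyId("siteA", "10.1.1.0/24", "192.168.10.0/24")
SITE_B = ProxyId("siteB", "10.1.2.0/24", "192.168.20.0/24")
PROXY_IDS = [SITE_A, SITE_B]
if __name__ == "__main__":
    # Before: tunnel.1 has 172.16.0.1; neither SA covers the probe, so both drop it.
    print(probe_outcomes("172.16.0.1", "192.168.10.1", PROXY_IDS))
    # After: one tunnel per Proxy-ID, each sourced from a /32 inside its local subnet.
    plan = plan_per_tunnel(PROXY_IDS, used_ips={"10.1.1.1", "10.1.2.1"})
    print(plan)
    print(tunnel_monitor_is_safe(plan["siteA"].split("/")[0], "192.168.10.1", [SITE_A]))
```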
Additional Information
- The above article is based on the default behavior: if tunnel monitoring is enabled for an IPSec tunnel with multiple Proxy-IDs, the firewall sends the same source/destination monitor probes through each of them.
- Since PAN-OS 7.0, there is a CLI-only configuration command to enable tunnel monitoring for a single Proxy-ID:
# set network tunnel ipsec <tunnel_name> tunnel-monitor proxy-id <proxy_id> ...