VPN Tunnel Down Between Palo Alto Networks Firewall Static IP Address and Cisco VTI on Dynamic IP Address

VPN Tunnel Down Between Palo Alto Networks Firewall Static IP Address and Cisco VTI on Dynamic IP Address

26731
Created On 09/25/18 17:39 PM - Last Updated 02/07/19 23:57 PM


Resolution

Symptom

Site-to-Site IPSec VPN has been configured between a Palo Alto Networks firewall and a Cisco router. However, the VTI VPN tunnel does not come up.

Cause

The issue may be due to IKE Phase1 local and peer identification mismatch.

Resolution

  1. Configure PA Firewall (Network > IKE Gateways > Configure IKE Gateway), as in the example below. Ensure that the Local and Peer Identification match with the Cisco Router.
    1.PNG
    Note: Use Aggressive Exchange Mode and Enable Passive Mode if the other end is a Dynamic IP. Choose a local and peer Identification for IKE phase 1 and match this to the Cisco Router Configuration.

  2. With the Cisco router in VTI mode, configure IKE Gateway (see example below).  Again, ensure that the Local and Peer Identification match with the Palo Alto Networks firewall.
    9.PNG

    With the Cisco router in equivalent Crypto Map mode, configure IKE Gateway (see example below).
    2.PNG

owner: jlunario



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHVCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language