Site-to-Site IPSec VPN Between Palo Alto Networks Firewall and Cisco Router using VTI Not Passing Traffic


108629
Created On 09/25/18 17:52 PM - Last Modified 06/06/23 08:08 AM



Issue

A Site-to-Site IPSec VPN has been configured between a Palo Alto Networks firewall and a Cisco router using a Virtual Tunnel Interface (VTI). However, IKE Phase 2 does not come up, so no traffic passes between the Palo Alto Networks firewall and the Cisco router.

In summary, the VPN is down:

  • The tunnel interface is down
  • IKE Phase 1 is up, but IKE Phase 2 is down

Cause

The issue may be caused by an IKE Phase 2 proposal mismatch, specifically a PFS (Diffie-Hellman group) mismatch between the two peers.

Resolution

Configure the Palo Alto Networks Firewall and the Cisco router to have the same PFS configuration.


On the Palo Alto Networks firewall, go to Network > IPSec Crypto. Select the crypto profile applied to the tunnel and make sure its DH Group value matches the PFS group configured on the Cisco router.

On the Cisco router, set the PFS to match the settings on the Palo Alto Networks Firewall.
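As an added illustration (not taken from the article), the following constructed Cisco IOS IKEv1 VTI configuration shows the IPsec profile first without PFS, which reproduces the Phase 2 failure against a Palo Alto Networks IPSec Crypto profile using DH Group "group14", and then with the matching PFS group; profile names, interface names, addresses and the pre-shared key are placeholders.

```cisco
! Constructed example: Cisco IOS VTI peer for a Palo Alto Networks firewall.
! Names, addresses and the pre-shared key are placeholders, not values from the article.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_PSK address 203.0.113.1

crypto ipsec transform-set PA-TS esp-aes 256 esp-sha-hmac
 mode tunnel

! BEFORE (mismatch): no PFS group here while the firewall's IPSec Crypto
! profile uses DH Group "group14". Phase 1 completes, Phase 2 fails,
! and the Tunnel interface stays down.
crypto ipsec profile PA-VTI-BEFORE
 set transform-set PA-TS

! AFTER (corrected): "set pfs" equals the DH Group of the firewall's
! IPSec Crypto profile (group14 on both sides). If the firewall profile
! is set to "no-pfs", omit "set pfs" entirely instead.
crypto ipsec profile PA-VTI
 set transform-set PA-TS
 set pfs group14

interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PA-VTI
```

Only one of the two profiles would be applied in a real configuration; both are shown here so the mismatched and corrected settings can be compared side by side.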


Below is output from the Palo Alto Networks firewall CLI while running tail follow yes mp-log ikemgr.log. The first highlighted section shows the message logged for the PFS mismatch; the second highlighted section shows the messages logged after the PFS mismatch was corrected.

[Screenshot: ikemgr.log output showing the PFS mismatch message, followed by the messages after the fix]

On the Palo Alto Networks firewall, run show vpn flow tunnel-id <id-number> to check whether the encap and decap packet counters are incrementing.

On the Cisco router, enter show crypto ipsec sa to check whether the encaps and decaps packet counters are incrementing.

owner: jlunario

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLbCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail