Palo Alto Networks Knowledgebase: Site-to-Site IPSec VPN Between Palo Alto Networks Firewall and Cisco Router using VTI Not Passing Traffic


23072
Created On 02/07/19 23:56 PM - Last Updated 02/07/19 23:56 PM
VPNs

Issue

A Site-to-Site IPSec VPN has been configured between a Palo Alto Networks firewall and a Cisco router using a Virtual Tunnel Interface (VTI). However, IKE Phase 2 does not complete, so no traffic passes through the tunnel between the Palo Alto Networks firewall and the Cisco router.

In summary, the VPN is down:

  • The tunnel interface is down
  • IKE Phase 1 is up but IKE Phase 2 is down

Cause

The issue may be caused by an IKE Phase 2 mismatch, specifically a PFS (Perfect Forward Secrecy) mismatch: the DH group used for PFS differs between the two peers.

Resolution

Configure the Palo Alto Networks Firewall and the Cisco router to have the same PFS configuration.

On the Palo Alto Networks firewall, go to Network > IPSec Crypto. Select the crypto profile applied to the tunnel and make sure the DH Group value matches the PFS group configured on the Cisco router.


On the Cisco router, set the PFS to match the settings on the Palo Alto Networks Firewall.

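The following shows both sides with matching PFS settings, as an added example that is not taken from the article or from either vendor's documentation. Profile, interface and tunnel names, the addresses, the cipher and hash, and the choice of group14 are assumed values; substitute your own.

```text
! Cisco router: IPsec profile applied to the VTI.
! The mismatch looks like "set pfs group2" (or no "set pfs" line at all) here
! while the firewall profile uses group14: Phase 1 completes but Phase 2 fails.
crypto ipsec transform-set PAN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile PAN-VTI
 set transform-set PAN-TS
 set pfs group14
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PAN-VTI

# Palo Alto Networks firewall (configure mode): the DH Group of the IPSec Crypto
# profile must equal the Cisco PFS group (group14 here; "no-pfs" would disable PFS
# on this side and also mismatch a router that has "set pfs" configured).
set network ike crypto-profiles ipsec-crypto-profiles PAN-TO-CISCO esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles PAN-TO-CISCO esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles PAN-TO-CISCO dh-group group14
set network tunnel ipsec cisco-vti auto-key ipsec-crypto-profile PAN-TO-CISCO
commit
```

After the commit, the tunnel renegotiates Phase 2; the ikemgr.log and the counter checks described below confirm whether the mismatch is resolved.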

Below is output from the Palo Alto Networks firewall CLI while running tail follow yes ikemgr.log. The first highlighted box shows the message logged for a PFS mismatch. The second highlighted box shows the messages logged after the PFS mismatch was corrected.

[Screenshot: ikemgr.log output showing the PFS mismatch message, then the successful negotiation after the fix]

On the Palo Alto Networks firewall, run show vpn flow tunnel-id <id-number> to check whether encap and decap packets are incrementing.


On the Cisco router, enter show crypto ipsec sa to check whether encap and decap packets are incrementing.


owner: jlunario

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLbCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail