Proxy ID Limitation Error


53842
Created On 09/25/18 19:43 PM - Last Modified 06/09/23 08:50 AM




Issue

The following error is displayed after a commit:
Commit error: Tunnel interface tunnel.x multiple binding limitation (10) reached.

 

Cause

There is a limit on the number of Proxy IDs that can be bound to a single Phase 2 (IPSec tunnel); the error above shows that limit as 10.

 

Resolution

To implement VPNs with more than 10 Proxy IDs, configure a second tunnel that reuses the same Phase 1 (IKE gateway) with its own Phase 2 (IPSec tunnel).

or

Supernet the Proxy IDs. For example, instead of using 10.1.0.0/16 and 10.2.0.0/16 as separate entries, the range can be supernetted to 10.0.0.0/8 so that a single entry covers both.

 

To configure the first VPN:

Go to Network > Interfaces. Create a new tunnel interface. Assign the following parameters:

  • Name: tunnel.2
  • Virtual router: Select the existing virtual router.
  • Zone: Select the Layer 3 internal zone from which the traffic will originate.

Go to Network > Network Profiles > IKE Gateways to configure the IKE Phase 1 gateway. Click New and enter:

  • IKE gateway: gw-to-siteX, or any name of your choosing.
  • Local IP address: Select the firewall interface closest to the other VPN endpoint. This is the “public” interface of the firewall.
  • Peer IP address: Enter the IP address of the “public” interface on the other VPN endpoint.
  • Pre-shared Key: Enter a key of your choosing, and remember it so you can enter it in the other firewall’s VPN configuration.

To configure the IKE Phase 2 VPN, go to Network > IPSec Tunnels. Create a new VPN with the following parameters:

  • Name: vpn-to-siteX, or any name of your choosing.
  • Tunnel interface: Pull down to select tunnel.2
  • IKE gateway: Pull down to select the IKE gateway you created in the previous step

Next, build your Proxy IDs on this IPSec tunnel. Remember the limit is 10 per tunnel.


When creating your second IPSec tunnel, you can refer to the same IKE Gateway. Remember to use a different tunnel interface (in this example, tunnel.3).


The Proxy IDs on the second tunnel cannot duplicate those on the first tunnel: each local/remote pair must differ in at least one element. Using different Local Proxies in the second list of 10 is one way to satisfy this.


Note: From PAN-OS 5.0, the Proxy ID limit has been increased to 250 per tunnel, except on the Palo Alto Networks PA-200, which has a limit of 25 Proxy IDs. Throughput on a tunnel with 250 Proxy IDs configured is similar to a tunnel with only one configured. Each Proxy ID counts toward the platform limit for VPN tunnels.
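The following is an added planning helper, not code from this article or from Palo Alto Networks. It applies the three rules stated above in working code: it splits a list of (local, remote) Proxy ID pairs across tunnels so that no tunnel exceeds the per-tunnel limit, it flags any pair that is repeated across tunnels (which the commit rejects), and it computes the smallest single supernet that covers a list of prefixes together with how many addresses that supernet adds beyond the originals, since anything inside the supernet becomes interesting traffic for the tunnel. The limit values are the ones stated in this article; the function names and the sample prefixes are constructed for the example.

```python
import ipaddress
from collections import Counter

# Per-tunnel Proxy ID limits as stated in the article (constructed mapping):
# 10 in the release this procedure was written for, 250 from PAN-OS 5.0,
# and 25 on the PA-200.
PROXY_ID_LIMITS = {"pre-5.0": 10, "5.0+": 250, "5.0+ PA-200": 25}


def split_into_tunnels(proxy_ids, limit):
    """Chunk (local, remote) Proxy ID pairs into tunnels of at most `limit`
    entries, mirroring the 'second IPSec tunnel on the same IKE gateway'
    workaround. Returns one list per tunnel interface."""
    if limit < 1:
        raise ValueError("limit must be positive")
    return [proxy_ids[i:i + limit] for i in range(0, len(proxy_ids), limit)]


def duplicate_proxy_ids(tunnels):
    """Return (local, remote) pairs that appear in more than one tunnel.
    The firewall rejects such duplicates: a pair on the second tunnel must
    differ from every pair on the first in at least one element."""
    seen = Counter()
    for tunnel in tunnels:
        for pair in set(tunnel):      # count a pair once per tunnel
            seen[pair] += 1
    return sorted(pair for pair, count in seen.items() if count > 1)


def smallest_supernet(prefixes):
    """Smallest single prefix containing every prefix in `prefixes` (the
    'supernet the Proxy IDs' option). Also returns how many addresses the
    supernet adds beyond the original prefixes; that extra space is pulled
    into the tunnel's interesting traffic and should be reviewed deliberately."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    if len({n.version for n in nets}) != 1:
        raise ValueError("all prefixes must be the same IP version")
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return candidate, candidate.num_addresses - covered


def plan(proxy_ids, limit):
    """Combine the checks: how many tunnels are needed and which pairs collide."""
    tunnels = split_into_tunnels(proxy_ids, limit)
    return {"tunnels": len(tunnels), "duplicates": duplicate_proxy_ids(tunnels)}


if __name__ == "__main__":
    # Constructed sample: twelve local /16s to one remote /24, plus one
    # accidental repeat of the first pair, planned against the limit of 10.
    pairs = [(f"10.{i}.0.0/16", "192.168.100.0/24") for i in range(1, 13)]
    pairs.append(pairs[0])
    result = plan(pairs, PROXY_ID_LIMITS["pre-5.0"])
    print(f"tunnels needed: {result['tunnels']}")
    print(f"pairs repeated across tunnels: {result['duplicates']}")
    net, extra = smallest_supernet([p[0] for p in pairs])
    print(f"supernet covering all local prefixes: {net} (+{extra} extra addresses)")
```

Run it as-is to see the constructed sample planned into two tunnels with the repeated pair reported; substitute your own pairs and the limit for your platform. The supernet figure is the point to check before choosing the second option: 10.1.0.0/16 and 10.2.0.0/16 cannot be merged exactly, so the smallest covering prefix is 10.0.0.0/14 and it brings two further /16s into the encryption domain.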

 

owner: dlorenzen



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clc9CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail