Palo Alto Networks Knowledgebase: Error configuring Palo Alto Networks firewall VPN with AWS longer resource IDs - Invalid syntax

Created On 02/08/19 00:04 AM - Last Updated 02/08/19 00:04 AM
VPNs
Symptoms

When configuring an IPsec VPN between an AWS Virtual Private Gateway and a Palo Alto Networks device, you might get an error. If the configuration that AWS generates for the vendor "Palo Alto Networks" uses the longer format resource IDs, you might run into errors while applying the VPN and network settings.

This normally happens with the configuration file generated from the AWS console by going to "VPC > VPN Connections" and selecting "Download Configuration".

If the VPN gateway is using the longer format resource IDs, then PAN-OS will not accept some of the generated configuration lines.

An error similar to the following will be reported.

admin@PA-VM# edit network ike crypto-profiles ike-crypto-profiles ike-crypto-vpn-0901877fe35f95b23-0
ike-crypto-vpn-0901877fe35f95b23-0 should be less than or equal to 31 characters
Invalid syntax.

Diagnosis

The invalid syntax error occurs because the network profile name field in PAN-OS currently accepts a maximum of 31 characters, while the IKE crypto profile name in the generated configuration contains 34 characters when the longer instance IDs are used (for example ike-crypto-vpn-0901877fe35f95b23-0).

Starting June 2018, AWS will switch to using longer format resource IDs for all AWS resources, such as VPC IDs.



Resolution

To resolve this, manually edit the generated configuration file before copying and pasting it into the PAN-OS firewall. Replace every instance of the IKE crypto profile name as in the following example:
current value: ike-crypto-vpn-0901877fe35f95b23-0
new value: vpn-0901877fe35f95b23-0

Removing the "ike-crypto-" prefix from the name reduces it to 23 characters, which PAN-OS accepts.
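The rename described above can be applied to the whole downloaded file and checked against the 31-character limit before anything is pasted into the firewall. The script below is an added example, not part of this article or of the AWS generator; the sample configuration lines in it are constructed to resemble the generated PAN-OS CLI and are not the actual AWS output.

```python
import re

# PAN-OS limit for network profile names, as stated in this article.
MAX_NAME_LEN = 31

# AWS-generated IKE crypto profile names: strip the "ike-crypto-" prefix and
# keep the unique "vpn-<id>-<n>" part (the rename the article applies by hand).
IKE_CRYPTO_NAME = re.compile(r"\bike-crypto-(vpn-[0-9a-f]+-\d+)\b")

# Constructed sample; the first and last lines mirror the article's error case.
SAMPLE_CONFIG = """\
edit network ike crypto-profiles ike-crypto-profiles ike-crypto-vpn-0901877fe35f95b23-0
set dh-group group2
set hash sha1
set encryption aes-128-cbc
top
set network ike gateway ike-vpn-0901877fe35f95b23-0 protocol ikev1 ike-crypto-profile ike-crypto-vpn-0901877fe35f95b23-0
"""


def shorten_ike_crypto_names(config_text: str) -> str:
    """Rewrite every ike-crypto-vpn-<id>-<n> to vpn-<id>-<n>, in both the
    profile definition and every reference to it, so they stay consistent."""
    return IKE_CRYPTO_NAME.sub(r"\1", config_text)


def find_overlong_names(config_text: str, limit: int = MAX_NAME_LEN) -> list:
    """Return (line_no, token) for every AWS-style 'vpn-' object name longer
    than the PAN-OS limit, so the file can be checked before it is pasted."""
    overlong = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for token in line.split():
            if "vpn-" in token and len(token) > limit:
                overlong.append((line_no, token))
    return overlong


if __name__ == "__main__":
    before = find_overlong_names(SAMPLE_CONFIG)
    fixed = shorten_ike_crypto_names(SAMPLE_CONFIG)
    after = find_overlong_names(fixed)
    print(f"overlong names before rewrite: {len(before)}, after: {len(after)}")
    print(fixed)
```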


As of 15-Jun-2018, AWS has updated the VPN configuration generator for PAN-OS to shorten the ike-crypto-profiles value, automatically creating a shorter unique name of the format vpn-0901877fe35f95b23-0.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CliRCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail