IKE phase-2 negotiation failed when processing proxy ID with Cisco ASA Firewall

Created On 11/17/23 18:41 PM - Last Modified 09/27/24 03:29 AM


Symptom


  • IPSec tunnel configured between the NGFW and a Cisco ASA
  • Phase 1 and phase 2 of the IPSec tunnel are up
  • A local machine behind the PA firewall is unable to reach a server in the remote network behind the Cisco ASA
  • System logs show phase-2 negotiation failing because of a proxy ID mismatch. The following entry is seen in the system logs:
    2023/11/01 17:07:22 info vpn Foresi ike-neg 0 IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: x.y.z.146/32 type IPv4_address protocol 0 port 0, received remote id: m.n.a.16/28 type IPv4_subnet protocol 0 port 0.
    


Environment


  • NGFW
  • PAN-OS 9.1
  • IPSec tunnel between NGFW and Cisco ASA


Cause


  • The local IP and remote IP in the proxy IDs are not an exact match.
  • On the Palo Alto firewall, the local and remote proxy IDs were configured as IP addresses only (no netmask).
  • On the Cisco ASA firewall, the proxy IDs were configured as IP/netmask.
  • In this case, the Palo Alto firewall proxy ID was configured with x.y.z.146 and m.n.a.16, whereas on the Cisco ASA the proxy ID was configured with x.y.z.146/32 and m.n.a.16/28. A bare IP is treated as a single host (/32), so m.n.a.16 does not match the m.n.a.16/28 subnet the ASA proposes.
  • Refer: Proxy ID for IPSec VPN.


Resolution


  1. Configure matching proxy IDs on both the PA firewall and the Cisco ASA.
  2. On the PA firewall, configure the exactly matching proxy ID (including the netmask) under GUI: Network > IPSec Tunnels > select the tunnel > Proxy IDs.
  3. Commit.
  4. Configure the same proxy ID on the Cisco ASA.
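To triage this failure programmatically, the following added example (not from the article or from PAN-OS) parses the ike-neg system log line shown above, pulls out the local and remote proxy IDs the peer proposed, and compares them with the proxy ID configured on the PA side. The addresses are constructed RFC 5737 placeholders standing in for x.y.z.146 and m.n.a.16; the `ORIGINAL` and `FIXED` dictionaries are assumed representations of the before/after configuration.

```python
import ipaddress
import re

# Constructed sample, modelled on the log line in the article, with
# x.y.z / m.n.a replaced by RFC 5737 documentation addresses.
SAMPLE_LOG = (
    "2023/11/01 17:07:22 info vpn Foresi ike-neg 0 IKE phase-2 negotiation failed "
    "when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. "
    "received local id: 192.0.2.146/32 type IPv4_address protocol 0 port 0, "
    "received remote id: 198.51.100.16/28 type IPv4_subnet protocol 0 port 0."
)

ID_RE = re.compile(r"received (local|remote) id: (\S+) type \S+ protocol (\d+) port (\d+)")


def parse_received_ids(line):
    """Extract the proxy IDs the peer proposed: {'local': (net, proto, port), 'remote': ...}."""
    ids = {}
    for side, addr, proto, port in ID_RE.findall(line):
        ids[side] = (ipaddress.ip_network(addr, strict=False), int(proto), int(port))
    return ids


def check_proxy_id(configured, line):
    """Compare a configured proxy ID with the IDs in a phase-2 failure log line.

    A proxy ID entered without a netmask is a single host, which ip_network()
    renders as /32; that is exactly why a bare m.n.a.16 cannot match m.n.a.16/28.
    Returns a list of mismatch descriptions; an empty list means the IDs match.
    """
    received = parse_received_ids(line)
    problems = []
    for side in ("local", "remote"):
        want = (ipaddress.ip_network(configured[side], strict=False),
                configured.get("protocol", 0), configured.get("port", 0))
        got = received.get(side)
        if got is None:
            problems.append(f"{side}: no ID found in log line")
        elif want != got:
            problems.append(f"{side}: configured {want[0]} proto {want[1]} port {want[2]}, "
                            f"peer sent {got[0]} proto {got[1]} port {got[2]}")
    return problems


# Hypothetical PA-side proxy ID as entered in the article: bare IPs, no netmask.
ORIGINAL = {"local": "192.0.2.146", "remote": "198.51.100.16"}
# Corrected entry that exactly matches the ASA's IP/netmask definition.
FIXED = {"local": "192.0.2.146/32", "remote": "198.51.100.16/28"}

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        problems = check_proxy_id(cfg, SAMPLE_LOG)
        print(name, "->", "match" if not problems else "; ".join(problems))
```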

