Unable to onboard VPN tunnels to Prisma Access via CloudBlades: the VPN tunnel is in a local_auth_failure state
Created On 07/28/23 17:15 PM - Last Modified 05/22/24 19:56 PM
Symptom
- When onboarding to Prisma Access via CloudBlades, the VPN tunnels do not come up
- The VPN tunnel state is local_auth_failure
Environment
- Prisma Access CloudBlades version 3.1.6 and version 4.0.0
- Prisma SD-WAN
Cause
The VPN tunnel is in a local auth error state when there is a mismatch in the IKE or IPsec profiles.
Resolution
- Untag the site: remove the prisma_access tag from the site. There is no need to remove any interface tags.
- Let the CB clean up the SLs and any PA-side objects (check Panorama to verify). Wait about 20 minutes here.
- To ensure there is no collision with any previous issue, use a new prisma_name:<name> tag on this site.
- Add the prisma_access tag again. If it is a non-ECMP site, make sure to delete ECMP AUTO DETECT inside the tag.