IPSEC tunnel between Cloudblade or Next Generation Firewall and Prisma Access Remote Network fails to come up with message "IKE proposal mismatch"

Created On 02/13/23 06:56 AM - Last Modified 07/29/24 22:01 PM


Symptom


  • IPSec tunnel between Prisma Access and Prisma SD-WAN or a Next Generation Firewall using the Cloudblade.
  • The IPSec tunnel does not come up.
  • The tunnel status displays "IKE proposal mismatch".
  • The configuration on both sides (Prisma SD-WAN or the Next Generation Firewall, and Prisma Access) is set to use matching ciphers.


Environment


  • Prisma Access
  • Cloudblade
  • Strata
  • IPSec Tunnel


Cause


  • Multiple IKEv2 tunnels are using cipher types different from the one the Cloudblade is using.
  • Prisma Access does not allow different IkeCrypto and IpsecCrypto profile types for tunnels terminating on the same SPN (Security Processing Node).


Resolution


  • Keep all tunnels terminating on the same SPN on the same cipher suite as the one the Cloudblade pushes, so the IKE and IPSec crypto profiles match across every tunnel on that SPN.
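As an added illustration (not part of the article and not Palo Alto Networks code), the check below groups remote-network tunnels by SPN and flags any tunnel whose IKE or IPSec crypto profile differs from the Cloudblade-pushed one on that SPN, which is the condition the Cause section describes. The tunnel inventory, SPN names and profile names are constructed placeholders; a real inventory would come from your own configuration export.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RemoteNetworkTunnel:
    name: str          # remote network / tunnel name
    spn: str           # Security Processing Node the tunnel terminates on
    ike_crypto: str    # IKE crypto profile name
    ipsec_crypto: str  # IPSec crypto profile name
    source: str        # "cloudblade" if pushed by the Cloudblade, else "manual"


def find_spn_cipher_conflicts(tunnels):
    """Return {spn: [(tunnel, field, found, expected), ...]} for every SPN
    where a tunnel's IKE or IPSec crypto profile differs from the profile
    the Cloudblade pushed to that SPN. SPNs without a Cloudblade tunnel
    have no reference profile and are skipped."""
    by_spn = defaultdict(list)
    for t in tunnels:
        by_spn[t.spn].append(t)
    conflicts = {}
    for spn, members in by_spn.items():
        pushed = [t for t in members if t.source == "cloudblade"]
        if not pushed:
            continue
        ref = pushed[0]  # Cloudblade-pushed profiles are the reference
        issues = []
        for t in members:
            if t.ike_crypto != ref.ike_crypto:
                issues.append((t.name, "ike_crypto", t.ike_crypto, ref.ike_crypto))
            if t.ipsec_crypto != ref.ipsec_crypto:
                issues.append((t.name, "ipsec_crypto", t.ipsec_crypto, ref.ipsec_crypto))
        if issues:
            conflicts[spn] = issues
    return conflicts


# Constructed sample inventory: one manually built tunnel on spn-us-west-1
# uses a different cipher suite than the Cloudblade-pushed tunnels there.
SAMPLE_TUNNELS = [
    RemoteNetworkTunnel("branch-01", "spn-us-west-1", "CB-IKE", "CB-IPSec", "cloudblade"),
    RemoteNetworkTunnel("branch-02", "spn-us-west-1", "CB-IKE", "CB-IPSec", "cloudblade"),
    RemoteNetworkTunnel("dc-fw-01", "spn-us-west-1", "SuiteB-IKE", "SuiteB-IPSec", "manual"),
    RemoteNetworkTunnel("branch-03", "spn-us-east-1", "CB-IKE", "CB-IPSec", "cloudblade"),
]

if __name__ == "__main__":
    for spn, issues in find_spn_cipher_conflicts(SAMPLE_TUNNELS).items():
        for name, field, found, expected in issues:
            print(f"{spn}: {name} {field}={found!r}, Cloudblade uses {expected!r}")
```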


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kGuhCAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail