Thursday, May 2, 2019

ASA - Palo VPN keeps dropping after 8 hours

New S2S route-based VPN between an ASA and a Palo Alto FW keeps dropping after 8 hours. Clearing the IPsec peer on the ASA does no good; I have to disable the IKE gateway on the Palo to get things working again.

ASA debug shows this:

"IKEv2 Negotiation aborted due to ERROR: Detected an error notify payload"

Palo debug shows the below:

"2019-05-02 19:48:16.991 +0100 [DEBG]: { 13: }: received notify type INVALID_KE_PAYLOAD
2019-05-02 19:48:16.991 +0100 [DEBG]: { 13: }: ikev2_process_child_notify(0x103ff660, 0xfff085e5b0), notify type INVALID_KE_PAYLOAD
2019-05-02 19:48:16.991 +0100 [PWRN]: { 13: }: 17 is not a child notify type"

Obviously something's not right, but I'm not sure where to start! Anyone able to advise? This is the first route-based VPN off this particular ASA, but the same VPN config on another ASA to my Palo Alto has been stable for days.

EDIT: The full Cisco config I applied is below.

----------
proposal
----------
crypto ipsec ikev2 ipsec-proposal DEFAULT-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-384 sha-256 sha-1

----------
profile
----------
crypto ipsec profile DEFAULT-PROFILE
 set ikev2 ipsec-proposal DEFAULT-PROPOSAL
exit

------------
tunnel int
------------
interface Tunnel1
 no shutdown
 nameif TUNNEL
 ip address 169.254.44.1 255.255.255.248 standby 169.254.44.6
 tunnel destination x.x.x.x
 tunnel source interface outside
 tunnel protection ipsec profile DEFAULT-PROFILE
 tunnel mode ipsec ipv4

--------------
group policy
--------------
group-policy IKEV2-GROUP-POLICY internal
group-policy IKEV2-GROUP-POLICY attributes
 vpn-tunnel-protocol ikev2

--------------
tunnel group
--------------
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy IKEV2-GROUP-POLICY
tunnel-group x.x.x.x ipsec-attributes
 peer-id-validate nocheck
 ikev2 local-authentication pre-shared-key x.x.x.x
 ikev2 remote-authentication pre-shared-key x.x.x.x
 isakmp keepalive threshold 10 retry 2

--------------
ikev2 policy
--------------
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha
 lifetime seconds 28800
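A small diagnostic script, added here as an example and not part of the original post or of either vendor's tooling: it parses the three Palo Alto debug lines quoted above, decodes notify type 17 against the RFC 7296 table, and checks whether the 8-hour drop interval coincides with the 28800-second lifetime in the ASA `crypto ikev2 policy` block. All function and variable names are my own; the sample input is copied from the post and the observed interval (8 hours) is the one the post reports.

```python
"""Diagnostic helper added as an example for this post (not the author's own
code): decode the IKEv2 notify seen in the Palo Alto debug lines and check
whether the reported drop interval lines up with the lifetime in the ASA
'crypto ikev2 policy' block."""
import re

# IKEv2 error notify message types from RFC 7296, section 3.10.1 (subset).
IKEV2_NOTIFY_TYPES = {
    7: "INVALID_SYNTAX",
    14: "NO_PROPOSAL_CHOSEN",
    17: "INVALID_KE_PAYLOAD",
    24: "AUTHENTICATION_FAILED",
    38: "TS_UNACCEPTABLE",
    43: "TEMPORARY_FAILURE",
    44: "CHILD_SA_NOT_FOUND",
}

# Shape of the Palo Alto IKE debug lines quoted in the post.
PAN_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<tz>[+-]\d{4}) "
    r"\[(?P<level>\w+)\]: \{ (?P<sa>\d+): \}: (?P<msg>.*)$"
)
NOTIFY_BY_NAME = re.compile(r"notify type (?P<name>[A-Z_]+)")
NOTIFY_BY_NUMBER = re.compile(r"^(?P<num>\d+) is not a child notify type")


def notify_name(num):
    """Map an IKEv2 notify type number to its RFC 7296 name."""
    return IKEV2_NOTIFY_TYPES.get(num, "UNKNOWN(%d)" % num)


def parse_pan_debug(lines):
    """Parse Palo Alto IKE debug lines into dicts; lines of another shape are skipped."""
    events = []
    for line in lines:
        m = PAN_LINE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["sa"] = int(ev["sa"])
        ev["notify_name"] = None
        ev["notify_num"] = None
        by_name = NOTIFY_BY_NAME.search(ev["msg"])
        if by_name:
            ev["notify_name"] = by_name.group("name")
        by_num = NOTIFY_BY_NUMBER.match(ev["msg"])
        if by_num:  # the PWRN line only carries the numeric type, so decode it
            ev["notify_num"] = int(by_num.group("num"))
            ev["notify_name"] = notify_name(ev["notify_num"])
        events.append(ev)
    return events


def parse_asa_ikev2_policy(text):
    """Turn an ASA 'crypto ikev2 policy' block into a dict of its settings."""
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("crypto ikev2 policy"):
            continue
        key, _, value = line.partition(" ")
        policy[key] = value
    if "lifetime" in policy:  # 'lifetime seconds 28800' -> 28800
        policy["lifetime_seconds"] = int(policy["lifetime"].split()[-1])
    return policy


def lifetime_matches_interval(lifetime_seconds, observed_hours, tolerance=0.05):
    """True when the observed drop interval is within tolerance of the SA lifetime."""
    observed_seconds = observed_hours * 3600.0
    return abs(observed_seconds - lifetime_seconds) <= tolerance * lifetime_seconds


def diagnose(pan_lines, asa_policy_text, observed_drop_hours):
    """Combine debug lines, ASA policy and the observed interval into one summary."""
    events = parse_pan_debug(pan_lines)
    policy = parse_asa_ikev2_policy(asa_policy_text)
    names = sorted({ev["notify_name"] for ev in events if ev["notify_name"]})
    result = {
        "notify_names": names,
        "lifetime_seconds": policy.get("lifetime_seconds"),
        "asa_dh_group": policy.get("group"),
        "lifetime_matches_drop": False,
        "hint": "no error notify found in the supplied debug lines",
    }
    if result["lifetime_seconds"] is not None:
        result["lifetime_matches_drop"] = lifetime_matches_interval(
            result["lifetime_seconds"], observed_drop_hours)
    if "INVALID_KE_PAYLOAD" in names:
        where = ("at the configured IKE SA lifetime (rekey)" if result["lifetime_matches_drop"]
                 else "outside the configured lifetime")
        result["hint"] = (
            "peer rejected the Diffie-Hellman group in the KE payload %s; compare the "
            "DH group on both ends (ASA policy group %s vs the Palo Alto IKE crypto "
            "profile and the IPSec crypto profile's PFS group)" % (where, result["asa_dh_group"]))
    return result


# Constructed sample input: the three Palo Alto debug lines and the ASA policy quoted above.
SAMPLE_PAN_DEBUG = [
    "2019-05-02 19:48:16.991 +0100 [DEBG]: { 13: }: received notify type INVALID_KE_PAYLOAD",
    "2019-05-02 19:48:16.991 +0100 [DEBG]: { 13: }: ikev2_process_child_notify(0x103ff660, "
    "0xfff085e5b0), notify type INVALID_KE_PAYLOAD",
    "2019-05-02 19:48:16.991 +0100 [PWRN]: { 13: }: 17 is not a child notify type",
]
SAMPLE_ASA_POLICY = """crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha
 lifetime seconds 28800"""

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_PAN_DEBUG, SAMPLE_ASA_POLICY, 8).items():
        print("%-22s %s" % (key + ":", value))
```

Run against the post's own data, the script reports that 28800 seconds is exactly the 8 hours after which the tunnel drops, i.e. the failure coincides with the IKE SA rekey, and that notify 17 is INVALID_KE_PAYLOAD, which RFC 7296 defines as the responder's rejection of the Diffie-Hellman group carried in the KE payload. That makes the DH group configured on each side (the ASA policy's `group 2` against the Palo Alto IKE and IPSec crypto profiles) the first thing to compare; the script only narrows the search and does not change any configuration.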
