Ques - I have configured Palo Alto Firewall IPsec VPN connectivity, either between the same vendor or between different vendors, but I am running into scenarios like:
1. Phase 1 is up but Phase 2 is down.
2. Phase 1 and Phase 2 are both down.
3. Both phases are up, but data is still not flowing through the VPN tunnel.
4. When I use a certificate for authentication, I am not able to establish the IPsec VPN at all.
Ans. - First, I will ask a couple of probing questions, such as:
1. Is this an old configuration or a new one?
2. Have you made any changes on the firewall recently?
3. Since when has the issue been occurring?
4. Have any changes been made in the environment that resulted in an IP address change?
5. Is it impacting production?
6. Is a single user or are multiple users affected by the issue?
Then, I will first check the System logs under Monitor >> Logs >> System on the Palo Alto firewall.
I will look for an error related to the IPsec VPN; the possible errors include:
1. IKE phase-1 negotiation is failed as initiator, main mode.
2. Received unencrypted notify payload (no proposal chosen).
3. IKE phase-2 negotiation failed when processing SA payload. No suitable proposal found in peer's SA payload.
4. IKE phase-2 negotiation failed when processing Proxy ID.
5. Commit error: Tunnel interface tunnel.x multiple binding limitation (xx) reached.
Based on the error in the System logs, I then move forward in the right direction:
1. IKE phase-1 negotiation is failed as initiator, main mode - In this case, I will check the IKE Crypto configuration on both peers, which includes DH Group, Authentication, Encryption and Key Lifetime. At the same time I will verify the routes (C2S & S2C) through both the GUI and the CLI, i.e. test routing fib-lookup virtual-router default ip <destination IP>
2. Received unencrypted notify payload (no proposal chosen) - In this case, I will check the proposal parameters (as named in the error) on both the initiator and the responder side and make sure all the parameters match for the C2S & S2C flows.
3. IKE phase-2 negotiation failed when processing SA payload. No suitable proposal found in peer's SA payload - In this case, I will check the IPsec Crypto configuration on both peers, which includes Encryption, Authentication, DH Group, Lifetime and Lifesize, and make sure all the parameters match on both peers.
If the Lifetime differs between the two peers, the firewall will use the lower value.
4. IKE phase-2 negotiation failed when processing Proxy ID - In this case, I will check the Proxy ID configuration on both peers. If one VPN peer is configured with an IP address and a /32 netmask while the remote VPN peer is configured with the same IP address but a different netmask of /16, the VPN tunnel will fail to establish.
In this case I will ask the user to change the IPs or change the subnets.
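The triage above, as an added example that is not part of the original post: a small Python script that scans constructed System-log lines for the five error messages quoted in the post and maps each to the check that follows from it, then performs the peer-to-peer comparisons the post describes (IKE/IPsec crypto profile parameters, the lower-lifetime rule, and an exact proxy-ID match including prefix length). The log-line prefix, profile values and subnets are constructed for illustration and do not reproduce the exact PAN-OS log layout.

```python
import ipaddress
import re

# Constructed sample System-log lines: the message text is the error text
# quoted in the post; the timestamp prefix is illustrative, not the exact
# PAN-OS System-log layout.
SAMPLE_LOGS = [
    "2024/01/01 10:00:01 IKE phase-1 negotiation is failed as initiator, main mode.",
    "2024/01/01 10:00:05 Received unencrypted notify payload (no proposal chosen).",
    "2024/01/01 10:00:09 IKE phase-2 negotiation failed when processing SA payload. "
    "No suitable proposal found in peer's SA payload.",
    "2024/01/01 10:00:12 IKE phase-2 negotiation failed when processing Proxy ID.",
    "2024/01/01 10:00:15 Commit error: Tunnel interface tunnel.1 multiple binding "
    "limitation (10) reached.",
    "2024/01/01 10:00:20 admin logged in via Web from 10.0.0.5",  # unrelated line
]

# Error fragments from the post, each mapped to what to check next.
ERROR_CHECKS = [
    (re.compile(r"IKE phase-1 negotiation is failed"), "ike-crypto"),
    (re.compile(r"no proposal chosen", re.IGNORECASE), "proposal-mismatch"),
    (re.compile(r"phase-2 negotiation failed when processing SA payload"), "ipsec-crypto"),
    (re.compile(r"phase-2 negotiation failed when processing Proxy ID"), "proxy-id"),
    (re.compile(r"multiple binding limitation"), "tunnel-binding"),
]


def classify_logs(lines):
    """Return [(check, line)] for every line matching a known VPN error.

    Lines matching no pattern are skipped; the first matching pattern wins.
    """
    hits = []
    for line in lines:
        for pattern, check in ERROR_CHECKS:
            if pattern.search(line):
                hits.append((check, line))
                break
    return hits


# Hypothetical crypto profiles for the two peers (constructed values).
IKE_KEYS = ("dh_group", "authentication", "encryption", "lifetime_seconds")
IPSEC_KEYS = ("encryption", "authentication", "dh_group", "lifetime_seconds", "lifesize_kb")

LOCAL_IKE = {"dh_group": "group14", "authentication": "sha256",
             "encryption": "aes-256-cbc", "lifetime_seconds": 28800}
REMOTE_IKE = {"dh_group": "group2", "authentication": "sha256",
              "encryption": "aes-256-cbc", "lifetime_seconds": 28800}

LOCAL_IPSEC = {"encryption": "aes-256-gcm", "authentication": "none", "dh_group": "group14",
               "lifetime_seconds": 3600, "lifesize_kb": None}
REMOTE_IPSEC = {"encryption": "aes-256-gcm", "authentication": "none", "dh_group": "group14",
                "lifetime_seconds": 28800, "lifesize_kb": None}


def compare_profiles(local, remote, keys):
    """Return the profile parameters that differ between the two peers."""
    return [k for k in keys if local.get(k) != remote.get(k)]


def effective_lifetime(local_seconds, remote_seconds):
    """Peers with different lifetimes settle on the lower value (as the post states)."""
    return min(local_seconds, remote_seconds)


def proxy_id_mismatch(local_proxy, remote_proxy):
    """Check that the remote peer's proxy ID mirrors the local one exactly.

    Each proxy ID is (local_subnet, remote_subnet) as seen by that peer.
    Networks are compared including prefix length, so 10.1.1.10/32 on one
    side does not match 10.1.0.0/16 on the other even though one contains
    the other.
    """
    local_l, local_r = (ipaddress.ip_network(n, strict=False) for n in local_proxy)
    remote_l, remote_r = (ipaddress.ip_network(n, strict=False) for n in remote_proxy)
    problems = []
    if local_l != remote_r:
        problems.append(f"local {local_l} vs peer remote {remote_r}")
    if local_r != remote_l:
        problems.append(f"local remote {local_r} vs peer local {remote_l}")
    return problems


if __name__ == "__main__":
    for check, line in classify_logs(SAMPLE_LOGS):
        print(f"{check:18} <- {line}")
    print("IKE mismatches:", compare_profiles(LOCAL_IKE, REMOTE_IKE, IKE_KEYS))
    print("IPsec mismatches:", compare_profiles(LOCAL_IPSEC, REMOTE_IPSEC, IPSEC_KEYS))
    print("Negotiated IPsec lifetime:", effective_lifetime(
        LOCAL_IPSEC["lifetime_seconds"], REMOTE_IPSEC["lifetime_seconds"]))
    print("Proxy ID problems:", proxy_id_mismatch(
        ("10.1.1.10/32", "192.168.1.0/24"), ("192.168.1.0/24", "10.1.1.0/16")))
```

In practice the profile dicts would be filled from each peer's running configuration (the Palo Alto side from its IKE and IPsec Crypto profiles, the other vendor's side from its equivalent); the comparison logic is the same regardless of vendor, which is why a proxy-ID mismatch on prefix length shows up as a phase-2 failure even when the addresses themselves overlap.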