
PCNSE Question #177: Real Exam Question with Answer & Explanation

Correct answer: D. Update the IPSec Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2.

Submitted by rohit_dlh · Apr 18, 2026 · Configuration Troubleshooting

Question

After migrating from an ASA firewall to a Palo Alto Networks firewall, the VPN connection between a remote network and the Palo Alto Networks firewall is not establishing correctly. The following entry appears in the logs: "Pfs group mismatched: my:0 peer:2". Which setting should be changed on the Palo Alto Networks firewall to resolve this error message?

Options

  • A. Update the IPSec Crypto profile for the Vendor IPSec Tunnel from group2 to no-pfs.
  • B. Update the IKE Crypto profile for the Vendor IKE gateway from no-pfs to group2.
  • C. Update the IKE Crypto profile for the Vendor IKE gateway from group2 to no-pfs.
  • D. Update the IPSec Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2.

Explanation

The "Pfs group mismatched" message is written by the IKE daemon during the Phase 2 (IPSec SA) negotiation. "my:0" is the group the Palo Alto Networks firewall itself offers for Perfect Forward Secrecy, where 0 means no PFS; "peer:2" is the Diffie-Hellman group the remote side (the former ASA configuration, typically "set pfs group2" on its crypto map) insists on. Because PFS is a Phase 2 setting, the fix lives in the IPSec Crypto profile that the tunnel references, not in the IKE gateway or its IKE Crypto profile: change the profile's DH Group from no-pfs to group2 and commit, after which the Phase 2 proposals match and the SA comes up. Note that the same group must be selected on both ends; PFS is either negotiated with an identical group or the Phase 2 exchange fails. Operationally, group2 (1024-bit MODP) is only the minimum that satisfies this peer; once the tunnel is stable, both sides should be moved to group14 or an ECDH group (group19/group20), which PAN-OS also offers in the IPSec Crypto profile.
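The mismatch and its fix, expressed as PAN-OS CLI commands. This is an added example and not part of the exam page or Palo Alto Networks documentation; the object names "Vendor-IPSec-Crypto" and "Vendor-IPSec-Tunnel" are assumptions standing in for the question's "Vendor IPSec Tunnel", and the ASA line at the end is shown only to explain where "peer:2" comes from.

```text
# Added example (assumed object names). PAN-OS CLI, configuration mode.

# Weak/mismatching setting: the Phase 2 profile offers no PFS, which the
# firewall reports as "my:0" when the peer proposes group 2.
set network ike crypto-profiles ipsec-crypto-profiles Vendor-IPSec-Crypto dh-group no-pfs

# Fix (answer D): offer the same PFS group the peer proposes.
set network ike crypto-profiles ipsec-crypto-profiles Vendor-IPSec-Crypto dh-group group2

# Confirm the tunnel actually references this profile. The IKE gateway's
# IKE Crypto profile (Phase 1) has its own DH group but no PFS setting.
set network tunnel ipsec Vendor-IPSec-Tunnel auto-key ipsec-crypto-profile Vendor-IPSec-Crypto
commit

# Verify from operational mode: force a Phase 2 negotiation, inspect the SA,
# and confirm the "Pfs group mismatched" line no longer appears in ikemgr.log.
exit
test vpn ipsec-sa tunnel Vendor-IPSec-Tunnel
show vpn ipsec-sa tunnel Vendor-IPSec-Tunnel
less mp-log ikemgr.log

# For reference, the ASA-side line (IKEv1 crypto map) that produces "peer:2":
#   crypto map OUTSIDE_MAP 10 set pfs group2
```

The same change is made in the web UI under Network > Network Profiles > IPSec Crypto by setting DH Group on the profile used by the tunnel. After the tunnel is up, change dh-group on the firewall and the pfs group on the peer together to group14 or higher, since group2 is a 1024-bit modulus.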

Common mistakes.

  • A. Changing the IPSec Crypto profile to no-pfs (group 0) when the peer expects Group 2 would perpetuate the mismatch and not resolve the issue.
  • B. PFS (Perfect Forward Secrecy) group settings are configured in the IPSec Crypto profile, not the IKE Crypto profile. The IKE Crypto profile holds the Phase 1 (IKE SA) parameters: the DH group used for the IKE key exchange, the encryption and authentication algorithms, and the key lifetime. It has no no-pfs option, so the change described in this option does not exist.
  • C. Changing the IKE Crypto profile from group2 to no pfs is incorrect because PFS is an IPSec (Phase 2) setting, not an IKE (Phase 1) setting, and it would also incorrectly suggest removing PFS when the peer expects it.

Concept tested. IPsec VPN PFS mismatch troubleshooting

Reference. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/vpns/set-up-an-ipsec-vpn-tunnel/configure-ipsec-vpn-tunnel.html

Topics

#VPN #IPSec #PFS #Troubleshooting
