Palo Alto Networks Knowledgebase: IPSec Error: IKE Phase-1 Negotiation is Failed as Initiator, Main Mode. Due to Negotiation Timeout

IPSec Error: IKE Phase-1 Negotiation is Failed as Initiator, Main Mode. Due to Negotiation Timeout

7261
Created On 09/25/18 17:36 PM - Last Updated 09/25/18 23:10 PM
VPNs
Resolution

Issue

Phase 1 Negotiation between IPSec Peer and PAN is being identified as "LAND attack". Receiving the following error entry in the Ikemgr.log:

IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: 216.204.241.93[500]-216.203.80.108[500] message id:0x43D098BB. Due to negotiation timeout.

 

Details

If the Proxy IDs have been checked for mismatch, try the following:

  1. Configure a filter source peer WAN IP to destination Palo Alto Networks WAN IP
    > debug dataplane packet-diag set filter match source x.x.x.x destination y.y.y.y

  2. Turn on the filter.
    > debug dataplane packet-diag set filter on

  3. Initiate a ping in the reverse path. On a remote machine behind the VPN Peer, ping across the VPN tunnel to a host behind the PAN Firewall.
    From a host on the remote peer network try to ping a host on the local network behind the PAN Firewall (w.w.w.w)
    c:\> ping w.w.w.w

    This should cause the tunnel to be created, and initiate a new Phase1 IPSec negotiation.

  4. Run the following command a couple of times:
    > show counter global filter delta yes packet-filter yes

 

Look for drops in the output. For example:

Global counters:

Elapsed time since last sampling: 1.481 seconds

name                      value  rate  severity  category  aspect    description

-----------------------------------------------------------------------------------------

session_allocated         1      0     info      session   resource  Sessions allocated

session_freed             1      0     info      session   resource  Sessions freed

flow_policy_nat_land      1      0     drop      flow      session   Session setup: source NAT IP allocation result in LAND attack

nat_dynamic_port_xlat     1      0     info      nat       resource  The total number of dynamic_ip_port NAT translate called

nat_dynamic_port_release  1      0     info      nat       resource  The total number of dynamic_ip_port NAT release called

-----------------------------------------------------------------------------------------

Total counters shown: 5

-----------------------------------------------------------------------------------------

 

Resolution

In this case, the 'flow_policy_nat_land' global counter is showing a 'drop', indicating a configuration issue causing the traffic to be dropped, causing this "timeout" error.


In the order to resolve the LAND attack, see: Misconfigured Source NAT and LAND attacks

 

owner: vvasilasco



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGbCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language