Issue
Phase 1 negotiation between an IPSec peer and the Palo Alto Networks firewall is being dropped as a "LAND attack". The following error entry appears in ikemgr.log:
IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: 216.204.241.93[500]-216.203.80.108[500] message id:0x43D098BB. Due to negotiation timeout.
Details
If the Proxy IDs have already been checked for a mismatch, try the following:
- Configure a packet filter with the peer's WAN IP (x.x.x.x) as the source and the Palo Alto Networks firewall's WAN IP (y.y.y.y) as the destination:
> debug dataplane packet-diag set filter match source x.x.x.x destination y.y.y.y
- Turn on the filter.
> debug dataplane packet-diag set filter on
- Initiate a ping in the reverse direction. From a host on the remote peer's network, ping a host (w.w.w.w) on the local network behind the Palo Alto Networks firewall:
c:\> ping w.w.w.w
This should bring the tunnel up and trigger a new Phase 1 (IKE) negotiation.
- Run the following command a couple of times:
> show counter global filter delta yes packet-filter yes
Look for counters with severity 'drop' in the output. With packet-filter yes, only packets matching the filter are counted, and delta yes shows the change since the previous sample. For example:
Global counters:
Elapsed time since last sampling: 1.481 seconds

name                       value   rate  severity  category  aspect    description
-----------------------------------------------------------------------------------------
session_allocated              1      0  info      session   resource  Sessions allocated
session_freed                  1      0  info      session   resource  Sessions freed
flow_policy_nat_land           1      0  drop      flow      session   Session setup: source NAT IP allocation result in LAND attack
nat_dynamic_port_xlat          1      0  info      nat       resource  The total number of dynamic_ip_port NAT translate called
nat_dynamic_port_release       1      0  info      nat       resource  The total number of dynamic_ip_port NAT release called
-----------------------------------------------------------------------------------------
Total counters shown: 5
-----------------------------------------------------------------------------------------
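Reading a 'drop' out of a wall of counters by eye is error-prone when the filter matches a lot of traffic. The script below is an added example, not part of this article: it parses the text of "show counter global filter delta yes packet-filter yes" (a constructed sample modelled on the excerpt above), returns every counter the dataplane reports with severity 'drop' and a non-zero delta, and explains the 'flow_policy_nat_land' case. The counter names, column layout and the LAND interpretation come from the article; the sample text itself is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of the firewall's counter output, modelled on the
# article's excerpt (not a live capture).
SAMPLE_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 1.481 seconds

name                       value   rate  severity  category  aspect    description
-----------------------------------------------------------------------------------------
session_allocated              1      0  info      session   resource  Sessions allocated
session_freed                  1      0  info      session   resource  Sessions freed
flow_policy_nat_land           1      0  drop      flow      session   Session setup: source NAT IP allocation result in LAND attack
nat_dynamic_port_xlat          1      0  info      nat       resource  The total number of dynamic_ip_port NAT translate called
nat_dynamic_port_release       1      0  info      nat       resource  The total number of dynamic_ip_port NAT release called
-----------------------------------------------------------------------------------------
Total counters shown: 5
-----------------------------------------------------------------------------------------
"""


@dataclass
class Counter:
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str


# One counter row: lowercase counter name, integer value, integer rate,
# severity, category, aspect, then a free-text description. Header, banner
# and "Total counters shown" lines start with an uppercase word or do not
# carry two integers, so they never match.
ROW_RE = re.compile(
    r"^(?P<name>[a-z0-9_]+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>\w+)\s+(?P<category>\w+)\s+(?P<aspect>\w+)\s+"
    r"(?P<description>.+?)\s*$"
)


def parse_counters(text):
    """Turn the CLI output into a list of Counter records."""
    counters = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            counters.append(Counter(
                m["name"], int(m["value"]), int(m["rate"]),
                m["severity"], m["category"], m["aspect"], m["description"],
            ))
    return counters


def drop_counters(counters):
    """Counters with severity 'drop' that actually incremented since the last sample."""
    return [c for c in counters if c.severity == "drop" and c.value > 0]


def diagnose(text):
    """Return (counter name, explanation) for each drop worth acting on."""
    findings = []
    for c in drop_counters(parse_counters(text)):
        if c.name == "flow_policy_nat_land":
            findings.append((c.name,
                "Source NAT translated the packet's source to its own destination "
                "address (src == dst), which the firewall treats as a LAND attack; "
                "review the source NAT rule matching this traffic."))
        else:
            findings.append((c.name, c.description))
    return findings


if __name__ == "__main__":
    for name, why in diagnose(SAMPLE_OUTPUT):
        print(f"{name}: {why}")
```

Paste the output of a real sampling in place of SAMPLE_OUTPUT, or pipe it in. Once the counters have been collected, turn the packet filter off again with debug dataplane packet-diag set filter off so it does not stay active on the dataplane.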
Resolution
In this case, the 'flow_policy_nat_land' global counter has severity 'drop' and is incrementing, so the dataplane is discarding the peer's IKE packets at session setup: a source NAT rule matches this traffic and translates the packet's source address to the same address as its destination (typically the firewall's own WAN interface address), and a packet whose source equals its destination is treated as a LAND attack. Because the dropped packets never reach ikemgr, the negotiation fails with the "negotiation timeout" error shown above.
To resolve the LAND attack, see: Misconfigured Source NAT and LAND attacks
owner: vvasilasco