IPSec VPN Error: IKE Phase-2 Negotiation is Failed as Initiator, Quick Mode


320250
Created On 09/25/18 19:43 PM - Last Modified 06/27/24 00:54 AM


Symptom


Phase 1 succeeds, but Phase 2 (Quick Mode) negotiation fails.

Environment


A site-to-site IPSec VPN between a Palo Alto Networks firewall and a firewall from a different vendor.



Following the ikemgr.log with the CLI command:
> tail follow yes mp-log ikemgr.log


shows the following errors. The first is the INVALID-ID-INFORMATION notification sent by the peer; it also appears in the System log, where the filter
( description contains 'IKE protocol notification message received: INVALID-ID-INFORMATION (18).' )
selects it. The second is the resulting timeout on the Palo Alto Networks firewall, which is the initiator here:
IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: 216.204.241.93[500]-216.203.80.108[500] message id:0x43D098BB. Due to negotiation timeout
 


Cause


INVALID-ID-INFORMATION (ISAKMP notify type 18) is the responder's way of saying that the identities (Proxy IDs) offered in the Quick Mode proposal do not match any policy it has configured; the initiator keeps retrying until the negotiation times out, which produces the second message. The most common phase-2 failure is therefore a Proxy ID mismatch.

Resolution


To resolve a Proxy ID mismatch, please try the following:

  1. Check the Proxy ID settings on the Palo Alto Networks firewall and on the firewall on the other side. The two sides must mirror each other exactly: the local network, protocol and port configured on the Palo Alto Networks firewall must be the remote (destination) network, protocol and port on the peer, and vice versa.
    Note: Proxy IDs on other firewall vendors may be referred to as the Access List, Access Control List (ACL), crypto ACL or traffic selector.
  2. Also check the IPSec crypto profile (ESP or AH, encryption and authentication algorithms, and the DH group if PFS is enabled) to ensure that the proposals match on both sides.
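Both checks above come down to confirming that every Proxy ID on the Palo Alto Networks firewall is the exact mirror of one entry on the peer. The following is an added example, not code from this article or from Palo Alto Networks: it reads a tunnel's proxy-id entries, given in the shape of PAN-OS set-format configuration output, and a peer crypto ACL written in Cisco-style wildcard-mask syntax, mirrors the ACL (ACL source becomes our remote, ACL destination becomes our local), and reports every entry that is not an exact match, including the common case where the peer's entry is merely broader than the Proxy ID. The tunnel name vpn-to-branch, the proxy-id names pid1 and pid2, the address ranges and ACL number are constructed sample data, and the set-format line shape is an assumption.

```python
"""Added example: check whether PAN-OS proxy-ids mirror a peer's crypto ACL.

Not code from the Palo Alto Networks article; all sample input is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Selector:
    """One traffic-selector pair, always written from the Palo Alto side."""
    local: IPv4Network
    remote: IPv4Network
    protocol: str  # "any", "tcp", "udp", or an IP protocol number as a string


# Constructed sample: proxy-id entries of one tunnel in the (assumed) shape of
# PAN-OS set-format output. Names and addresses are made up for illustration.
PANOS_PROXY_IDS = """
set network tunnel ipsec vpn-to-branch auto-key proxy-id pid1 local 10.1.1.0/24
set network tunnel ipsec vpn-to-branch auto-key proxy-id pid1 remote 192.168.1.0/24
set network tunnel ipsec vpn-to-branch auto-key proxy-id pid1 protocol any
set network tunnel ipsec vpn-to-branch auto-key proxy-id pid2 local 10.1.2.0/24
set network tunnel ipsec vpn-to-branch auto-key proxy-id pid2 remote 192.168.1.0/24
set network tunnel ipsec vpn-to-branch auto-key proxy-id pid2 protocol any
"""

# Constructed sample: the peer's crypto ACL in Cisco-style wildcard-mask syntax.
# The second entry is deliberately broader than pid2 (a /16 instead of a /24).
PEER_CRYPTO_ACL = """
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
"""

PROXY_RE = re.compile(r"proxy-id\s+(\S+)\s+(local|remote|protocol)\s+(\S+)")


def parse_panos_proxy_ids(text: str) -> Dict[str, Selector]:
    """Collect local/remote/protocol per proxy-id name; protocol defaults to any."""
    fields: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        for name, key, value in PROXY_RE.findall(line):
            fields.setdefault(name, {})[key] = value
    return {
        name: Selector(IPv4Network(f["local"], strict=False),
                       IPv4Network(f["remote"], strict=False),
                       f.get("protocol", "any").lower())
        for name, f in fields.items()
    }


def _take_address(tokens: List[str]) -> Tuple[IPv4Network, List[str]]:
    """Consume one ACL address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    # Invert the wildcard mask explicitly: handing it straight to IPv4Network
    # would misread 0.0.0.0 and 255.255.255.255, which are also valid netmasks.
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return IPv4Network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_cisco_crypto_acl(text: str) -> List[Selector]:
    """Mirror each permit ACE: ACL source = our remote, ACL destination = our local."""
    selectors = []
    for line in text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        i = tokens.index("permit")
        proto = tokens[i + 1].lower()
        src, rest = _take_address(tokens[i + 2:])
        dst, _ports = _take_address(rest)  # eq/range port qualifiers are not compared
        selectors.append(Selector(local=dst, remote=src,
                                  protocol="any" if proto == "ip" else proto))
    return selectors


def compare_selectors(panos: Dict[str, Selector], peer: List[Selector]) -> List[str]:
    """Return one finding per entry that is not an exact mirror of the other side."""
    findings = []
    peer_set = set(peer)
    for name, sel in panos.items():
        if sel in peer_set:
            continue
        wider = [p for p in peer
                 if p.protocol in ("any", sel.protocol)
                 and sel.local.subnet_of(p.local) and sel.remote.subnet_of(p.remote)]
        if wider:
            findings.append(f"{name}: {sel.local} <-> {sel.remote} is only covered by the "
                            f"broader peer entry {wider[0].local} <-> {wider[0].remote}; "
                            "identities must match exactly")
        else:
            findings.append(f"{name}: no peer entry mirrors local {sel.local} "
                            f"remote {sel.remote} protocol {sel.protocol}")
    ours = set(panos.values())
    for p in peer:
        if p not in ours:
            findings.append(f"peer entry src {p.remote} dst {p.local} has no matching proxy-id")
    return findings


if __name__ == "__main__":
    for finding in compare_selectors(parse_panos_proxy_ids(PANOS_PROXY_IDS),
                                     parse_cisco_crypto_acl(PEER_CRYPTO_ACL)):
        print(finding)
```

Running the block prints two findings: pid2 is covered only by the broader 10.1.0.0/16 entry, and that entry has no exact counterpart on the firewall. Each permit entry in the peer's crypto ACL needs its own proxy-id entry on the Palo Alto Networks firewall; one broader Proxy ID does not stand in for several narrower ACL entries. After correcting the configuration, confirm on the firewall with `show vpn ipsec-sa` that the Phase 2 SA is established.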
Additional Information


For additional insight, please take a look at the Support FAQ hosted by our LIVECommunity team.

For more information on IPSec, please see the IPSec and tunneling resource list.



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail