Palo Alto Networks Knowledgebase: IPSec VPN Error: IKE Phase-2 Negotiation is Failed as Initiator, Quick Mode

IPSec VPN Error: IKE Phase-2 Negotiation is Failed as Initiator, Quick Mode

16340
Created On 09/25/18 19:43 PM - Last Updated 09/25/18 23:09 PM
VPNs
Resolution

Issue

A site-to-site IPSec VPN  between a Palo Alto Networks firewall and a firewall from a different vendor is configured.

Phase 1 succeeds, but Phase 2 negotiation fails.

 

A look at the ikemgr.log with the CLI command:

> tail follow yes mp-log ikemgr.log

 

shows the following errors:

( description contains 'IKE protocol notification message received: INVALID-ID-INFORMATION (18).' )

and

IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: 216.204.241.93[500]-216.203.80.108[500] message id:0x43D098BB. Due to negotiation timeout

 

 

Cause

The most common phase-2 failure is due to Proxy ID mismatch.

 

Resolution

To resolve Proxy ID mismatch, please try the following:

  1. Check the Proxy ID settings on the Palo Alto Networks firewall and the firewall on the other side.
    Note: Proxy ID for other firewall vendors may be referred to as the Access List or Access Control List (ACL).
  2. Also, check the IPSec crypto to ensure that the proposals match on both sides.

 

See Also

For more info on IPSec, please see the:

IPSec and tunneling - resource list

 

owner: vvasilasco



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language