IPSec VPN Error: IKE Phase-2 Negotiation is Failed as Initiator, Quick Mode
Created On 09/25/18 19:43 PM - Last Modified 06/27/24 00:54 AM
Symptom
A site-to-site IPSec VPN between a Palo Alto Networks firewall and a firewall from a different vendor is configured.
Environment
Phase 1 succeeds, but Phase 2 negotiation fails.
Viewing ikemgr.log with the CLI command:
> tail follow yes mp-log ikemgr.log
shows the following errors:
( description contains 'IKE protocol notification message received: INVALID-ID-INFORMATION (18).' )
and
IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: 216.204.241.93[500]-216.203.80.108[500] message id:0x43D098BB. Due to negotiation timeout
Cause
The most common cause of a phase-2 failure is a Proxy ID mismatch.
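The following is an added example, not part of the original article or any Palo Alto Networks tooling: it picks the failed SA out of the two messages shown above and then compares the Proxy ID pairs exported from both gateways. The function names, the RFC 1918 selectors and the assumption that each log message sits on one line are illustrative.

```python
import ipaddress
import re

# Constructed input: the two message texts shown above, one per line.
SAMPLE_LOG = [
    "IKE protocol notification message received: INVALID-ID-INFORMATION (18).",
    "IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: "
    "216.204.241.93[500]-216.203.80.108[500] message id:0x43D098BB. "
    "Due to negotiation timeout",
]

# Assumption: the first address in "Failed SA" is the local gateway.
FAILED_SA = re.compile(
    r"IKE phase-2 negotiation is failed as (?P<role>initiator|responder), "
    r"quick mode\. Failed SA: (?P<local>[\d.]+)\[\d+\]-(?P<peer>[\d.]+)\[\d+\] "
    r"message id:(?P<msgid>0x[0-9A-Fa-f]+)"
)

def triage(lines):
    """List quick-mode failures; flag them when notify 18 was also logged."""
    saw_invalid_id = any("INVALID-ID-INFORMATION (18)" in ln for ln in lines)
    failures = []
    for ln in lines:
        m = FAILED_SA.search(ln)
        if m:
            failures.append({**m.groupdict(), "proxy_id_suspect": saw_invalid_id})
    return failures

def proxy_id_mismatches(ours, theirs):
    """Compare (local, remote) selector pairs taken from both gateways.

    Assumption: anything other than the exact mirror of our pair counts as a
    mismatch, so an overlapping /16 on the peer does not satisfy our /24.
    """
    def norm(a, b):
        return (ipaddress.ip_network(a), ipaddress.ip_network(b))
    mine = {norm(l, r) for l, r in ours}
    mirrored = {norm(r, l) for l, r in theirs}  # peer's view, swapped into ours
    def fmt(pairs):
        return sorted((str(a), str(b)) for a, b in pairs)
    return {"missing_on_peer": fmt(mine - mirrored),
            "missing_locally": fmt(mirrored - mine)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    # Constructed selectors: the peer was configured with a /16 instead of the /24.
    print(proxy_id_mismatches([("10.1.1.0/24", "192.168.10.0/24")],
                              [("192.168.0.0/16", "10.1.1.0/24")]))
```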
Resolution
Additional Information
For additional insight, please take a look at the Support FAQ hosted by our LIVECommunity team.
For more information on IPSec, please see: IPSec and tunneling - resource list