Palo Alto Networks Knowledgebase: Traffic is not flowing across IPSec VPN due to Phase 2 Ciphers


Created On 02/07/19 23:43 PM - Last Updated 02/07/19 23:44 PM


Symptom: your IPSec VPN tunnel shows green (up) under Network > IPSec Tunnels, and both phase 1 and phase 2 have completed, but no traffic flows across the tunnel.



To confirm this is the issue, run the following CLI command several times, at least once before and once after trying to send data across the VPN tunnel, so that the counter values can be compared:

> show counter global filter severity drop aspect tunnel category flow

Please look for the following 2 values:

  • flow_tunnel_decap_err
  • flow_tunnel_ipsec_bad_length


If those two counters increase after you send traffic, this indicates a problem with the IPSec Phase 2 (ESP) negotiation: the packets arrive but the firewall cannot decapsulate them. Some peer firewalls do not support newer ciphers (for example aes-256-gcm) and require older ciphers for the tunnel to pass traffic.
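As an added example (not part of the original article), the snapshot comparison described above as a small script: it parses two captures of the counter command and reports whether flow_tunnel_decap_err or flow_tunnel_ipsec_bad_length increased. The sample output is constructed and its column layout only approximates real PAN-OS output; treating a counter that is absent from a snapshot as zero is an assumption.

```python
import re
from typing import Dict

# Counters the article says to watch when the tunnel is up but passes no traffic.
WATCHED_COUNTERS = ("flow_tunnel_decap_err", "flow_tunnel_ipsec_bad_length")

# A counter row starts with <name> <value> <rate>. The banner, the header row,
# the dashed separator and the "Elapsed time" line do not match and are skipped.
_ROW = re.compile(r"^(\w+)\s+(\d+)\s+(\d+)\s")

# Constructed sample of
#   > show counter global filter severity drop aspect tunnel category flow
# The layout approximates PAN-OS output; it is not a captured session.
SNAPSHOT = """\
Global counters:
Elapsed time since last sampling: 4.2 seconds

name                           value     rate severity  category  aspect   description
--------------------------------------------------------------------------------
flow_tunnel_decap_err         {decap:>8}        0 drop      flow      tunnel   Packets dropped: tunnel decapsulation error
flow_tunnel_ipsec_bad_length  {badlen:>8}        0 drop      flow      tunnel   Packets dropped: IPSec bad length
"""
BEFORE = SNAPSHOT.format(decap=12, badlen=30)   # before sending traffic
AFTER = SNAPSHOT.format(decap=37, badlen=58)    # after sending traffic


def parse_counters(output: str) -> Dict[str, int]:
    """Extract {counter_name: value} from 'show counter global' output."""
    counters: Dict[str, int] = {}
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def increasing_counters(before: Dict[str, int], after: Dict[str, int],
                        watched=WATCHED_COUNTERS) -> Dict[str, int]:
    """Return {name: increase} for watched counters that grew between snapshots.
    Assumption: a counter missing from a snapshot has not fired, so it counts as 0."""
    deltas: Dict[str, int] = {}
    for name in watched:
        delta = after.get(name, 0) - before.get(name, 0)
        if delta > 0:
            deltas[name] = delta
    return deltas


def phase2_cipher_mismatch_suspected(before_output: str, after_output: str) -> bool:
    """True if either watched drop counter increased: the symptom this article
    associates with a Phase 2 cipher the peer does not support."""
    return bool(increasing_counters(parse_counters(before_output),
                                    parse_counters(after_output)))
```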



To resolve this issue, check with the administrator of your VPN peer and verify which ciphers it supports; it is possible that the cipher you have selected is not supported by the peer. Once you have the list of ciphers the peer supports, review the encryption ciphers you have selected under Network > Network Profiles > IPSec Crypto, select the profile used for this VPN peer, and add the supported ciphers. Commit, then test again.

[Figure: IPSec Crypto Profile window showing the supported ciphers.]
Note: If the profile is used by other IPSec VPN peers, and works, then we recommend creating a new Crypto Profile for any new ciphers that are needed.

