IPsec tunnel between on-prem PA Firewall and Alibaba Cloud does not come up due to phase-1 negotiation failure
Created On 03/17/20 21:06 PM - Last Modified 01/05/23 21:51 PM
Symptom
- IPsec tunnel between on-prem PA Firewall and Alibaba Cloud does not come up due to phase-1 negotiation failure.
- Review System Logs to understand the failure events (GUI: Monitor > Logs > System)
System Logs:
- Notice phase-1 negotiation failure due to no suitable proposal being found in Security Association
Environment
- Palo Alto Firewall connected to Firewall on Alibaba Cloud
- PAN-OS / Plugin Version: Any
- IPsec tunnel
Cause
No suitable proposal found in SA payload
Resolution
- By default, Alibaba supports only the following parameters
- Either configure these parameters on the firewall, or modify the parameters on Alibaba Cloud under the following path: IPSec Connections > Click “Create IPsec connection” > Enable “Advanced Configuration” > Modify the parameters
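The check behind "No suitable proposal found in SA payload", sketched as an added example (not Palo Alto or Alibaba code): a peer proposal is accepted only if every phase-1 attribute is allowed by the local profile. The attribute names and all profile values are constructed for illustration and are not either vendor's defaults.

```python
# Added example: models how an IKE phase-1 responder compares SA proposals.
# Attribute names and all values are constructed, not vendor defaults.
ATTRS = ("encryption", "hash", "dh_group", "auth_method")


def match_proposal(local_profile, peer_proposals):
    """Return (index, proposal) of the first peer proposal whose every
    attribute is allowed by local_profile, or (None, None) if none fits."""
    for i, prop in enumerate(peer_proposals):
        if all(prop[a] in local_profile[a] for a in ATTRS):
            return i, prop
    return None, None


def explain_mismatch(local_profile, peer_proposals):
    """For each peer proposal, map the rejected attributes to offered values."""
    report = []
    for i, prop in enumerate(peer_proposals):
        bad = {a: prop[a] for a in ATTRS if prop[a] not in local_profile[a]}
        report.append((i, bad))
    return report


# Constructed sample: local IKE crypto profile (sets of accepted values).
LOCAL = {
    "encryption": {"aes-256-cbc"},
    "hash": {"sha256"},
    "dh_group": {"group14"},
    "auth_method": {"pre-shared-key"},
}
# Constructed sample: the single proposal offered by the remote gateway.
PEER = [{"encryption": "aes-128-cbc", "hash": "sha1",
         "dh_group": "group2", "auth_method": "pre-shared-key"}]

if __name__ == "__main__":
    idx, chosen = match_proposal(LOCAL, PEER)
    if chosen is None:
        print("no suitable proposal found")
        for i, bad in explain_mismatch(LOCAL, PEER):
            print(f"  proposal {i}: rejected on {sorted(bad)}")
    else:
        print(f"proposal {idx} accepted: {chosen}")
```

A single differing attribute is enough to reject a proposal, so compare every phase-1 field on both ends rather than only the encryption algorithm.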