IPsec tunnel between on-prem PA Firewall and Alibaba Cloud does not come up due to phase-1 negotiation failure

Created On 03/17/20 21:06 PM - Last Modified 01/05/23 21:51 PM


Symptom


  • IPsec tunnel between on-prem PA Firewall and Alibaba Cloud does not come up due to phase-1 negotiation failure. 


  • Review System Logs to understand the failure events (GUI: Monitor > Logs > System)
  • Notice phase-1 negotiation failure due to no suitable proposal being found in Security Association
 


Environment


  • Palo Alto Firewall connected to Firewall on Alibaba Cloud
  • PAN-OS / Plugin Version: Any
  • IPSec Tunnel.


Cause


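No suitable proposal was found in the SA payload: the IKE phase-1 parameters proposed by one peer do not match any set of parameters configured on the other.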

Resolution


  1. By default, Alibaba supports only the following parameters:
User-added image
  2. Either configure these parameters on the firewall, or modify the parameters on Alibaba Cloud under the following path: IPSec Connections > click “Create IPsec connection” > enable “Advanced Configuration” > modify the parameters.
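The following is an added example, not part of the original article and not Palo Alto Networks or Alibaba Cloud code. It models how a responder selects a phase-1 proposal and, when none matches, reports which attributes differ in the closest pair. The `Proposal` type, the function names and all proposal values are constructed for illustration and are not Alibaba Cloud's actual defaults.

```python
# Added example: models IKE phase-1 proposal matching. All values are constructed.
from typing import List, NamedTuple, Optional


class Proposal(NamedTuple):
    encryption: str
    hash: str
    dh_group: int
    auth: str = "psk"
    # SA lifetime is left out on purpose: implementations differ on whether a
    # lifetime mismatch rejects the proposal, so it is not modelled here.


def select_proposal(initiator: List[Proposal],
                    responder: List[Proposal]) -> Optional[Proposal]:
    """Return the first initiator proposal the responder also has configured.

    None means no proposal is acceptable, which is the condition the firewall
    logs as a phase-1 failure with no suitable proposal.
    """
    accepted = set(responder)
    for proposal in initiator:
        if proposal in accepted:
            return proposal
    return None


def nearest_mismatch(initiator: List[Proposal], responder: List[Proposal]):
    """Return (initiator_proposal, responder_proposal, differing_fields) for
    the pair that differs in the fewest attributes."""
    best = None
    for i in initiator:
        for r in responder:
            diff = {f: (getattr(i, f), getattr(r, f))
                    for f in Proposal._fields if getattr(i, f) != getattr(r, f)}
            if best is None or len(diff) < len(best[2]):
                best = (i, r, diff)
    return best


# Constructed sample proposals (placeholders, not real vendor defaults).
FIREWALL = [Proposal("aes-256-cbc", "sha384", 20),
            Proposal("aes-256-cbc", "sha256", 19)]
CLOUD_PEER = [Proposal("aes-256-cbc", "sha256", 14)]
FIREWALL_FIXED = FIREWALL + [Proposal("aes-256-cbc", "sha256", 14)]

if __name__ == "__main__":
    print("negotiated:", select_proposal(FIREWALL, CLOUD_PEER))
    print("closest mismatch:", nearest_mismatch(FIREWALL, CLOUD_PEER)[2])
    print("after fix:", select_proposal(FIREWALL_FIXED, CLOUD_PEER))
```

Replace the sample lists with the values from the firewall's IKE crypto profile and the cloud side's IPsec connection settings to see which attribute has to change.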
 

