IPsec tunnel is down due to IKE Phase-1 failures in Azure
Symptom
- Log in to the firewall CLI and run the command below:
> show vpn ike-sa
IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
-------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
1 34.199.101.145 IKE1 Init Aggr PSK/ / / v1 3 4 0
- The CLI output above shows that the IKE phase-1 security association is not established.
- Review the ikemgr logs to understand and confirm the failure events:
ikemgr.log
2020-02-04 10:20:21.000 -0800 [PNTF]: { 1: }: ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, AGGRESSIVE MODE <====
====> Failed SA: 10.10.11.4[500]-34.199.101.145[500] cookie:7529644a73a7c138:0000000000000000 <==== Due to timeout.
2020-02-04 10:20:21.000 -0800 [INFO]: { 1: }: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 10.10.11.4[500]-34.199.101.145[500] cookie:7529644a73a7c138:0000000000000000 <====
2020-02-04 10:20:37.113 -0800 ikemgr: panike_daemon skipping phase 1
- The log snippet above shows that the phase-1 negotiation failed due to a timeout. On its own this is not conclusive, but if logs from the peer end are available they help to narrow the cause down further.
- Verify that the permitted IP is configured on the firewall interface.
- Ensure IKE and IPsec traffic is allowed by the security policy.
- Ensure Local and Peer Identification are configured on both ends.
- Check connectivity between the IPsec terminating endpoints, i.e. ping from the local interface to the peer interface.
- If the ping fails, troubleshoot network connectivity: verify Azure routing and check whether the traffic is allowed by the Network Security Group (NSG) associated with the interface and the subnet.
- If the ping succeeds, make sure NAT-T is enabled if the traffic is NAT'd in the path.
- Finally, follow the PAN-OS troubleshooting steps for debugging IKE phase-1 issues.
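As an added example (not part of this article or of PAN-OS), the following Python parser flags phase-1 timeout failures in an ikemgr.log excerpt like the one above. It pairs each "PHASE-1 NEGOTIATION FAILED" header with its "Failed SA" continuation line and uses the all-zero responder cookie to separate "no reply from the peer at all" from other failure reasons; the sample log is constructed from the lines above plus one extra failure.

```python
import re
from collections import Counter

# Constructed sample modelled on the ikemgr.log excerpt above; the second failure
# (different cookie) is added here to show per-peer counting.
SAMPLE_LOG = """\
2020-02-04 10:20:21.000 -0800 [PNTF]: { 1: }: ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, AGGRESSIVE MODE <====
====> Failed SA: 10.10.11.4[500]-34.199.101.145[500] cookie:7529644a73a7c138:0000000000000000 <==== Due to timeout.
2020-02-04 10:20:21.000 -0800 [INFO]: { 1: }: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 10.10.11.4[500]-34.199.101.145[500] cookie:7529644a73a7c138:0000000000000000 <====
2020-02-04 10:20:37.113 -0800 ikemgr: panike_daemon skipping phase 1
2020-02-04 10:21:05.000 -0800 [PNTF]: { 1: }: ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, AGGRESSIVE MODE <====
====> Failed SA: 10.10.11.4[500]-34.199.101.145[500] cookie:0123456789abcdef:0000000000000000 <==== Due to timeout.
"""
# Header line: timestamp, role and exchange mode; continuation line: endpoints, cookies, reason.
FAIL_HDR = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) \[PNTF\]: .*?"
    r"PHASE-1 NEGOTIATION FAILED AS (?P<role>INITIATOR|RESPONDER), (?P<mode>\w+) MODE"
)
FAIL_SA = re.compile(
    r"^====> Failed SA: (?P<local>[\d.]+)\[(?P<lport>\d+)\]-(?P<peer>[\d.]+)\[(?P<pport>\d+)\]"
    r" cookie:(?P<icookie>[0-9a-f]+):(?P<rcookie>[0-9a-f]+) <==== Due to (?P<reason>[^.]+)\."
)

def parse_phase1_failures(text):
    """Pair each PHASE-1 failure header with its 'Failed SA' continuation line."""
    failures, pending = [], None
    for line in text.splitlines():
        m = FAIL_HDR.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = FAIL_SA.match(line)
        if m and pending is not None:
            rec = {**pending, **m.groupdict()}
            # Responder cookie still all zeros: no reply to IKE message 1 was ever processed.
            rec["no_peer_reply"] = set(rec["rcookie"]) == {"0"}
            failures.append(rec)
            pending = None
    return failures

def timeouts_by_peer(failures):
    """Count timeout failures that got no reply, keyed by (local, peer) address."""
    counts = Counter()
    for f in failures:
        if f["reason"] == "timeout" and f["no_peer_reply"]:
            counts[(f["local"], f["peer"])] += 1
    return counts
```

A pair that keeps accumulating no-reply timeouts points at the path (NSG, routing, upstream filtering) rather than at a proposal mismatch, which would instead produce a responder cookie and a different failure reason.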
Environment
- Platform: VM-Series Firewall
- PAN-OS Version: 9.0.3 / -
- Deployment: Azure
Cause
- There can be many reasons for a phase-1 negotiation to fail with a timeout. Fundamentally, this scenario arises when IKE message 1 does not reach the peer, when the peer does not respond to it, or when the peer's response is dropped on the way back.
Resolution
- In this scenario, traffic was blocked by Network Security Group (NSG) on Azure.