IPsec tunnel is down due to IKE Phase-1 failures in Azure


Created On 03/17/20 22:19 PM - Last Modified 04/06/20 17:08 PM


Symptom


  • Log in to the firewall CLI and execute the following CLI command:

> show vpn ike-sa

IKEv1 phase-1 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm             Established     Expiration      V  ST Xt Phase2
--------------  ------------           ------------           ---- ---- ---------             -----------     ----------      -  -- -- ------

1               34.199.101.145         IKE1                   Init Aggr PSK/    /    /                                        v1 3  4  0            

  • The CLI output above shows that the IKE phase-1 security association is not established

  • Review the ikemgr logs to understand and verify the failure events:

ikemgr.log
2020-02-04 10:20:21.000 -0800  [PNTF]: {    1:     }: ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, AGGRESSIVE MODE <====
                                                      ====> Failed SA: 10.10.11.4[500]-34.199.101.145[500] cookie:7529644a73a7c138:0000000000000000 <==== Due to timeout.
2020-02-04 10:20:21.000 -0800  [INFO]: {    1:     }: ====> PHASE-1 SA DELETED <====
                                                      ====> Deleted SA: 10.10.11.4[500]-34.199.101.145[500] cookie:7529644a73a7c138:0000000000000000 <====
2020-02-04 10:20:37.113 -0800 ikemgr: panike_daemon skipping phase 1

  • The log snippet above shows that the phase-1 negotiation failed due to a timeout. This alone is not conclusive, but if logs from the peer end are available, they will help narrow the cause down further.

  • Verify that the permitted IP is configured on the firewall interface

  • Ensure that IKE and IPsec traffic is allowed by the security policy

  • Ensure that the Local and Peer Identification are configured on both ends

  • Check connectivity between the IPsec terminating endpoints, i.e. ping from the local interface to the peer interface.

  • If the ping fails, troubleshoot network connectivity, verify Azure routing, and check whether the traffic is allowed by the Network Security Group (NSG) associated with the interface and the subnet.

  • If the ping succeeds, make sure NAT-T is enabled if the traffic is NAT'd in the path

  • Finally, follow the PAN-OS troubleshooting steps for debugging IKE phase-1 issues.
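The following Python helper is an added example, not part of this article or of PAN-OS: it applies the checks above to the `show vpn ike-sa` output and the ikemgr.log lines shown, flags gateways whose Established column is blank, extracts the phase-1 failure reason and endpoints, and maps a timeout to the next checks listed in this article. The embedded sample text is constructed to mirror the article's output; UDP 500/4500 are the standard IKE and NAT-T ports and are an assumption of the example, not something the article states.

```python
import re

# Constructed sample that mirrors the article's 'show vpn ike-sa' output.
IKE_SA_OUTPUT = """\
GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm             Established     Expiration      V  ST Xt Phase2
--------------  ------------           ------------           ---- ---- ---------             -----------     ----------      -  -- -- ------
1               34.199.101.145         IKE1                   Init Aggr PSK/    /    /                                        v1 3  4  0
"""

# Constructed ikemgr.log lines that mirror the article's snippet.
IKEMGR_LOG = """\
2020-02-04 10:20:21.000 -0800  [PNTF]: {    1:     }: ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, AGGRESSIVE MODE <====
                                                      ====> Failed SA: 10.10.11.4[500]-34.199.101.145[500] cookie:7529644a73a7c138:0000000000000000 <==== Due to timeout.
2020-02-04 10:20:21.000 -0800  [INFO]: {    1:     }: ====> PHASE-1 SA DELETED <====
"""

FAIL_RE = re.compile(r"PHASE-1 NEGOTIATION FAILED AS (\w+), (\w+) MODE")
SA_RE = re.compile(r"Failed SA: (\S+)\[(\d+)\]-(\S+)\[(\d+)\] cookie:\S+ <==== Due to (.+?)\.?$")

# A timeout means IKE message 1 got no answer: a reachability/filtering problem rather than a
# proposal mismatch, so the next checks are the connectivity, routing, NSG and NAT-T items above.
NEXT_CHECKS = {
    "timeout": ["ping the peer interface from the local interface", "verify Azure routing",
                "verify the NSG on the NIC and subnet permits UDP 500 and 4500 (assumed IKE/NAT-T ports)",
                "enable NAT-T if a NAT device sits in the path"],
}

def unestablished_gateways(output):
    """Return (GwID, Peer-Address, Gateway Name) for rows whose Established column is blank."""
    lines = output.splitlines()
    header = next(l for l in lines if "Established" in l)
    start, end = header.index("Established"), header.index("Expiration")
    down = []
    for line in lines[lines.index(header) + 1:]:
        if not line.strip() or line.startswith("-"):
            continue
        if not line[start:end].strip():           # Established column is empty: SA not up
            down.append(tuple(line.split()[:3]))  # first three columns identify the gateway
    return down

def phase1_failures(log):
    """Pair each FAILED line with its 'Failed SA' continuation and return structured records."""
    lines = log.splitlines()
    out = []
    for i, line in enumerate(lines[:-1]):
        m, sa = FAIL_RE.search(line), SA_RE.search(lines[i + 1].rstrip())
        if m and sa:
            out.append({"time": line[:23], "role": m.group(1).lower(), "mode": m.group(2).lower(),
                        "local": f"{sa.group(1)}:{sa.group(2)}", "peer": f"{sa.group(3)}:{sa.group(4)}",
                        "reason": sa.group(5), "next": NEXT_CHECKS.get(sa.group(5), ["collect peer-side IKE logs"])})
    return out
```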



Environment


  • Platform: VM-Series Firewall
  • PAN-OS Version: 9.0.3 / -
  • Deployment: Azure


Cause


  • There can be numerous causes for a phase-1 negotiation to fail due to timeout. Essentially, this scenario occurs if IKE message 1 does not reach the peer, if the peer does not respond to the message, or if the response is dropped.


Resolution


  • In this scenario, traffic was blocked by a Network Security Group (NSG) on Azure.

