Phase-1 not coming up for the ipsec tunnel between PA-VMs in AWS

Created On 03/18/20 01:52 AM - Last Modified 04/06/20 17:31 PM


Symptom


Unable to establish IPsec tunnel on PA-VM because IKE Phase-1 is down.
  • Log in to the firewall CLI and run the following command:
> show vpn ike-sa
IKEv1 phase-1 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm             Established     Expiration      V  ST Xt Phase2
--------------  ------------           ------------           ---- ---- ---------             -----------     ----------      -  -- -- ------
1               34.199.101.145         IKE1                   Init Aggr PSK/    /    /                                        v1 3  4  0     
  • The output above shows that the IKE phase-1 security association is not established.
  • Review the ikemgr logs to understand and verify the failure events:
ikemgr.log
2020-02-04 10:20:21.000 -0800  [PNTF]: {    1:     }: ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, AGGRESSIVE MODE <====
                                                      ====> Failed SA: 10.10.11.4[500]-34.199.101.145[500] cookie:7529644a73a7c138:0000000000000000 <==== Due to timeout.
2020-02-04 10:20:21.000 -0800  [INFO]: {    1:     }: ====> PHASE-1 SA DELETED <====
                                                      ====> Deleted SA: 10.10.11.4[500]-34.199.101.145[500] cookie:7529644a73a7c138:0000000000000000 <====
2020-02-04 10:20:37.113 -0800 ikemgr: panike_daemon skipping phase 1
 
  • The log snippet above shows that the phase-1 negotiation failed due to a timeout. This alone is not conclusive, but if logs from the peer end are available they help narrow the cause down further.
  • Verify that the permitted IP is configured on the firewall interface.
  • Ensure IKE and IPsec traffic is allowed by the security policy.
  • Ensure Local and Peer Identification is configured on both ends.
  • Check connectivity between the IPsec terminating endpoints, i.e. ping the peer interface from the local interface.
  • If this fails, troubleshoot network connectivity: verify AWS routing and check whether the traffic is allowed by the Security Group and the subnet NACL.
  • If the ping succeeds, make sure NAT-T is enabled if traffic is NAT'd in the path.
  • Finally, follow the PAN-OS troubleshooting steps for debugging IKE phase-1 issues.


Environment


  • Platform: PA-VM-300
  • PAN-OS Version: 8.0.4
  • Plugin Version: NA


Cause


  • There can be numerous reasons for a phase-1 negotiation to fail with a timeout. Basically, if IKE message 1 does not reach the peer, if the peer does not respond to the message, or if the response is dropped on the way back, the result is this scenario.


Resolution


  • In this scenario, traffic was blocked by Security Group on AWS.
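As an added example (not part of this article or of any Palo Alto Networks tooling), the check below evaluates a Security Group's inbound rules for the traffic an IPsec peer must be allowed to send to the PA-VM's outside interface: UDP/500 (IKE), UDP/4500 (NAT-T) and IP protocol 50 (ESP). The input is a constructed rule list in the shape of the `IpPermissions` field returned by EC2 `DescribeSecurityGroups`; the peer address is the one from the ike-sa output above and is used only as sample data.

```python
import ipaddress

# Constructed sample in the shape of EC2 DescribeSecurityGroups -> IpPermissions.
# It allows SSH from the VPC and IKE (UDP/500) from the peer, but forgot NAT-T and ESP.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
     "IpRanges": [{"CidrIp": "34.199.101.145/32"}]},
]

# (protocol, port) pairs the IPsec peer must be able to reach on the firewall.
# ESP is IP protocol 50 and has no port; AWS encodes it as IpProtocol "50".
REQUIRED = (("udp", 500), ("udp", 4500), ("50", None))


def _covers(rule, proto, port, peer):
    """True if one SG rule admits `proto`/`port` from the address `peer`."""
    rp = rule["IpProtocol"]
    if rp != "-1":                      # "-1" is AWS shorthand for all traffic
        if rp != proto:
            return False
        if port is not None:
            lo = rule.get("FromPort", 0)
            hi = rule.get("ToPort", 65535)
            if lo != -1 and not lo <= port <= hi:
                return False
    # Only IPv4 CIDR ranges are evaluated; rules that reference other security
    # groups or prefix lists are treated conservatively as not matching.
    return any(peer in ipaddress.ip_network(r["CidrIp"])
               for r in rule.get("IpRanges", []))


def missing_ipsec_rules(ingress, peer_ip):
    """Return the (protocol, port) pairs no inbound rule allows from peer_ip."""
    peer = ipaddress.ip_address(peer_ip)
    return [(proto, port) for proto, port in REQUIRED
            if not any(_covers(rule, proto, port, peer) for rule in ingress)]


if __name__ == "__main__":
    for proto, port in missing_ipsec_rules(SAMPLE_INGRESS, "34.199.101.145"):
        print(f"missing inbound rule: {proto}" + (f"/{port}" if port else ""))
```

The Security Group is stateful, so only the inbound side needs these rules; the subnet NACL is stateless and must permit the same traffic in both directions, which this check does not cover.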

