IPSEC Negotiation failed on phase 2 with Error code 19

64758
Created On 02/11/21 18:06 PM - Last Modified 08/04/22 22:52 PM


Symptom


IPSEC tunnel phase 2 negotiation fails as the initiator with the error message shown below:
IKEv2 child SA negotiation is failed as initiator, non-rekey. 
Failed SA: x.y.z.q[500]-m.n.p.r[500] message id:0x0000070E. Error code 19


Environment


  • Palo Alto Firewall.
  • PAN-OS 8.1 and above.
  • IPSEC VPN tunnel between Peers.


Cause


A mismatch of the Diffie-Hellman (DH) group between the two peers causes this issue.

Resolution


  1. IPSEC phase 2 packets are encrypted, so packet captures cannot be reviewed to identify the cause.
  2. The DH group mismatch causes error code 19 to appear in the system logs and the ikemgr logs.
  3. Check the DH group configuration on the IPSec Crypto and IKE Crypto profiles by navigating to:
  •     GUI: Network > Network Profiles > IPSec Crypto Profile
  •     GUI: Network > Network Profiles > IKE Crypto Profile
  4. Both profiles should have the same DH group, and the peer at the other end must also be configured with the same DH group.
  5. The issue is resolved once both the local and peer configurations are corrected to match.
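As an added example (not part of the article or PAN-OS itself), the script below pulls the peers that logged error code 19 out of constructed ikemgr-style log lines in the format quoted above, then compares the DH groups read off the IKE Crypto and IPSec Crypto profiles with the peer's settings to point at the mismatch; the profile values and peer addresses are constructed sample data.

```python
import re

# Constructed sample log lines, modelled on the message quoted in the Symptom section.
SAMPLE_LOG = """\
IKEv2 child SA negotiation is failed as initiator, non-rekey. Failed SA: 198.51.100.10[500]-203.0.113.20[500] message id:0x0000070E. Error code 19
IKEv2 child SA negotiation is failed as initiator, non-rekey. Failed SA: 198.51.100.10[500]-203.0.113.30[500] message id:0x00000012. Error code 19
IKEv2 child SA negotiation is failed as initiator, non-rekey. Failed SA: 198.51.100.10[500]-203.0.113.40[500] message id:0x00000003. Error code 7
"""

FAIL_RE = re.compile(
    r"Failed SA: (?P<local>[\d.]+)\[\d+\]-(?P<peer>[\d.]+)\[\d+\] "
    r"message id:(?P<msgid>0x[0-9A-Fa-f]+)\. Error code (?P<code>\d+)"
)

def find_error19(log_text):
    """Return (local_ip, peer_ip, message_id) for each child-SA failure logged with error code 19."""
    hits = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m and m.group("code") == "19":
            hits.append((m.group("local"), m.group("peer"), m.group("msgid")))
    return hits

# Constructed profile settings, written the way they read on the two GUI pages named in step 3:
# IKE Crypto profile = DH groups offered in phase 1; IPSec Crypto profile = the phase 2 (PFS) DH group.
LOCAL = {"ike_dh_groups": ["group14"], "ipsec_dh_group": "group14"}
PEERS = {
    "203.0.113.20": {"ike_dh_groups": ["group14"], "ipsec_dh_group": "group2"},   # phase 2 group differs
    "203.0.113.30": {"ike_dh_groups": ["group14"], "ipsec_dh_group": "group14"},  # already consistent
}

def dh_findings(local, peer):
    """List every DH-group inconsistency between our profiles and the peer's; empty means none found."""
    findings = []
    if local["ipsec_dh_group"] not in local["ike_dh_groups"]:
        findings.append("local IPSec Crypto DH group is not one of the local IKE Crypto DH groups")
    if not set(local["ike_dh_groups"]) & set(peer["ike_dh_groups"]):
        findings.append("no DH group in common for phase 1")
    if local["ipsec_dh_group"] != peer["ipsec_dh_group"]:
        findings.append("phase 2 DH group differs: local %s, peer %s" % (local["ipsec_dh_group"], peer["ipsec_dh_group"]))
    return findings

def triage(log_text, local, peers):
    """Map each known peer that logged error code 19 to its DH findings (empty list: groups already match)."""
    result = {}
    for _, peer_ip, _ in find_error19(log_text):
        if peer_ip in peers:
            result[peer_ip] = dh_findings(local, peers[peer_ip])
    return result

if __name__ == "__main__":
    for peer_ip, findings in triage(SAMPLE_LOG, LOCAL, PEERS).items():
        print(peer_ip, "->", findings or ["DH groups consistent; check the other phase 2 settings"])
```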


Additional Information


IPSEC PHASE 2 NEGOTIATION FAILS WITH "IKEV2 CHILD SA NEGOTIATION IS FAILED RECEIVED KE TYPE %D, EXPECTED %D" - DH GROUP MISMATCH IN PHASE 2


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCrICAW&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
