IPSEC Negotiation failed on phase 2 with Error code 19
64758
Created On 02/11/21 18:06 PM - Last Modified 08/04/22 22:52 PM
Symptom
IPSEC tunnel phase 2 negotiation fails when the firewall is the initiator, with the error message shown below:
IKEv2 child SA negotiation is failed as initiator, non-rekey.
Failed SA: x.y.z.q[500]-m.n.p.r[500] message id:0x0000070E. Error code 19
Environment
- Palo Alto Firewall.
- PAN-OS 8.1 and above.
- IPSEC VPN tunnel between Peers.
Cause
A mismatch of the Diffie-Hellman (DH) group configured on the two peers causes this issue.
Resolution
- IPSEC phase 2 packets are encrypted, so packet captures cannot be reviewed to identify the cause.
- The mismatch instead shows up as error code 19 in the system logs and the ikemgr logs.
- Check the DH group configuration in the IPSec Crypto and IKE Crypto profiles by navigating to:
- GUI: Network > Network Profiles > IPSec Crypto Profile
- GUI: Network > Network Profiles > IKE Crypto Profile
- Both profiles should have the same DH group, and the remote peer must also be configured with the same DH group.
- The issue is resolved once both the local and the peer configurations are corrected to match.
Additional Information
IPSEC phase 2 negotiation fails with "IKEv2 child SA negotiation is failed received KE type %d, expected %d" - DH group mismatch in phase 2
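As an added example (not part of the KB article or of PAN-OS itself), the following Python script shows the two checks the Resolution section and the referenced "received KE type %d, expected %d" message boil down to: extracting the received and expected KE (DH group) types from a constructed ikemgr-style log line, naming them with the IANA IKEv2 DH group IDs, and comparing the PFS DH group of two IPsec Crypto profiles represented as plain dicts. The log line, the profile dicts and the function names are assumptions made for this example.

```python
import re

# IKEv2 Diffie-Hellman group IDs (transform type 4) from the IANA registry, RFC 7296.
# Only the groups commonly selectable in an IPsec Crypto profile are listed.
DH_GROUP_NAMES = {
    1: "group1 (768-bit MODP)",
    2: "group2 (1024-bit MODP)",
    5: "group5 (1536-bit MODP)",
    14: "group14 (2048-bit MODP)",
    19: "group19 (256-bit ECP)",
    20: "group20 (384-bit ECP)",
}

# Matches the child SA failure message quoted in the article, with the %d
# placeholders filled in by the numeric KE (DH group) types.
KE_MISMATCH_RE = re.compile(
    r"child SA negotiation is failed.*?received KE type (\d+), expected (\d+)",
    re.IGNORECASE,
)


def parse_ke_mismatch(log_line):
    """Return (received_group, expected_group) as DH group IDs, or None when the
    line is not a phase 2 KE-type mismatch (e.g. the generic 'non-rekey' line)."""
    m = KE_MISMATCH_RE.search(log_line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def describe_mismatch(received, expected):
    """Diagnosis text: the peer proposed `received`, the local profile expects `expected`."""
    return (
        f"peer proposed DH {DH_GROUP_NAMES.get(received, received)}, "
        f"local IPsec Crypto profile expects DH {DH_GROUP_NAMES.get(expected, expected)}"
    )


def phase2_dh_matches(local_profile, peer_profile):
    """True when both IPsec Crypto profiles use the same PFS DH group.
    Profiles are constructed dicts with a 'dh_group' key; None stands for
    PFS disabled, which must also agree on both ends."""
    return local_profile.get("dh_group") == peer_profile.get("dh_group")


# Constructed ikemgr-style log line (not a real capture) in the format quoted above.
SAMPLE_LOG = (
    "IKEv2 child SA negotiation is failed received KE type 14, expected 19. "
    "Failed SA: 192.0.2.1[500]-198.51.100.1[500] message id:0x0000070E. Error code 19"
)

if __name__ == "__main__":
    received, expected = parse_ke_mismatch(SAMPLE_LOG)
    print(describe_mismatch(received, expected))
    print(phase2_dh_matches({"dh_group": 19}, {"dh_group": 14}))  # False: fix one side
```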