IPsec tunnel down with error in ikemgr.log "SA dying from state RES_IKE_SA_INIT_SENT, caller ikev2_abort"

Created On 07/07/23 13:37 PM - Last Modified 08/01/23 03:31 AM


Symptom


  • Both IPsec phases are down.
  • ikemgr.log (less mp-log ikemgr.log) displays the error: SA dying from state RES_IKE_SA_INIT_SENT, caller ikev2_abort


Environment


  • Palo Alto Firewalls (Platform/VM series)
  • Supported PAN-OS
  • IPsec Tunnels
  • IKEv2 is used as the tunneling protocol.
  • Local and Peer identification is configured under GUI: Network > Network Profiles > IKE Gateways 


Cause


The SA INIT fails when there is a misconfiguration in the local/peer identification.

Resolution


Either of the following two options will fix the issue:
  1. Validate that the proper Local and/or Peer identification is used.
  2. Remove the Local and Peer identification configuration under GUI: Network > Network Profiles > IKE Gateways.
Once verified, Commit the changes.
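
To validate the identification values offline before committing, the check below compares what each gateway sends as its Local identification with what the other side expects as Peer identification. It is an added example, not Palo Alto Networks code: the dictionary layout, the type labels and the sample values are hypothetical, and it assumes exact-match comparison and that a gateway with no identification configured uses the IP address.

```python
import ipaddress

def effective_id(ident, fallback_ip):
    """(type, value) a gateway uses; assumed to fall back to the IP when unset."""
    return ("ipaddr", fallback_ip) if ident is None else ident

def canon(id_type, value):
    """Loose form used only to explain near-misses, never to declare a match."""
    value = value.strip()
    if id_type == "ipaddr":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return value
    return value.rstrip(".").lower()

def compare(sent, expected, direction):
    """Findings for one direction; an empty list means the IDs agree."""
    (s_type, s_val), (e_type, e_val) = sent, expected
    if s_type != e_type:
        return [f"{direction}: type mismatch, sent {s_type} but peer expects {e_type}"]
    if s_val == e_val:
        return []
    if canon(s_type, s_val) == canon(e_type, e_val):
        return [f"{direction}: near-miss (case, whitespace or trailing dot): "
                f"{s_val!r} vs {e_val!r}"]
    return [f"{direction}: value mismatch, sent {s_val!r} but peer expects {e_val!r}"]

def check_pair(a, b):
    """Check that each side's local ID is what the other side expects as peer ID."""
    findings = []
    for near, far in ((a, b), (b, a)):
        sent = effective_id(near.get("local_id"), near["local_ip"])
        expected = effective_id(far.get("peer_id"), far["peer_ip"])
        findings += compare(sent, expected, f"{near['name']} -> {far['name']}")
    return findings

# Constructed sample: two gateway definitions using documentation addresses.
HQ = {"name": "hq", "local_ip": "192.0.2.1", "peer_ip": "198.51.100.7",
      "local_id": ("fqdn", "hq.example.com"),
      "peer_id": ("fqdn", "branch.example.com")}
BRANCH = {"name": "branch", "local_ip": "198.51.100.7", "peer_ip": "192.0.2.1",
          "local_id": ("fqdn", "Branch.example.com"), "peer_id": None}

if __name__ == "__main__":
    for line in check_pair(HQ, BRANCH) or ["identification settings agree"]:
        print(line)
```

An empty result after correcting the values corresponds to option 1, and an empty result with every identification field unset corresponds to option 2.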

