IPSec: Phase 2 negotiation fails with the error "[ERR ]: { 6: }: rcf_get_selectorlist() failed"

• Firewall configured as "responder".
• IPSec Phase-2 fails to come up. 
• The ikemgr debug log (less mp-log ikemgr.log)  display "rcf_get_selectorlist() failed" message.

-0600 [DEBG]: { 6: }: HASH computed:
-0600 [ERR ]: { 6: }: rcf_get_selectorlist() failed 
-0600 [ERR ]: { 6: }: can't find matching selector
-0600 [PERR]: { 6: }: failed to get sainfo.

• Palo Alto Firewalls
• Supported PANOS versions
• IPSec VPNs
• Firewall configured as responder

1. Incomplete Tunnel configuration: Here the command "show vpn flow" does not display the tunnel id.

palo> show vpn flow 
id    name       state   monitor   local-ip     peer-ip      tunnel-i/f  
--      ----     -----   -------   --------     -------      ----------  
n     test1      init      off     x.x.3.4      x.x.3.6     (missing info) >>>> Missing tunnel info. Normally displayed as tunnel.x 

2. Incorrect Proxy-id configured:  The error message is also displayed when the Proxy-id is not properly configured between the local VPN device and the peer VPN device.

1. Verify if the tunnel interface is not showing up/missing using "show vpn flow command.
2. Once verified, delete the phase-2 configuration including the tunnel interface follow by the commit command.
3. Reconfigure all them back follow by the  commit command.
4. For help Refer Define IPSEC Crypto Profiles.

1. Correct the Proxy-id Configuration on both sides
2. Commit the configuration
3. For help on Proxy id, Refer: Why Use a VPN Proxy ID?.