IPSec Phase1 negotiation fails with "Unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings"
28473
Created On 07/12/21 04:18 AM - Last Modified 07/14/21 05:42 AM
Symptom
IPSec VPN Phase1 not coming up.
Palo Alto Firewall is acting as Initiator.
System logs shows ISAKMP message 1 being sent out from PA Firewall with Initiator Cookie, however, the negotiations fails "Due to timeout".
Ikemgr.log shows below:
2021-07-08 19:50:07.402 -0700 [INFO]: { 4: }: test: IKEv2 SA test initiate start. 2021-07-08 19:50:07.402 -0700 [PNTF]: { 4: }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS INITIATOR, non-rekey; gateway test <==== ====> Initiated SA: 10.129.83.2[500]-10.129.83.221[500] SPI:50962cd283aa42d7:0000000000000000 SN:1034 <==== 2021-07-08 19:50:07.456 -0700 [PWRN]: { 4: }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe95527e480 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings. 2021-07-08 19:50:12.052 -0700 [PWRN]: { 4: }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe9552e9770 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings. 2021-07-08 19:50:22.052 -0700 [PWRN]: { 4: }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe9552e9770 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings. 2021-07-08 19:50:42.052 -0700 [PWRN]: { 4: }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe95527e480 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings. 2021-07-08 19:51:22.052 -0700 [PWRN]: { 4: }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe9552e9770 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
Environment
- Palo Alto Firewall.
- Any PAN-OS.
- IPSec VPN.
- Phase-1.
Cause
This happens, when there is a configuration mismatch in IKE version on Local and Peer Devices.
Resolution
Verify the IKE Version configuration (under Network > Network Profiles > IKE Gateway) on the Palo Alto Firewall (initiator) and match it with the peer device's config or you can check the IKE Version on the peer device to match it with the Local.