IPSec Phase1 negotiation fails with "Unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings"

Created On 07/12/21 04:18 AM - Last Modified 07/14/21 05:42 AM


Symptom


     IPSec VPN Phase1 does not come up.
     The Palo Alto Firewall is acting as Initiator.
     System logs show ISAKMP message 1 being sent out from the PA Firewall with the Initiator Cookie; however, the negotiation fails "Due to timeout".

     ikemgr.log shows the following:
2021-07-08 19:50:07.402 -0700  [INFO]: {    4:     }: test: IKEv2 SA test initiate start.
2021-07-08 19:50:07.402 -0700  [PNTF]: {    4:     }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS INITIATOR, non-rekey; gateway test <====
                                                      ====> Initiated SA: 10.129.83.2[500]-10.129.83.221[500] SPI:50962cd283aa42d7:0000000000000000 SN:1034 <====
2021-07-08 19:50:07.456 -0700  [PWRN]: {    4:     }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe95527e480 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2021-07-08 19:50:12.052 -0700  [PWRN]: {    4:     }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe9552e9770 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2021-07-08 19:50:22.052 -0700  [PWRN]: {    4:     }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe9552e9770 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2021-07-08 19:50:42.052 -0700  [PWRN]: {    4:     }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe95527e480 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2021-07-08 19:51:22.052 -0700  [PWRN]: {    4:     }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe9552e9770 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.


 


Environment


  • Palo Alto Firewall.
  • Any PAN-OS.
  • IPSec VPN.
  • Phase-1.


Cause


This happens when the IKE version configured on the local device does not match the IKE version configured on the peer device.
 


Resolution


Verify the IKE Version configured on the Palo Alto Firewall (initiator) under Network > Network Profiles > IKE Gateway and match it with the peer device's configuration. Alternatively, check the IKE Version on the peer device and match it with the local setting.
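
To see which gateways are affected and which IKE version the firewall initiated with, the following added example (not part of the original article or of PAN-OS tooling) scans ikemgr.log text for the messages shown under Symptom. The function names are hypothetical, and it assumes log lines in the shape shown in the excerpt.

```python
import re
from collections import defaultdict

# Lines copied from the ikemgr.log excerpt in this article.
SAMPLE_LOG = """\
2021-07-08 19:50:07.402 -0700  [PNTF]: {    4:     }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS INITIATOR, non-rekey; gateway test <====
2021-07-08 19:50:07.456 -0700  [PWRN]: {    4:     }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe95527e480 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2021-07-08 19:50:12.052 -0700  [PWRN]: {    4:     }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe9552e9770 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2021-07-08 19:50:22.052 -0700  [PWRN]: {    4:     }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe9552e9770 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2021-07-08 19:50:42.052 -0700  [PWRN]: {    4:     }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe95527e480 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2021-07-08 19:51:22.052 -0700  [PWRN]: {    4:     }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe9552e9770 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
"""

# Only the IKEv2 form of the start line appears in the article; matching any
# "IKEv<digit>" assumes other versions are logged in the same shape.
START_RE = re.compile(r"(IKEv\d) IKE SA NEGOTIATION STARTED AS INITIATOR.*?gateway (\S+)")
NPC_RE = re.compile(
    r"(\d+(?:\.\d+){3})\[\d+\] - (\d+(?:\.\d+){3})\[\d+\]:\S+ "
    r"\[([^:\]]+):(\d+)\] unauthenticated NO_PROPOSAL_CHOSEN received")


def find_proposal_rejections(log_text):
    """Group unauthenticated NO_PROPOSAL_CHOSEN notifications by IKE gateway."""
    started = {}  # gateway name -> IKE version the firewall initiated with
    hits = defaultdict(lambda: {"count": 0, "sns": set()})
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            started[m.group(2)] = m.group(1)
            continue
        m = NPC_RE.search(line)
        if m:
            local, peer, gateway, sn = m.groups()
            hits[gateway]["count"] += 1
            hits[gateway]["sns"].add(sn)
            hits[gateway].update(local=local, peer=peer)
    return {gw: {**h, "sns": sorted(h["sns"]),
                 "initiated_as": started.get(gw, "unknown")}
            for gw, h in hits.items()}


def report(findings):
    """One line per gateway, naming the version to compare against the peer."""
    return [f"gateway {gw}: {f['local']} -> {f['peer']} initiated as "
            f"{f['initiated_as']}, peer answered NO_PROPOSAL_CHOSEN {f['count']}x "
            f"(SN {','.join(f['sns'])}); compare IKE Version with the peer"
            for gw, f in sorted(findings.items())]


if __name__ == "__main__":
    print("\n".join(report(find_proposal_rejections(SAMPLE_LOG))))
```

A gateway reported with `initiated_as` set to `IKEv2` is one whose IKE Version setting should be compared against the peer first.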
