IPSec Phase 2 Negotiation fails with "IKE protocol notification message received: received notify type NO_PROPOSAL_CHOSEN" - Authentication mismatch in Phase 2

Created On 08/02/22 18:45 PM - Last Modified 08/05/22 20:00 PM


Symptom


  • VPN Tunnel not coming up or went down
  • System Logs showing "IKE protocol notification message received: received notify type NO_PROPOSAL_CHOSEN"
  • System Logs showing "message lacks IDr payload"
  • CLI show command outputs on the two peer firewalls showing different Authentication algorithms (Example: SHA-512 vs. SHA-256)
  • >less mp-log ikemgr.log showing "IKEv2 proposal doesn't match, please check crypto setting on both sides."
  • >less mp-log ikemgr.log showing "<IKEGateway> unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings"
  • This Authentication mismatch in Phase 2 (IPSec Crypto Profile) is not visible in a packet capture (unless the pcap is manually decrypted), so it is best to use the CLI commands, or to check both sides' configurations manually, to identify and resolve the mismatch

Web UI
Navigate to Network > IPSec Crypto Profile > edit IPSec Crypto Profile > edit Authentication
Comparing Phase 2 Authentication Web UI mismatch

CLI
On both VPN peers, run the below command(s) via CLI
>show vpn tunnel
FW1> show vpn tunnel
TnID Name   Gateway               Local Proxy IP       Ptl:Port   Remote Proxy IP      Ptl:Port   Proposals
1   VPNTunnel10 IKEGatewayTest1   0.0.0.0/0            0:0        0.0.0.0/0            0:0        ESP tunl [DH20][AES192][SHA384] 3600-sec 0-kb
FW2> show vpn tunnel
TnID Name       Gateway          Local Proxy IP       Ptl:Port   Remote Proxy IP      Ptl:Port    Proposals
1   VPNTunnel10 IKEGatewayTest1   0.0.0.0/0            0:0        0.0.0.0/0            0:0        ESP tunl [DH20][AES192][SHA512] 3600-sec 0-kb
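To compare the two `show vpn tunnel` outputs mechanically rather than by eye, the following added example (not part of this article or of PAN-OS) parses the Proposals column from each peer and reports every field that differs. It assumes the proposal format shown above (protocol, mode, three bracketed algorithms, lifetimes); the two outputs embedded below are constructed to mirror the FW1/FW2 rows.

```python
import re

# Constructed sample outputs, modelled on the `show vpn tunnel` rows above
# (not captured from a real firewall).
FW1_OUTPUT = """\
TnID Name        Gateway          Local Proxy IP  Ptl:Port  Remote Proxy IP  Ptl:Port  Proposals
1    VPNTunnel10 IKEGatewayTest1  0.0.0.0/0       0:0       0.0.0.0/0        0:0       ESP tunl [DH20][AES192][SHA384] 3600-sec 0-kb
"""
FW2_OUTPUT = """\
TnID Name        Gateway          Local Proxy IP  Ptl:Port  Remote Proxy IP  Ptl:Port  Proposals
1    VPNTunnel10 IKEGatewayTest1  0.0.0.0/0       0:0       0.0.0.0/0        0:0       ESP tunl [DH20][AES192][SHA512] 3600-sec 0-kb
"""

# Assumption: the Proposals column always carries exactly three bracketed
# values (DH group, encryption, authentication) followed by the two lifetimes,
# as in the output on this page. Header rows do not start with a digit and are skipped.
PROPOSAL_RE = re.compile(
    r"^\s*(?P<tnid>\d+)\s+(?P<name>\S+)\s+.*?"
    r"(?P<proto>ESP|AH)\s+(?P<mode>\S+)\s+"
    r"\[(?P<dh>[^\]]+)\]\[(?P<enc>[^\]]+)\]\[(?P<auth>[^\]]+)\]\s+"
    r"(?P<life_sec>\d+)-sec\s+(?P<life_kb>\d+)-kb",
    re.M,
)

def parse_tunnels(output):
    """Return {tunnel name: {field: value}} for each tunnel row in the output."""
    return {m["name"]: m.groupdict() for m in PROPOSAL_RE.finditer(output)}

def compare_peers(local_out, remote_out):
    """Return (tunnel, field, local value, remote value) for every mismatched field."""
    local, remote = parse_tunnels(local_out), parse_tunnels(remote_out)
    diffs = []
    for name in sorted(set(local) | set(remote)):
        if name not in local or name not in remote:
            # Tunnel defined on only one peer: report presence rather than fields.
            diffs.append((name, "present", name in local, name in remote))
            continue
        for field in ("proto", "mode", "dh", "enc", "auth", "life_sec", "life_kb"):
            if local[name][field] != remote[name][field]:
                diffs.append((name, field, local[name][field], remote[name][field]))
    return diffs

if __name__ == "__main__":
    for tunnel, field, l, r in compare_peers(FW1_OUTPUT, FW2_OUTPUT):
        print(f"{tunnel}: {field} mismatch (FW1={l}, FW2={r})")
```

On the sample above it reports the SHA384 vs. SHA512 authentication mismatch that produces the NO_PROPOSAL_CHOSEN notification; a matching DH group, cipher and lifetime on the same tunnel produce no output.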


System Logs
Navigate to Monitor > System Logs
Comparing System Logs for Phase 2 Authentication mismatch

Wireshark
Take a packet capture on both VPN peers and open them in Wireshark side by side.
Comparing Wireshark for Phase 2 Authentication mismatch
Note: This mismatch will not appear in Wireshark by default; you must have dump-level ikemgr logs from both VPN peers to decrypt the packets in Wireshark. This can be done using the steps here


ikemgr.log
Run the below command via CLI on both peers

>less mp-log ikemgr.log
2022-06-27 12:10:41 [ERR ]:  Proposal Unmatched.!
2022-06-27 12:10:41 [PWRN]: [IKEGatewayTest1:360] IKEv2 proposal doesn't match, please check crypto setting on both sides.
2022-06-27 12:10:41 [PERR]: no proposal chosen.
2022-06-27 12:11:40 [PWRN]: [IKEGatewayTest1:354] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.


Environment


  • PAN-OS
  • Palo Alto Networks firewall configured with IPSec VPN Tunnel


Cause


This issue occurs when the two VPN peers have a mismatch in the Phase 2 (IPSec Crypto Profile) Authentication algorithm.

Resolution


  1. Configure both sides of the VPN to use a matching Authentication algorithm
Comparing Authentication Phase 2 in Web UI matching
(If your VPN peer is a firewall from a different vendor, make the equivalent Phase 2 Authentication change on that firewall if it is the source of the mismatch)
  2. Perform a Commit
  3. Run the below commands a couple of times each on both VPN peer firewall CLIs so that the tunnel is freshly initiated and formed:
>clear vpn ike-sa gateway <name>
>clear vpn ipsec-sa tunnel <name>

