VPN Tunnel formation fails with "IKEv2 SA negotiation is failed likely due to pre-shared key mismatch" - Pre-shared Key mismatch
25754
Created On 08/02/22 20:52 PM - Last Modified 02/21/24 21:43 PM
Symptom
- VPN Tunnel not coming up or went down
- System Logs display the following logs
- "IKEv2 SA negotiation is failed likely due to pre-shared key mismatch"
- "IKE protocol notification message received: received notify type AUTHENTICATION_FAILED"
- "authentication failure"
Web UI: Navigate to Network > IKE Gateway > edit IKE Gateway > type Pre-shared Key
System Logs: Navigate to Monitor > System Logs
Wireshark: The pre-shared key is not visible in Wireshark; a capture only shows the IKEv2 exchange failing at authentication.
ikemgr.log: Run the command "less mp-log ikemgr.log" on both peers and look for the following errors:
2022-06-27 16:41:27.702 -0700 [PWRN]: { 1: }: [500] - [500]:0x55fd12d47780 received notify type AUTHENTICATION_FAILED
2022-06-27 16:41:25.697 -0700 [PERR]: { 1: }: [500] - [500]:0x7fe60c0240a0 authentication failure
2022-06-27 16:41:25.697 -0700 [INFO]: { 1: }: [500] - [500]:0x7fe60c0240a0 authentication result: failure
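The three ikemgr.log lines above are the indicators the article ties to a pre-shared key mismatch. The following Python script is an added example (not part of this article or of PAN-OS) that parses lines in that format and groups the matching messages by gateway, so that a log pulled from both peers can be scanned quickly. The sample log is constructed from the lines quoted above plus one extra healthy line; the field names (gateway id for the "{ 1: }" token, SA for the hexadecimal pointer) are the author's interpretation of the format, not documented PAN-OS terminology.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in ikemgr.log format: the three lines quoted in the article
# for gateway 1, plus one constructed success line for a second gateway.
SAMPLE_LOG = """\
2022-06-27 16:41:25.697 -0700 [PERR]: { 1: }: [500] - [500]:0x7fe60c0240a0 authentication failure
2022-06-27 16:41:25.697 -0700 [INFO]: { 1: }: [500] - [500]:0x7fe60c0240a0 authentication result: failure
2022-06-27 16:41:27.702 -0700 [PWRN]: { 1: }: [500] - [500]:0x55fd12d47780 received notify type AUTHENTICATION_FAILED
2022-06-27 16:41:30.001 -0700 [INFO]: { 2: }: [500] - [500]:0x55fd12d48000 authentication result: success
"""

# One ikemgr.log line: timestamp, level, "{ <gateway>: }", local/remote UDP ports,
# a hexadecimal SA pointer and the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"\[(?P<level>[A-Z]+)\]: "
    r"\{ (?P<gw>\d+): \}: "
    r"\[(?P<lport>\d+)\] - \[(?P<rport>\d+)\]:(?P<sa>0x[0-9a-f]+) "
    r"(?P<msg>.*)$"
)

# Message prefixes the article associates with a pre-shared key mismatch.
PSK_INDICATORS = (
    "received notify type AUTHENTICATION_FAILED",
    "authentication failure",
    "authentication result: failure",
)


@dataclass
class IkeEvent:
    ts: str
    level: str
    gateway: str
    sa: str
    msg: str


def parse_ikemgr(text):
    """Parse ikemgr.log text into IkeEvent records; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(IkeEvent(m["ts"], m["level"], m["gw"], m["sa"], m["msg"]))
    return events


def find_psk_mismatch_candidates(text):
    """Return {gateway_id: [events]} for gateways whose log shows the mismatch indicators."""
    hits = defaultdict(list)
    for ev in parse_ikemgr(text):
        if any(ev.msg.startswith(ind) for ind in PSK_INDICATORS):
            hits[ev.gateway].append(ev)
    return dict(hits)


def report(text):
    """Human-readable summary, one line per affected gateway."""
    lines = []
    for gw, evs in sorted(find_psk_mismatch_candidates(text).items()):
        first, last = evs[0].ts, evs[-1].ts
        lines.append(f"gateway {gw}: {len(evs)} authentication failure indicator(s) "
                     f"between {first} and {last}; check the pre-shared key on both peers")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against the output of "less mp-log ikemgr.log" saved from each peer; a gateway that appears in the report on both sides with these messages is the one whose pre-shared key should be re-entered as described under Resolution.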
Environment
- Palo Alto Firewalls
- Supported PAN-OS
- IPSec VPN Tunnel
Cause
This issue occurs when the pre-shared key configured on the two VPN peers does not match.
Resolution
- Configure both sides of the VPN with a matching pre-shared key.
- Delete the existing pre-shared key on both firewalls.
- Retype the pre-shared key on both firewalls (it is case sensitive).
- Alternatively, type the pre-shared key into a plain-text editor such as Notepad and copy/paste it into the Web UI or CLI of both firewalls.
- Perform a commit.
- Run the commands below a couple of times each on the CLI of both VPN peer firewalls so that they freshly initiate and form the tunnel:
>clear vpn ike-sa gateway <name>
>clear vpn ipsec-sa tunnel <name>
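The retype step above works because the usual causes of a mismatch are a case difference, stray whitespace, or a character altered by copy/paste. The Python helper below is an added example (not from this article or from PAN-OS) that two administrators can run locally on the key they intend to paste: it prints a short fingerprint to compare over the phone without reading the key aloud, and, given both candidate strings, names which of those common differences is present. Function names and the sample keys are constructed for the example.

```python
import hashlib
import unicodedata


def psk_fingerprint(psk: str) -> str:
    """Short SHA-256 fingerprint of the key, so both sides can confirm they hold the
    same string without disclosing it (compare fingerprints, never the key)."""
    return hashlib.sha256(psk.encode("utf-8")).hexdigest()[:16]


def suspicious_chars(psk: str):
    """Characters that commonly sneak in via copy/paste from a word processor or
    web page: non-ASCII (smart quotes, non-breaking spaces) and control characters."""
    return [c for c in psk if not c.isascii() or unicodedata.category(c).startswith("C")]


def diagnose_psk_pair(local: str, remote: str) -> str:
    """Explain why two pre-shared key strings differ, in the order an admin should check."""
    if local == remote:
        return "match"
    if local.strip() == remote.strip():
        return "leading/trailing whitespace differs"
    if local.lower() == remote.lower():
        return "case differs (pre-shared keys are case sensitive)"
    if unicodedata.normalize("NFKC", local) == unicodedata.normalize("NFKC", remote):
        return "unicode normalization differs (same text, different code points)"
    if suspicious_chars(local) or suspicious_chars(remote):
        return "non-ASCII or control characters present (likely copy/paste from a word processor)"
    return "keys differ"


if __name__ == "__main__":
    # Constructed sample keys, not real credentials.
    pairs = [
        ("Tunnel-Key-2022", "Tunnel-Key-2022"),
        ("Tunnel-Key-2022", "tunnel-key-2022"),
        ("Tunnel-Key-2022 ", "Tunnel-Key-2022"),
        ("Tunnel\u2019Key", "Tunnel'Key"),
    ]
    for local, remote in pairs:
        print(psk_fingerprint(local), psk_fingerprint(remote), diagnose_psk_pair(local, remote))
```

Only the fingerprints need to be exchanged between the two sites; if they differ, each side runs the diagnosis against the string it is about to paste and the string the other side reports, then re-enters the key as the Resolution steps describe.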