How to troubleshoot IPSec VPN Tunnel Down

85463
Created On 08/08/22 19:10 PM - Last Modified 10/30/23 21:43 PM


Objective


To resolve mismatches and/or misconfigurations for an IPSec VPN Tunnel

Environment


  • PAN-OS
  • Palo Alto Networks firewall configured with IPSec VPN Tunnel


Procedure


  1. If you see the System Log "<IKEGateway> unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings":
     • Go to Network > IKE Crypto Profile > Encryption and verify the Encryption algorithm for Phase 1 is set to the same as the VPN peer's.
       Detailed steps here: Encryption Phase 1 Mismatch
     • Go to Network > IKE Crypto Profile > Authentication and verify the Authentication algorithm for Phase 1 is set to the same as the VPN peer's.
       Detailed steps here: Authentication Phase 1 Mismatch
     • Go to Network > IKE Crypto Profile > DH Group and verify the DH Group for Phase 1 is set to the same as the VPN peer's.
       Detailed steps here: DH Group Phase 1 Mismatch
  2. If you see the System Log "received notify type NO_PROPOSAL_CHOSEN" and/or "message lacks IDr payload":
     • Go to Network > IPSec Crypto Profile > Encryption and verify the Encryption algorithm for Phase 2 is set to the same as the VPN peer's.
       Detailed steps here: Encryption Phase 2 Mismatch
     • Go to Network > IPSec Crypto Profile > Authentication and verify the Authentication algorithm for Phase 2 is set to the same as the VPN peer's.
       Detailed steps here: Authentication Phase 2 Mismatch
  3. If you see the System Log "IKEv2 child SA negotiation is failed received KE type %d, expected %d":
     • Go to Network > IPSec Crypto Profile > DH Group and verify the DH Group for Phase 2 is set to the same as the VPN peer's.
       Detailed steps here: DH Group Phase 2 Mismatch
  4. If you see the System Log "IKEv2 SA negotiation is failed likely due to pre-shared key mismatch" or "IKE protocol notification message received: received notify type AUTHENTICATION_FAILED":
     • Go to Network > IKE Gateway > edit IKE Gateway > Pre-shared Key and verify the Pre-shared Key is exactly the same as the VPN peer's pre-shared key.
       Detailed steps here: Pre-shared Key Mismatch
  5. If you see the System Log "IKE protocol notification message received: received notify type TS_UNACCEPTABLE" or "IKEv2 child SA negotiation failed when processing traffic selector. cannot find matching IPSec tunnel for received traffic selector":
     • Go to Network > IPSec Tunnels > edit IPSec Tunnel > Proxy IDs and verify that each Proxy ID entry is an exact mirror (opposite) of the Proxy ID entry on the VPN peer.
       Note: Proxy IDs are also known as 'Traffic Selectors'.
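The procedure above is a mapping from log message to the setting to verify. The script below is an added example (not part of this article or of PAN-OS) that applies that mapping to exported System Log or ikemgr.log lines and counts which check each line points to; the gateway name "gw-branch1", the peer IP and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Message fragments quoted in the procedure above, paired with the setting to
# verify. Regexes are used so the "%d" placeholders in the KE-type message
# match the real numbers that appear in a live log.
CHECKS = [
    (r"unauthenticated NO_PROPOSAL_CHOSEN received",
     "Phase 1 mismatch: Network > IKE Crypto Profile (Encryption / Authentication / DH Group)"),
    (r"IKEv2 child SA negotiation is failed received KE type \d+, expected \d+",
     "Phase 2 DH Group mismatch: Network > IPSec Crypto Profile > DH Group"),
    (r"received notify type NO_PROPOSAL_CHOSEN|message lacks IDr payload",
     "Phase 2 mismatch: Network > IPSec Crypto Profile (Encryption / Authentication)"),
    (r"likely due to pre-shared key mismatch|received notify type AUTHENTICATION_FAILED",
     "Pre-shared key mismatch: Network > IKE Gateway > Pre-shared Key"),
    (r"received notify type TS_UNACCEPTABLE|cannot find matching IPSec tunnel for received traffic selector",
     "Proxy ID mismatch: Network > IPSec Tunnels > Proxy IDs (must mirror the peer's)"),
]

def classify(line):
    """Return the check a single log line points to, or None if no known message matches."""
    for pattern, check in CHECKS:
        if re.search(pattern, line):
            return check
    return None

def triage(lines):
    """Return (hits, unmatched): a Counter of checks and the lines no pattern recognised."""
    hits = Counter()
    unmatched = []
    for line in lines:
        check = classify(line)
        if check:
            hits[check] += 1
        else:
            unmatched.append(line)
    return hits, unmatched

# Constructed sample lines (hypothetical gateway "gw-branch1" and peer 203.0.113.10);
# not copied from a real firewall.
SAMPLE_LOG = [
    "IKE daemon: gw-branch1 unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings",
    "IKE daemon: gw-branch1 IKEv2 child SA negotiation is failed received KE type 14, expected 2",
    "IKE daemon: gw-branch1 IKEv2 child SA negotiation is failed received KE type 14, expected 2",
    "IKE daemon: gw-branch1 IKE protocol notification message received: received notify type TS_UNACCEPTABLE",
    "ikemgr: gw-branch1 DPD received from 203.0.113.10",
]

if __name__ == "__main__":
    hits, unmatched = triage(SAMPLE_LOG)
    for check, count in hits.most_common():
        print(f"{count}x  {check}")
    for line in unmatched:
        print("no match:", line)
```

The most frequent check is the first thing to compare against the peer; lines in `unmatched` are not covered by this article and need a manual look.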


Additional Information


In most cases, the following quick 4-step process helps you identify, diagnose, and resolve an IPSec VPN Tunnel issue:
  • Navigate to Monitor > System Logs and look for error(s) related to IKE, IPSec, or VPN.
  • From the CLI, run > less mp-log ikemgr.log and look for the specific error(s) related to the failure.
  • Use CLI show commands to look for the error or misconfiguration.
  • Navigate to Monitor > Packet Capture and take a pcap filtered by UDP 500 for the two VPN peer IPs; download and open it in Wireshark and review the UDP 500 packets to see which parameters are being negotiated, then identify the mismatch or incorrect configuration from there.

Also check HOW TO TROUBLESHOOT IPSEC VPN CONNECTIVITY ISSUES

If your case does not match any of the cases mentioned in this article, refer to Resource List: IPSec Configuring and Troubleshooting or contact our technical support team.
