IPSec Error: IKE Phase-1 Negotiation is Failed as Initiator, Main Mode. Due to Negotiation Timeout

Issue

Phase 1 Negotiation between IPSec Peer and PAN is being identified as "LAND attack". Receiving the following error entry in the Ikemgr.log:

IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: 216.204.241.93[500]-216.203.80.108[500] message id:0x43D098BB. Due to negotiation timeout.

Details

If the Proxy IDs have been checked for mismatch, try the following:

1. Configure a filter source peer WAN IP to destination Palo Alto Networks WAN IP
   > debug dataplane packet-diag set filter match source x.x.x.x destination y.y.y.y
    
2. Turn on the filter.
   > debug dataplane packet-diag set filter on
    
3. Initiate a ping in the reverse path. On a remote machine behind the VPN Peer, ping across the VPN tunnel to a host behind the PAN Firewall.
   From a host on the remote peer network try to ping a host on the local network behind the PAN Firewall (w.w.w.w)
   c:\> ping w.w.w.w
   
   This should cause the tunnel to be created, and initiate a new Phase1 IPSec negotiation.
    
4. Run the following command a couple of times:
   > show counter global filter delta yes packet-filter yes

Look for drops in the output. For example:

Global counters:

Elapsed time since last sampling: 1.481 seconds

name                      value  rate  severity  category  aspect    description

-----------------------------------------------------------------------------------------

session_allocated         1      0     info      session   resource  Sessions allocated

session_freed             1      0     info      session   resource  Sessions freed

flow_policy_nat_land      1      0     drop      flow      session   Session setup: source NAT IP allocation result in LAND attack

nat_dynamic_port_xlat     1      0     info      nat       resource  The total number of dynamic_ip_port NAT translate called

nat_dynamic_port_release  1      0     info      nat       resource  The total number of dynamic_ip_port NAT release called

-----------------------------------------------------------------------------------------

Total counters shown: 5

-----------------------------------------------------------------------------------------

Resolution

In this case, the 'flow_policy_nat_land' global counter is showing a 'drop', indicating a configuration issue causing the traffic to be dropped, causing this "timeout" error.

In the order to resolve the LAND attack, see: Misconfigured Source NAT and LAND attacks

owner: vvasilasco