https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-tunnel-not-working/m-p/535393#M1064 <P>I think <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a> suggested to you to switch the responder to be Palo Alto.</P> <P>&nbsp;</P> <H1 class="slds-text-heading_large">How to make Palo Alto Networks firewalls Responder-only in an IPSec tunnel</H1> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMZCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMZCA0</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>You will have to do some investigations or debugs like after making Palo Alto responder if the error is not clear to enable IKE debug or check for global counter drops or packet captures if the traffic is even reaching the Palo Alto firewall at all or if a security policy on Palo Alto is dropping it:</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC</A></P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcKCAS" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcKCAS</A></P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PORsCAO" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PORsCAO</A></P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-rejects-discards/td-p/402102" target="_blank">https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-rejects-discards/td-p/402102</A></P> <P>&nbsp;</P> Wed, 22 Mar 2023 12:00:11 GMT nikoolayy1 2023-03-22T12:00:11Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-tunnel-not-working/m-p/535303#M1056 <P>Hi..</P> <P>I have IPSec tunnel between Palo alto 820 and Cyberoam firewall. But It's not getting up. Neither Phase 1 nor Phase 2. Even I am not reachable to other end public ip. Suggest me.&nbsp;</P> Wed, 22 Mar 2023 05:33:32 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-tunnel-not-working/m-p/535303#M1056 HitendraP 2023-03-22T05:33:32Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-tunnel-not-working/m-p/535306#M1057 <P>Initiate vpn from&nbsp;<SPAN>Cyberoam&nbsp;side towards Palo.</SPAN></P> <P><SPAN>Do you see any sessions from Cyberoam&nbsp;public IP in "Monitor &gt; Traffic" or "Monitor &gt; Session Browser" on Palo side?</SPAN></P> <P><SPAN>If yes check "Monitor &gt; System" and use filter below. Do you see any errors that might reveal why tunnel don't come up?</SPAN></P> <P><SPAN>( subtype eq vpn )</SPAN></P> <P>&nbsp;</P> Wed, 22 Mar 2023 05:41:04 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-tunnel-not-working/m-p/535306#M1057 Raido_Rattameister 2023-03-22T05:41:04Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-tunnel-not-working/m-p/535315#M1058 <P>Found this error in System log -&nbsp; &nbsp;IKE phase-1 negotiation is failed as initiator, main mode.</P> Wed, 22 Mar 2023 06:33:39 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-tunnel-not-working/m-p/535315#M1058 HitendraP 2023-03-22T06:33:39Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-tunnel-not-working/m-p/535316#M1059 <P>This error is not helpful as if Palo is "<SPAN>initiator" then you need to check logs at&nbsp;Cyberoam&nbsp;side.</SPAN></P> <P><SPAN>Only recipient side will know why connection failed. Recipient will not share failure reason with initiator.</SPAN></P> <P><SPAN>If you want to analyze logs from Palo side you need to initiate connection from&nbsp;Cyberoam towards Palo..</SPAN></P> Wed, 22 Mar 2023 06:36:49 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-tunnel-not-working/m-p/535316#M1059 Raido_Rattameister 2023-03-22T06:36:49Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-tunnel-not-working/m-p/535339#M1060 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="HitendraP_0-1679473675146.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48940i1C8B964C4EF5A89B/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="HitendraP_0-1679473675146.png" alt="HitendraP_0-1679473675146.png" /></span></P> <P>Error from Cyberoam firewall</P> Wed, 22 Mar 2023 08:28:18 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-tunnel-not-working/m-p/535339#M1060 HitendraP 2023-03-22T08:28:18Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-tunnel-not-working/m-p/535393#M1064 <P>I think <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a> suggested to you to switch the responder to be Palo Alto.</P> <P>&nbsp;</P> <H1 class="slds-text-heading_large">How to make Palo Alto Networks firewalls Responder-only in an IPSec tunnel</H1> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMZCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMZCA0</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>You will have to do some investigations or debugs like after making Palo Alto responder if the error is not clear to enable IKE debug or check for global counter drops or packet captures if the traffic is even reaching the Palo Alto firewall at all or if a security policy on Palo Alto is dropping it:</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC</A></P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcKCAS" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcKCAS</A></P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PORsCAO" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PORsCAO</A></P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-rejects-discards/td-p/402102" target="_blank">https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-rejects-discards/td-p/402102</A></P> <P>&nbsp;</P> Wed, 22 Mar 2023 12:00:11 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-tunnel-not-working/m-p/535393#M1064 nikoolayy1 2023-03-22T12:00:11Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-tunnel-not-working/m-p/535397#M1065 <P>Does&nbsp;<SPAN>Cyberoam&nbsp;have 1 or more WAN IPs?</SPAN></P> <P>&nbsp;</P> <P>According to&nbsp;<A href="https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/LogMessages.html" target="_blank" rel="noopener">https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/LogMessages.html</A>&nbsp;error message&nbsp;<SPAN>17842 shows success (&lt;connectionname&gt;, EST-P1-MM: Response to establishment request from &lt;peeris&gt; peer &lt;peerrequesterip&gt; successful) and error&nbsp;17856 seems to mean that&nbsp;Cyberoam&nbsp;replied but did not get any answer after that (&lt;connectionname&gt;, EST-P1: max number of retransmissions &lt;count&gt; reached STATE_MAIN_I1. No response (or no acceptable response) to first IKE message.).</SPAN></P> <P>&nbsp;</P> <P>So first suspicion is that Palo sends IKE packet to&nbsp;<SPAN>Cyberoam&nbsp;WAN IP1 and&nbsp;Cyberoam&nbsp;replies to Palo from WAN IP2.</SPAN></P> <P><SPAN>If this is the case then you need static route in&nbsp;Cyberoam&nbsp;to send return packets from WAN IP1 to Palo.</SPAN></P> <P>&nbsp;</P> <P><SPAN>If&nbsp;Cyberoam&nbsp; don't have 2 IPs then check that Palo firewall policy permits incoming IPSec traffic from&nbsp;Cyberoam&nbsp;IP and would not drop those packets.</SPAN></P> Wed, 22 Mar 2023 12:26:46 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-tunnel-not-working/m-p/535397#M1065 Raido_Rattameister 2023-03-22T12:26:46Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-tunnel-not-working/m-p/535530#M1076 <P>Hi;<BR />On Monitor &gt; Traffic, check if you have any deny traffic from/to public IP address of the remote site. <BR />When it's about phase 1 of IPsec, most of the time is about IKE parameters or the traffic is may be denied somewhere</P> Thu, 23 Mar 2023 08:51:10 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-tunnel-not-working/m-p/535530#M1076 LACOUSTICS 2023-03-23T08:51:10Z