https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/513338#M106643 <P>hi, is fqdn must be in format&nbsp;<SPAN>Name.Domain.Com or i can put IP address ??&nbsp;</SPAN></P> Tue, 30 Aug 2022 07:02:15 GMT mhm_ameen 2022-08-30T07:02:15Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217511#M62924 <P>Hi,&nbsp;</P><P>&nbsp;</P><P>I have an IPSec tunnel up and running with no issues using a staic IP for the peer in the IKE gateway, but it won't work when&nbsp; I set it to Dynamic and use the FQDN (hostname).</P><P>&nbsp;</P><P>When I ping from the command line it translates to the correct IP, and replies with no issue, but the tunnel will not come up.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Are there some FQDN or DNS settings I need to change or is there a way to verify it works? Or am I putting the FQDN in using an incorrect format? ( name.domain.com )</P><P>&nbsp;</P><P>Thanks.&nbsp;</P> Tue, 12 Jun 2018 13:19:13 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217511#M62924 StephenJennings 2018-06-12T13:19:13Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217528#M62927 <P>Hi Stephen,</P><P>&nbsp;</P><P>Has "local/peer identification" been configured on the peer device with the matching confgiuration?</P><P>&nbsp;</P><P>What error messages do you see in the system logs when attempting to use FQDN?</P><P>&nbsp;</P><P>Thanks,</P><P>Luke.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Jun 2018 13:42:53 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217528#M62927 LukeBullimore 2018-06-12T13:42:53Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217540#M62930 <P>Hi, thanks for helping.</P><P>&nbsp;</P><P>The other side is configured and working when I use the staic IP, but not when I use FQDN. That's the only change.</P><P>&nbsp;</P><P>And the logs say "ikev2 ike sa negotiation is failed as initiator non-rekey"</P> Tue, 12 Jun 2018 14:23:38 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217540#M62930 StephenJennings 2018-06-12T14:23:38Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217542#M62931 <P>Hi,</P><P>&nbsp;</P><P>When you say you "use FQDN" please confirm if you you have an FQDN in the "local/peer identifdication"? of the IKE gateway? If yes: local/peer identification will need to be configured on peer end.</P><P>&nbsp;</P><P>If it does not work after configuring this, could you ascertain detailed logs from:</P><P>&nbsp;</P><P>&gt;tail follow yes mp-log ikemgr.log</P><P>&nbsp;</P><P>Thanks,</P><P>Luke.</P><P>&nbsp;</P> Tue, 12 Jun 2018 14:27:15 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217542#M62931 LukeBullimore 2018-06-12T14:27:15Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217543#M62932 <P>You do not mention it specifically in your question, but take note - only one side of an IPSEC tunnel can be dynamic.</P> Tue, 12 Jun 2018 14:30:53 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217543#M62932 JoeAndreini 2018-06-12T14:30:53Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217548#M62935 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/91132">@StephenJennings</a>,</P><P>I think your issue is what&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/52796">@LukeBullimore</a>&nbsp;is getting at. When you configure the initiator or the responder to use FQDN in the peer identification it really doesn't matter what you put here as long as it matches. I can configure the Peer Identification as FQDN with the value 'SEN19' on my responder as long as my initiator has the local identification as FQDN and matches 'SEN19'. If these values don't match this will fail. The FQDN you enter doesn't matter at all, as long as the configured FQDN value matches on either end it doesn't need to resolve to anything or be the actual hostname of the device.&nbsp;</P><P>&nbsp;</P> Tue, 12 Jun 2018 15:23:50 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217548#M62935 BPry 2018-06-12T15:23:50Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217553#M62939 <P>Hey, thanks.</P><P>&nbsp;</P><P>On the IKE Gateway I've selcted Peer Type Dynamic, and the Peer Identification as FQDN (Houstname) Name.Domain.Com.</P><P>&nbsp;</P><P>Is there somewhere else I need to enter the FQDN on the Palo Alto, or do I need to make a change on the peer device?</P> Tue, 12 Jun 2018 15:46:00 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217553#M62939 StephenJennings 2018-06-12T15:46:00Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217587#M62942 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/91132">@StephenJennings</a>,</P><P>The peer device needs to have it's local identification set as FQDN as Name.Domain.Com.&nbsp;</P> Tue, 12 Jun 2018 18:31:12 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217587#M62942 BPry 2018-06-12T18:31:12Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217589#M62944 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/91132">@StephenJennings</a>,</P><P>Essentially how it works is&nbsp;one will have the Local Identification set as FQDN with whatever FQDN value you are setting, then the peer to that would need the&nbsp;<EM>Peer Identification</EM> set as FQDN with whatever FQDN value you setup above. These values&nbsp;<STRONG>must</STRONG> match.&nbsp;</P> Tue, 12 Jun 2018 18:33:36 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217589#M62944 BPry 2018-06-12T18:33:36Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217672#M62952 <P>Thanks, that was it.</P> Wed, 13 Jun 2018 06:54:41 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/217672#M62952 StephenJennings 2018-06-13T06:54:41Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/513338#M106643 <P>hi, is fqdn must be in format&nbsp;<SPAN>Name.Domain.Com or i can put IP address ??&nbsp;</SPAN></P> Tue, 30 Aug 2022 07:02:15 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-works-with-static-peer-but-not-with-dynamic-fqdn/m-p/513338#M106643 mhm_ameen 2022-08-30T07:02:15Z