https://live.paloaltonetworks.com/t5/general-topics/unable-to-connect-ipsec-vpn-tunnel/m-p/521703#M108096 <P>Need assistance to connect a VPN IPSec Tunnel between PA and Cisco 4300 Series. Everything seems to be configured on both sides, but when I check logs on the PA-CLI, it shows this log:</P> <P>&nbsp;</P> <P><SPAN>IPsec-SA request for 150.220.213.178 queued since no phase1 found</SPAN><BR /><SPAN>2022-11-17 10:49:19.353 -0600 [PNTF]: { 1: }: ====&gt; PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE &lt;====</SPAN><BR /><SPAN>====&gt; Initiated SA: 70.248.29.2[500]-150.220.213.178[500] cookie:e70d77589b7877bb:0000000000</SPAN></P> <P>&nbsp;</P> <P><SPAN>Where Do I check for Phase 1? I think it is the IKE Gateways, which it is already configured.&nbsp;</SPAN></P> Fri, 18 Nov 2022 15:42:31 GMT yjimenez 2022-11-18T15:42:31Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-connect-ipsec-vpn-tunnel/m-p/521703#M108096 <P>Need assistance to connect a VPN IPSec Tunnel between PA and Cisco 4300 Series. Everything seems to be configured on both sides, but when I check logs on the PA-CLI, it shows this log:</P> <P>&nbsp;</P> <P><SPAN>IPsec-SA request for 150.220.213.178 queued since no phase1 found</SPAN><BR /><SPAN>2022-11-17 10:49:19.353 -0600 [PNTF]: { 1: }: ====&gt; PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE &lt;====</SPAN><BR /><SPAN>====&gt; Initiated SA: 70.248.29.2[500]-150.220.213.178[500] cookie:e70d77589b7877bb:0000000000</SPAN></P> <P>&nbsp;</P> <P><SPAN>Where Do I check for Phase 1? I think it is the IKE Gateways, which it is already configured.&nbsp;</SPAN></P> Fri, 18 Nov 2022 15:42:31 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-connect-ipsec-vpn-tunnel/m-p/521703#M108096 yjimenez 2022-11-18T15:42:31Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-connect-ipsec-vpn-tunnel/m-p/521740#M108105 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/255864">@yjimenez</a></P> <P>&nbsp;</P> <P>thanks for posting in LIVEcommunity!</P> <P>&nbsp;</P> <P>To me this looks like standard log when Firewall initiates phase 1 to remove peer. The fact that this says: "<SPAN>queued since no phase1 found</SPAN>" indicates this is a new session rather than configuration is missing. Is there any further log after this entry? If there is a response, then there should be logs indicating what phase 1 parameters were received from remote peer. If there is no response or traffic is blocked in between, this log entry will be repeated as PA tries to establish phase 1.</P> <P>&nbsp;</P> <P>Regarding your question, yes the phase 1 configuration is under: "IKE Gateways".</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> <P>&nbsp;</P> Fri, 18 Nov 2022 21:11:54 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-connect-ipsec-vpn-tunnel/m-p/521740#M108105 PavelK 2022-11-18T21:11:54Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-connect-ipsec-vpn-tunnel/m-p/521743#M108107 <P>Hello,</P> <P>Also Cisco devices dont tend to bring up VPN tunnels unless told to do so, ie sending traffic, etc. I would try to ping something from one side of the tunnel to the other and see what happens.</P> <P>Regards,</P> Fri, 18 Nov 2022 22:01:04 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-connect-ipsec-vpn-tunnel/m-p/521743#M108107 OtakarKlier 2022-11-18T22:01:04Z