https://live.paloaltonetworks.com/t5/general-topics/issues-without-using-proxy-ids-on-ipsec-tunnel/m-p/555107#M112756 <P>Hi Team</P> <P>Any help in understanding what could have caused this issue?</P> Thu, 24 Aug 2023 16:37:27 GMT UtkarshKumar 2023-08-24T16:37:27Z https://live.paloaltonetworks.com/t5/general-topics/issues-without-using-proxy-ids-on-ipsec-tunnel/m-p/552825#M112453 <P>We are running into issues with VPN when we chose not to use PROXY ids between two PA firewalls.</P> <P>We see it works fine when we add the proxy ids, but we shouldn't need to if both of them are Palo Alto, isn't it?</P> <P>We see phase 2 keeps failing and the tunnel would not come up.</P> <P>"IKE phase-2 negotiation failed when processing proxy ID. Cannot find matching phase-2 tunnel for received proxy ID..."</P> <P>We have already tried disabling the gateways, deleting and recreating the gateway as well as the tunnel again&nbsp; - doesn't help either.&nbsp;</P> <P>Made sure there were no stale sessions still existing.</P> <P>We lastly also tried to upgrade to the preferred version&nbsp;<SPAN>10.1.10-h1 - and we still see the same behavior.</SPAN></P> <P><SPAN>Any help or suggestions are appreciated. TIA&nbsp;</SPAN></P> <P><SPAN><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/226122">@Didar_Bajwa</a>&nbsp;</SPAN></P> Mon, 07 Aug 2023 23:39:26 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-without-using-proxy-ids-on-ipsec-tunnel/m-p/552825#M112453 Param_Upadhyay 2023-08-07T23:39:26Z https://live.paloaltonetworks.com/t5/general-topics/issues-without-using-proxy-ids-on-ipsec-tunnel/m-p/552935#M112466 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/220048">@Param_Upadhyay</a>,</P> <P>You cut out the most important part from a troubleshooting aspect; what does that error say the received local id and received remote id are?&nbsp;</P> Tue, 08 Aug 2023 13:20:57 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-without-using-proxy-ids-on-ipsec-tunnel/m-p/552935#M112466 BPry 2023-08-08T13:20:57Z https://live.paloaltonetworks.com/t5/general-topics/issues-without-using-proxy-ids-on-ipsec-tunnel/m-p/552965#M112474 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp; The only error we see is:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="UtkarshKumar_0-1691514325858.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52601i5CFF8ED2D378AE1B/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="UtkarshKumar_0-1691514325858.png" alt="UtkarshKumar_0-1691514325858.png" /></span></P> <P>The strange part is as soon as we put in the Proxy ID on both the PA firewall tunnel comes up correctly with no issues. If we remove the proxy Phase-2 fails and we see Local ID and Remote ID still the same. We have already deleted the IKE gateway and IPSEC tunnel as well completely but still once we try and build the tunnel without proxy Phase-2 fails with same error.<BR /><BR />Customer has also upgraded the software version to&nbsp;<SPAN>10.1.10-h1.</SPAN></P> Tue, 08 Aug 2023 17:10:07 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-without-using-proxy-ids-on-ipsec-tunnel/m-p/552965#M112474 UtkarshKumar 2023-08-08T17:10:07Z https://live.paloaltonetworks.com/t5/general-topics/issues-without-using-proxy-ids-on-ipsec-tunnel/m-p/553516#M112542 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp; If you could please review this and help us here. Thanks</P> Fri, 11 Aug 2023 19:32:32 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-without-using-proxy-ids-on-ipsec-tunnel/m-p/553516#M112542 Param_Upadhyay 2023-08-11T19:32:32Z https://live.paloaltonetworks.com/t5/general-topics/issues-without-using-proxy-ids-on-ipsec-tunnel/m-p/553654#M112561 <P>Any Help?</P> <P>&nbsp;</P> <P>We have also rebooted a couple of times but still same</P> Mon, 14 Aug 2023 16:39:05 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-without-using-proxy-ids-on-ipsec-tunnel/m-p/553654#M112561 UtkarshKumar 2023-08-14T16:39:05Z https://live.paloaltonetworks.com/t5/general-topics/issues-without-using-proxy-ids-on-ipsec-tunnel/m-p/555107#M112756 <P>Hi Team</P> <P>Any help in understanding what could have caused this issue?</P> Thu, 24 Aug 2023 16:37:27 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-without-using-proxy-ids-on-ipsec-tunnel/m-p/555107#M112756 UtkarshKumar 2023-08-24T16:37:27Z https://live.paloaltonetworks.com/t5/general-topics/issues-without-using-proxy-ids-on-ipsec-tunnel/m-p/555435#M112823 <P>Could you show us the ipsec configurations of both sides? Because the screenshot you showed actually means that there are proxy IDs configured and because of that your firewall is not able to find a matching entry. If the tunnel is only built up in the direction from your customer to you, then your proxy IDs can be empty as your firewall will accept any entry (as long there is only one. If there are more then you will have issues as the tunnel changes over and over).</P> Sun, 27 Aug 2023 07:08:08 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-without-using-proxy-ids-on-ipsec-tunnel/m-p/555435#M112823 Remo 2023-08-27T07:08:08Z https://live.paloaltonetworks.com/t5/general-topics/issues-without-using-proxy-ids-on-ipsec-tunnel/m-p/555603#M112851 <P>Does the P2 makes match in both FW? Can I see your configuration in both sides?&nbsp;</P> Tue, 29 Aug 2023 02:14:06 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-without-using-proxy-ids-on-ipsec-tunnel/m-p/555603#M112851 CesarSanchez 2023-08-29T02:14:06Z