https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-negotiation-is-failed-as-initiator-quick-mode/m-p/16132#M11779 <HTML><HEAD></HEAD><BODY><P>To add to Jdelio's response, seems PA is initiator in your output. You should be checking on the responder side. Always the responder side will usually show what is failing. If you do not have access to responder IKE peer, then I would suggest to have remote side be the initiator of the tunnel and then check PA side logs to see what is failing. </P><P></P><P>Most common phase-2 failure is due to proxy-id mismatch. That would be first thing I would check. Also check IPSec crypto to ensure that proposals match on both sides.</P><P></P><P>-Richard</P></BODY></HTML> Fri, 27 Jan 2012 06:39:10 GMT Retired Member 2012-01-27T06:39:10Z https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-negotiation-is-failed-as-initiator-quick-mode/m-p/16130#M11777 <HTML><HEAD></HEAD><BODY><P>Could someone clarify this error message?</P><P></P><P>IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA:&nbsp; 216.204.241.93[500]-216.203.80.108[500] message id:0x43D098BB. Due to&nbsp; negotiation timeout</P><P></P><P>Thanks</P></BODY></HTML> Thu, 26 Jan 2012 14:56:57 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-negotiation-is-failed-as-initiator-quick-mode/m-p/16130#M11777 LCMember1607 2012-01-26T14:56:57Z https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-negotiation-is-failed-as-initiator-quick-mode/m-p/16131#M11778 <HTML><HEAD></HEAD><BODY><P>This error means that Phase 2, IKE negotiation is timing out on UDP 500.</P><P>Now, there can be many causes, but here are a couple of things to check.</P><P></P><P>1. Make sure that your UDP timeout is not dropping the connections before they can reply.. increasing your UDP timeout by 30 seconds.</P><P></P><P>2. Make sure that your rules are not blocking your traffic. Check Monitor for dropped traffic.</P><P></P><P>3. Check with your peer, see if they are getting any of the phase 2 communication.</P><P></P><P>Past this, if you are not getting any where,&nbsp; Please open up a support case by logging into support.paloaltonetworks.com or calling in at +1-866-898-9087</P></BODY></HTML> Thu, 26 Jan 2012 23:10:27 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-negotiation-is-failed-as-initiator-quick-mode/m-p/16131#M11778 jdelio 2012-01-26T23:10:27Z https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-negotiation-is-failed-as-initiator-quick-mode/m-p/16132#M11779 <HTML><HEAD></HEAD><BODY><P>To add to Jdelio's response, seems PA is initiator in your output. You should be checking on the responder side. Always the responder side will usually show what is failing. If you do not have access to responder IKE peer, then I would suggest to have remote side be the initiator of the tunnel and then check PA side logs to see what is failing. </P><P></P><P>Most common phase-2 failure is due to proxy-id mismatch. That would be first thing I would check. Also check IPSec crypto to ensure that proposals match on both sides.</P><P></P><P>-Richard</P></BODY></HTML> Fri, 27 Jan 2012 06:39:10 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-negotiation-is-failed-as-initiator-quick-mode/m-p/16132#M11779 Retired Member 2012-01-27T06:39:10Z https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-negotiation-is-failed-as-initiator-quick-mode/m-p/16133#M11780 <HTML><HEAD></HEAD><BODY><P> Thanks Guys, Proxies it was.</P></BODY></HTML> Fri, 27 Jan 2012 14:40:10 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-negotiation-is-failed-as-initiator-quick-mode/m-p/16133#M11780 LCMember1607 2012-01-27T14:40:10Z