topic Re: IPSec VPN not getting any response from peer in General Topics

IPSec VPN not getting any response from peer

christophe.guengant — Wed, 21 May 2025 20:49:07 GMT

Hello,

i'm having a weird problem with an IPSec VPN on my Palo Alto.

This morning tunnel was working fine, but after mistakenly denying ike and ipsec requests on my firewall, the VPN went down. I obviously did a quick rollback and peer IP is now allowed to request IPSec and IKE.

However the VPN won't go up again (other VPN with similar configurations did go UP again).

I can ping the peer ip from my Palo Alto IPSec interface (x.175.253.123).

I also did packet capture and i can see that i receive IKE requests from peer (x.151.254.90) :

The palo alto logs only show my gateway is sending negociation requests but gets no responder state in return :

VPN configuration is similar on both sides, no configuration changes were made on VPN at anytime. But i did check, just in case and everything is configured as i should be on both sides.

I tried every debug command i can find, without any result. It seems the vpn isn't listening anymore. Can someone help me understand why ?

Also, in traffic logs, i can't see IKE or IPSec traffic between both gateways. I can't figure why. Traffic rule exists and is logged at start and end of session.

Re: IPSec VPN not getting any response from peer

JayGolf — Wed, 21 May 2025 21:46:44 GMT

Hi @christophe.guengant ,

I would recommend to clear out the current phase 1 and phase 2 SAs so the tunnel can start fresh. Go into the CLI and enter the following commands to clear the stale SAs:

clear vpn ike-sa gateway <enter gateway name> clear vpn ipsec-sa tunnel <enter tunnel name>

By doing this, you're telling the firewall to renegotiate a brand new connection with the peer.

Re: IPSec VPN not getting any response from peer

reaper — Thu, 22 May 2025 08:04:27 GMT

It might be the vpn tunnel can only be set up in 1 direction (this is usually a symptom of a deeper issue). You can try setting your side to 'passive' mode and have the remote end initiate the connection

this also has the added benefit of providing far more information in your logging since the recipient can see the incoming requests and the 'reply' (or denial) of the proposed negotiation

as to a cause, there could be a negotiation hickup where there's too many pairs etc. if you're able to switch the direction of the negotiation and become the receiver, if there's nothing obvious in the logs you can also go into CLI and enable debugging for IKE and IPSec and see what's happening at a lower level

in troubleshooting ipsec, being the recipient is key 😉

Re: IPSec VPN not getting any response from peer

christophe.guengant — Thu, 22 May 2025 19:29:23 GMT

Hi,

thanks for your help. It seems i had some dead session blocking renegociation of the ike or ipsec.

The "clear vpn" cli commands didn't seem to work, but did have better results one i killed dead ike or opsec sessions from the GUI (Monitor > Session Browser). (It is good to know that in the session browser it is possible to filter on remote gateway ip).

It appears to be a known issue on Palo Alto Firewalls.