https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-negotiation-fail/m-p/18113#M13194 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I'm having a hard time bringing up a VPN tunnel from my PA-5020 to a Cisco firewall.&nbsp; I'm getting the following:</P><P></P><P>'IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: 10.13.247.43/32 type IPv4_address protocol 0 port 0, received remote id: 192.168.10.200/32 type IPv4_address protocol 0 port 0.'</P><P></P><P>My search indicates that it's a mismatch with the Cisco firewall ACL.&nbsp; Would I be correct in assuming that their ACL references address protocol 0 port 0 instead of the specific ports we agreed upon during the design?</P><P></P><P>Thanks.</P></BODY></HTML> Tue, 12 Aug 2014 22:27:55 GMT przyboro 2014-08-12T22:27:55Z https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-negotiation-fail/m-p/18113#M13194 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I'm having a hard time bringing up a VPN tunnel from my PA-5020 to a Cisco firewall.&nbsp; I'm getting the following:</P><P></P><P>'IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: 10.13.247.43/32 type IPv4_address protocol 0 port 0, received remote id: 192.168.10.200/32 type IPv4_address protocol 0 port 0.'</P><P></P><P>My search indicates that it's a mismatch with the Cisco firewall ACL.&nbsp; Would I be correct in assuming that their ACL references address protocol 0 port 0 instead of the specific ports we agreed upon during the design?</P><P></P><P>Thanks.</P></BODY></HTML> Tue, 12 Aug 2014 22:27:55 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-negotiation-fail/m-p/18113#M13194 przyboro 2014-08-12T22:27:55Z https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-negotiation-fail/m-p/18114#M13195 <HTML><HEAD></HEAD><BODY><P>Hello <SPAN class="GINGER_SOFTWARE_mark"></SPAN><SPAN class="GINGER_SOFTWARE_mark"></SPAN><SPAN class="GINGER_SOFTWARE_mark"></SPAN><SPAN class="GINGER_SOFTWARE_mark"></SPAN><SPAN class="GINGER_SOFTWARE_mark"></SPAN><SPAN class="GINGER_SOFTWARE_mark"><SPAN class="GINGER_SOFTWARE_mark">przyboro</SPAN></SPAN>,</P><P></P><P>Generally speaking, most of the customer refers only local and remote subnet. As per the logs, please ensure that PAN is configured with Local PROXY ID as <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">192.168.10.200/32</SPAN> and remote PROXY ID as <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">10.13.247.43/32</SPAN>. Please find below an example:</P><P></P><P><IMG __jive_id="14900" alt="proxy-ID.JPG" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14900_proxy-ID.JPG" style="height: auto;" /></P><P></P><P>Notes: If you have specified any port and protocol in Cisco ACL, then only, it is required to add on PAN firewall.</P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Tue, 12 Aug 2014 22:40:23 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-negotiation-fail/m-p/18114#M13195 HULK 2014-08-12T22:40:23Z https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-negotiation-fail/m-p/18115#M13196 <HTML><HEAD></HEAD><BODY><P>Thank you for this information.&nbsp; I will be testing this out shortly.</P></BODY></HTML> Wed, 13 Aug 2014 19:34:53 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-negotiation-fail/m-p/18115#M13196 przyboro 2014-08-13T19:34:53Z https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-negotiation-fail/m-p/18116#M13197 <HTML><HEAD></HEAD><BODY><P>Sorry for the late reply.&nbsp; Missing proxy-ID was the problem.&nbsp; Fixed now.&nbsp; Thank you!</P></BODY></HTML> Fri, 22 Aug 2014 18:23:22 GMT https://live.paloaltonetworks.com/t5/general-topics/ike-phase-2-negotiation-fail/m-p/18116#M13197 przyboro 2014-08-22T18:23:22Z