https://live.paloaltonetworks.com/t5/general-topics/faild-starting-phase1/m-p/2848#M2109 <HTML><HEAD></HEAD><BODY><P>Have you filed this as a bug to the support?</P><P></P><P>I have seen some threads aswell in this forum regarding VPN issues which seems to be fixed when you recreate the VPN settings.</P><P></P><P>One of the issues I think was when the order of where the VPN settings are placed within the running-config file was changed between two releases.</P><P></P><P>Is it possible for you to do a diff between the faulting config and the config which now works? Im thinking of if some naming standards has been changed which wasnt pickedup by the conversation scripts (which I assume exists when you go from one version into another?).</P></BODY></HTML> Wed, 08 May 2013 04:34:22 GMT mikand 2013-05-08T04:34:22Z https://live.paloaltonetworks.com/t5/general-topics/faild-starting-phase1/m-p/2846#M2107 <HTML><HEAD></HEAD><BODY><P>Hi Group I am really ready to pull the hair out of my head.&nbsp; <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>For 3 months or so, I have had a VPN between my PA-200 to a PA-500 at my remote office. All was working fine.</P><P></P><P>Last night I come back into the office to find the VPN down, and not sure why. I am looking at my PA-200 which has exact configuration.</P><P></P><P>I can see via my pcaps that I am attempting to transmit my IPSEC traffic via agressive mode from my PA-200 to my destination PA-500 FW. </P><P></P><P>On my PA-500, I look in the system logs, and am seeing countless of messages "failed starting phase1"</P><P>Ok, I re-did my entire configuration on the PA-500, deleted old config, commit, created new config, and then commit.</P><P>Still getting failed starting phase1 I need to understand WHY is happening. </P><P>I do not have any insight or log to determine why it is failing to start. My PA-200 has dynamic IP, so I know my local PA-200 which be initiating the tunnel.</P><P></P><P>Looking at my traffic logs, and filtering on the public IP of my PA-200, I am not seeing any matching traffic.</P><P></P><P>No changes to my policy, but now, I am starting to open my firewall open in hopes to catch some sort of inbound traffic.</P><P></P><P>I could use some insight on this.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 08 May 2013 01:30:56 GMT https://live.paloaltonetworks.com/t5/general-topics/faild-starting-phase1/m-p/2846#M2107 scantwell 2013-05-08T01:30:56Z https://live.paloaltonetworks.com/t5/general-topics/faild-starting-phase1/m-p/2847#M2108 <HTML><HEAD></HEAD><BODY><P>Well, I have no idea, but because I am playing in a lab, I just deleted all my rules and started over. The VPN tunnel is now back up with a smaller subset the exact rules. This is the 5th time I have seen a perfectly working VPN configuration just stop working and by putting in a different policy, it just magically works. I think there is something to be investigated in this 5.0.2 to 5.0.4 software......</P></BODY></HTML> Wed, 08 May 2013 02:23:05 GMT https://live.paloaltonetworks.com/t5/general-topics/faild-starting-phase1/m-p/2847#M2108 scantwell 2013-05-08T02:23:05Z https://live.paloaltonetworks.com/t5/general-topics/faild-starting-phase1/m-p/2848#M2109 <HTML><HEAD></HEAD><BODY><P>Have you filed this as a bug to the support?</P><P></P><P>I have seen some threads aswell in this forum regarding VPN issues which seems to be fixed when you recreate the VPN settings.</P><P></P><P>One of the issues I think was when the order of where the VPN settings are placed within the running-config file was changed between two releases.</P><P></P><P>Is it possible for you to do a diff between the faulting config and the config which now works? Im thinking of if some naming standards has been changed which wasnt pickedup by the conversation scripts (which I assume exists when you go from one version into another?).</P></BODY></HTML> Wed, 08 May 2013 04:34:22 GMT https://live.paloaltonetworks.com/t5/general-topics/faild-starting-phase1/m-p/2848#M2109 mikand 2013-05-08T04:34:22Z