https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/66538#M39227 <P>Does the phase one is comming up? If yes then the issue with proxy ID.</P> <P>Have you opened the udp port 500 and udp 4500 on the AWS?</P> <P>Are you able to ping the public IP address?</P> Wed, 14 Oct 2015 12:21:32 GMT pankaku 2015-10-14T12:21:32Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/66521#M39222 <P>Hi All,</P> <P>&nbsp;</P> <P>We have configured IPSec VPN between PAN and AWS.&nbsp;</P> <P>&nbsp;</P> <P>When i iniate the tunnel, IPSec and IKE SA installed successfully as a initiator.</P> <P>then, IKE protocol IPSec SA delete message sent to peer. SPI:0x...</P> <P>After a second, IPSec key deleted. Deleted SA..... please suggest&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 14 Oct 2015 11:02:56 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/66521#M39222 Javith 2015-10-14T11:02:56Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/66529#M39224 <P>Soundslike some reachibility test fails. Check if you are dropping something towards AWS peers.</P> <P>&nbsp;</P> Wed, 14 Oct 2015 11:27:56 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/66529#M39224 santonic 2015-10-14T11:27:56Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/66538#M39227 <P>Does the phase one is comming up? If yes then the issue with proxy ID.</P> <P>Have you opened the udp port 500 and udp 4500 on the AWS?</P> <P>Are you able to ping the public IP address?</P> Wed, 14 Oct 2015 12:21:32 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/66538#M39227 pankaku 2015-10-14T12:21:32Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/66567#M39234 <P>Can you set vpn on Palo into passive mode and initiate vpn from other side?</P> <P>System log on Palo shows pretty exactly at what state vpn fails.</P> Wed, 14 Oct 2015 13:49:07 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/66567#M39234 Raido_Rattameister 2015-10-14T13:49:07Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/66585#M39239 <P>The only options are Main, Auto, and Agressive. You can play with those. But like <SPAN class="UserName lia-user-name lia-user-rank-L4-Transporter"><A id="link_15" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/20090" target="_self"><SPAN class="">pakumar</SPAN></A></SPAN> pointed out. If its phase 2, it could be proxy id's.</P> <P>&nbsp;</P> <P>Its under Ike Gateway -&gt; Advanced Phase 1 options.</P> Wed, 14 Oct 2015 15:46:03 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/66585#M39239 OtakarKlier 2015-10-14T15:46:03Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/66586#M39240 <P>Of course i didnt look very hard, Yes there is a Passive option in the IKE gateway.</P> Wed, 14 Oct 2015 15:52:03 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/66586#M39240 OtakarKlier 2015-10-14T15:52:03Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/66624#M39253 <P>According to original post (Quote:"<SPAN>When i iniate the tunnel, IPSec and IKE SA installed successfully as a initiator.</SPAN>") I'd say all parameters are ok and IPSEC is esatblished sucesfully but DPD mechanism kicks in and takes&nbsp;it down.&nbsp;</P> Thu, 15 Oct 2015 07:42:25 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-issue/m-p/66624#M39253 santonic 2015-10-15T07:42:25Z