topic Re: Tracking down source of ike-nego-p1-fail-common log entry in General Topics

Tracking down source of ike-nego-p1-fail-common log entry

BDS_Vince — Wed, 28 Oct 2015 23:11:42 GMT

We have connected several branch offices using PA200 and PA500 with ipsec tunnels to a PA3020 at our corporate office.

The corporate server is registering similare errors twice every 3 seconds. The error:

IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP xxx.xxx.xxx.xxx[52402], ID ipaddr:yyy.yyy.yyy.yyy.

and

IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP xxx.xxx.xxx.xxx[24211], ID ipaddr:yyy.yyy.yyy.yyy.

The only difference is the number in brackets following the peer IP address.

We have a remote site with an IP address of xxx.xxx.xxx.xxx but its tunnels are up and the yyy.yyy.yyy.yyy sddress cannot be found anywhere in the configurations. The yyy.yyy.yyy.yyy IP address cannot be located in the corporate firewall either.

How can I determine where the request iscoming from so I can stop it?

What do the numbers in the brackets following the peer IP address mean?

Re: Tracking down source of ike-nego-p1-fail-common log entry

RFalconer — Thu, 29 Oct 2015 15:53:19 GMT

So you're saying yyy.yyy.yyy.yyy is not a part of your public IP range at your remote office?

Re: Tracking down source of ike-nego-p1-fail-common log entry

BDS_Vince — Thu, 29 Oct 2015 19:00:21 GMT

That is correct. xxx.xxx.xxx.xxx is already connected but we don't know where the request from yyy.yyy.yyy.yyy is coming from.

Re: Tracking down source of ike-nego-p1-fail-common log entry

RFalconer — Thu, 29 Oct 2015 20:46:52 GMT

If you want to know the company that owns the IP address, you can do whois to get more info.

You could also just block it on your internet router.

Re: Tracking down source of ike-nego-p1-fail-common log entry

BDS_Vince — Thu, 29 Oct 2015 20:51:33 GMT

Unfortunately the PA3050 is our internet router......

Your suggestion is that I create a drop/deny rule for the IP address. Does that rule get evaluated before the IPsec connection is attempted?

Re: Tracking down source of ike-nego-p1-fail-common log entry

RFalconer — Thu, 29 Oct 2015 22:14:42 GMT

I don't think an ACL will work for traffic destined to the untrust interface. A PBF policy might work. You can try matching the traffic and setting the policy to discard.

Or your ISP might be able to block on their upstream equipment.

Re: Tracking down source of ike-nego-p1-fail-common log entry

pulukas — Fri, 30 Oct 2015 10:24:44 GMT

This is harmless but annoying to see in the logs.

These messages probably mean that someone has mis-configured a VPN attempt to your address. Likely this is a left over from an old connection you had or the previous user of your ip address.

I would do the ip look and contact the owner of the ip address. then ask for the IT group and get that old VPN removed.