https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-1-fails-as-initiator-but-not-as-responder/m-p/5835#M4261 <HTML><HEAD></HEAD><BODY><P>Hello support community,<BR />I'm using a PAN 3020 A/P cluster on the perimeter running 6.0.9.&nbsp; At all of my remote sites I have a cisco ASA that uses IPSEC tunnels to connect back to the main network.&nbsp; The IPSEC tunnel configuration (IKE phase 1, IKE phase 2, and peer IDs) are consistent across my remote sites (best to my knowledge).&nbsp; Out of my 8 IPSEC tunnels, when I try to initiate the tunnel to one site I receive the following in the system logs where X is the remote peer and Y is the local peer: "received unencrypted Notify payload (NO-PROPOSAL-CHOSEN) from IP X.X.X.X[500] to Y.Y.Y.Y[500], ignored."&nbsp; I then get: "IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: Y.Y.Y.Y[500]-72.28.162.32[500] cookie:cbf02ee495115ae1:0000000000000000. Due to timeout.'</P><P></P><P>If the PAN is the responder, the tunnel comes up: "IKE phase-1 negotiation is succeeded as responder, main mode. Established SA: Y.Y.Y.Y[500]-X.X.X.X[20796] cookie:2790c31cdce7deae:05a5f962eee2989b lifetime 86400 Sec."</P><P></P><P>Looking at the interpret-vpn-error-messages.html page, I would think if there was a proposal mismatch in the IKE Crypto profile, it would fail as both initiator and responder. I've verified the isakmp policy on the cisco side matches what's configured in the IKE Crypto policy, and I've verified the firewall is allowing the traffic via security policy.</P><P></P><P>Any ideas why I'm failing as an initiator?</P></BODY></HTML> Wed, 01 Apr 2015 01:08:52 GMT dan731028 2015-04-01T01:08:52Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-1-fails-as-initiator-but-not-as-responder/m-p/5835#M4261 <HTML><HEAD></HEAD><BODY><P>Hello support community,<BR />I'm using a PAN 3020 A/P cluster on the perimeter running 6.0.9.&nbsp; At all of my remote sites I have a cisco ASA that uses IPSEC tunnels to connect back to the main network.&nbsp; The IPSEC tunnel configuration (IKE phase 1, IKE phase 2, and peer IDs) are consistent across my remote sites (best to my knowledge).&nbsp; Out of my 8 IPSEC tunnels, when I try to initiate the tunnel to one site I receive the following in the system logs where X is the remote peer and Y is the local peer: "received unencrypted Notify payload (NO-PROPOSAL-CHOSEN) from IP X.X.X.X[500] to Y.Y.Y.Y[500], ignored."&nbsp; I then get: "IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: Y.Y.Y.Y[500]-72.28.162.32[500] cookie:cbf02ee495115ae1:0000000000000000. Due to timeout.'</P><P></P><P>If the PAN is the responder, the tunnel comes up: "IKE phase-1 negotiation is succeeded as responder, main mode. Established SA: Y.Y.Y.Y[500]-X.X.X.X[20796] cookie:2790c31cdce7deae:05a5f962eee2989b lifetime 86400 Sec."</P><P></P><P>Looking at the interpret-vpn-error-messages.html page, I would think if there was a proposal mismatch in the IKE Crypto profile, it would fail as both initiator and responder. I've verified the isakmp policy on the cisco side matches what's configured in the IKE Crypto policy, and I've verified the firewall is allowing the traffic via security policy.</P><P></P><P>Any ideas why I'm failing as an initiator?</P></BODY></HTML> Wed, 01 Apr 2015 01:08:52 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-1-fails-as-initiator-but-not-as-responder/m-p/5835#M4261 dan731028 2015-04-01T01:08:52Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-1-fails-as-initiator-but-not-as-responder/m-p/5836#M4262 <HTML><HEAD></HEAD><BODY><P>Hi Dan,</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">IPSec Interoperability Between Palo Alto Firewalls and Cisco ASA </SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P>Please find the below link for the Ipsec VPN configuration :-</P><P></P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-2579">https://live.paloaltonetworks.com/docs/DOC-2579</A></P><P></P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-6791" style="font-size: 10pt; line-height: 1.5em;">https://live.paloaltonetworks.com/docs/DOC-6791</A></P><P></P><P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">Kindly let us know if&nbsp; any further support is required.</SPAN></P><P></P><P>Regards</P><P>Satish</P></BODY></HTML> Wed, 01 Apr 2015 05:00:01 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-1-fails-as-initiator-but-not-as-responder/m-p/5836#M4262 Satish 2015-04-01T05:00:01Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-1-fails-as-initiator-but-not-as-responder/m-p/5837#M4263 <HTML><HEAD></HEAD><BODY><P>Since you know the actual crypto settings are correct, I would suspect one of these:</P><P></P><P>There is some kind of firewall blocking your request as initiator to the ASA interface.&nbsp; But as a responder you match the session created by the ASA so it works.</P><P></P><P>The Cisco configuration has the initiator only command in the configuration so it will not respond.</P></BODY></HTML> Wed, 01 Apr 2015 10:14:27 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-1-fails-as-initiator-but-not-as-responder/m-p/5837#M4263 pulukas 2015-04-01T10:14:27Z