https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-messages-and-failure/m-p/179884#M55773 <P>We have 5 different tunnels.&nbsp; Even doing 2500 shows&nbsp;less than 2hours of logs</P><PRE>tail lines 2500 mp-log ikemgr.log</PRE><P>&nbsp;</P> Tue, 03 Oct 2017 17:05:51 GMT raji_toor 2017-10-03T17:05:51Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-messages-and-failure/m-p/179629#M55713 <P>On Weelkend, one of our tunnels was down for about an hour. I was checking system logs and found these messages repeatedly for that tunnel, even after it is up. Anybody knows what this means and what to look for in logs to find the cause of tunnel failure.</P><P>&nbsp;</P><P>'the packet retransmitted in a short time from x.x.x.x[500]'</P><P>'IKE phase-2 negotiation request received but no phase-1 SA is found. Message sent from IP x.x..x.x[500] to y.y.y.y[500]'</P><P>&nbsp;</P> Mon, 02 Oct 2017 17:40:41 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-messages-and-failure/m-p/179629#M55713 raji_toor 2017-10-02T17:40:41Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-messages-and-failure/m-p/179753#M55723 <P>Hi,</P><P>&nbsp;</P><P>Can you please post full log output from the CLI:</P><P>&nbsp;</P><PRE>&gt; tail lines 100 mp-log ikemgr.log</PRE><P>&nbsp;</P><P>This guide is quite good if you want to get an additional info:</P><P>&nbsp;</P><P><SPAN><A href="https://live.paloaltonetworks.com/t5/Featured-Articles/How-to-Open-a-Case-on-IPSec-VPN-Issues/ta-p/102233" target="_blank">https://live.paloaltonetworks.com/t5/Featured-Articles/How-to-Open-a-Case-on-IPSec-VPN-Issues/ta-p/102233</A></SPAN><BR />&nbsp;</P> Tue, 03 Oct 2017 08:22:55 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-messages-and-failure/m-p/179753#M55723 TranceforLife 2017-10-03T08:22:55Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-messages-and-failure/m-p/179884#M55773 <P>We have 5 different tunnels.&nbsp; Even doing 2500 shows&nbsp;less than 2hours of logs</P><PRE>tail lines 2500 mp-log ikemgr.log</PRE><P>&nbsp;</P> Tue, 03 Oct 2017 17:05:51 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-messages-and-failure/m-p/179884#M55773 raji_toor 2017-10-03T17:05:51Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-messages-and-failure/m-p/179909#M55783 <P>Was this one time issue?</P><P>It it happens every now and then in this case check if DPD settings are same at both sides (either on or off).</P><P>&nbsp;</P><P><A title="https://live.paloaltonetworks.com/t5/Configuration-Articles/Dead-Peer-Detection-and-Tunnel-Monitoring/ta-p/61371" href="https://live.paloaltonetworks.com/t5/Configuration-Articles/Dead-Peer-Detection-and-Tunnel-Monitoring/ta-p/61371" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/Dead-Peer-Detection-and-Tunnel-Monitoring/ta-p/61371</A></P> Tue, 03 Oct 2017 21:56:50 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-messages-and-failure/m-p/179909#M55783 Raido_Rattameister 2017-10-03T21:56:50Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-messages-and-failure/m-p/180115#M55815 <P>These messages are continous, but it was down this time only and there is no DPD configured on either side.</P><P>&nbsp;</P><P>'the packet retransmitted in a short time from x.x.x.x[500]'</P><P>'IKE phase-2 negotiation request received but no phase-1 SA is found. Message sent from IP x.x..x.x[500] to y.y.y.y[500]'</P> Wed, 04 Oct 2017 20:32:35 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-messages-and-failure/m-p/180115#M55815 raji_toor 2017-10-04T20:32:35Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-messages-and-failure/m-p/180189#M55821 <P>Anything in Monitor &gt; System log about phase 1 take down?</P><P>( subtype eq vpn ) and ( description contains 'phase-1' )</P><P>&nbsp;</P><P>Phase 1 key lifetime values are same?</P><P>&nbsp;</P><P>less mp-log ikemgr.log</P><P>/<SPAN>x.x.x.x[500]</SPAN></P><P>&nbsp;</P><P>/following-searchkeyword - search function to look up logs for this partner</P><P>&nbsp;</P> Thu, 05 Oct 2017 00:34:01 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-messages-and-failure/m-p/180189#M55821 Raido_Rattameister 2017-10-05T00:34:01Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-messages-and-failure/m-p/180367#M55846 <P>I see these 2 mesages related to phase 1</P><P>&nbsp;</P><P>Deleting a possible stale phase-1 SA. cookie:45d6eddfe123a631:437d84921654er2c</P><P>IKE protocol phase-1 SA delete message sent to peer. cookie:<SPAN>45d6eddfe123a631:437d84921654er2c</SPAN></P><P>&nbsp;</P><P>I don't have control on other end, will have to ask for it.</P> Thu, 05 Oct 2017 19:07:32 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-messages-and-failure/m-p/180367#M55846 raji_toor 2017-10-05T19:07:32Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-messages-and-failure/m-p/180378#M55849 <P>Unfortunately, without the&nbsp;full log files/messages we can only guess.</P> Thu, 05 Oct 2017 19:34:47 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-messages-and-failure/m-p/180378#M55849 TranceforLife 2017-10-05T19:34:47Z