topic Re: Update to 8.0.6 appears to have broken IPSec tunnel connections in General Topics

Update to 8.0.6 appears to have broken IPSec tunnel connections

Andre_Magri — Tue, 08 May 2018 15:18:07 GMT

Since our PA updated we've had a problem with one IPSec Tunnel not routing correctly. It appears to relate to just one Proxy ID but I've checked all and they're exactly the same as the PFSense box we're connecting to. Everything was fine until the update to 8.0.6.

I've followed this KB...

https://live.paloaltonetworks.com/t5/Management-Articles/IPSec-VPN-Error-IKE-Phase-2-Negotiation-is-Failed-as-Initiator/ta-p/60725

..but both ProxyIDs are perfect. The message we're getting is..

IKEv2 child SA negotiation is failed as initiator, non-rekey. Failed SA: (LOCAL IP)[500]-(DEST IP)[500] message id:0x000021F0. Error code 19

If I head into "tail follow yes mp-log ikemgr.log" I get ....

2018-05-08 15:20:26.680 +0100 [PERR]: { 6: }: received Notify payload protocol 0 type TS_UNACCEPTABLE
2018-05-08 15:20:26.680 +0100 [PNTF]: { 6: }: ====> IKEv2 CHILD SA NEGOTIATION FAILED AS INITIATOR, non-rekey; gateway IKE-Harrogate <====
====> Failed SA: (LOCAL IP)[500]-(REMOTE IP)[500] message id:0x00001B7C parent SN:1450 <==== Error code 19
2018-05-08 15:20:27.793 +0100 [PWRN]: { 6: }: 38 is not a child notify type
2018-05-08 15:20:27.793 +0100 [PERR]: { 6: }: received Notify payload protocol 0 type TS_UNACCEPTABLE
2018-05-08 15:20:27.793 +0100 [PNTF]: { 6: }: ====> IKEv2 CHILD SA NEGOTIATION FAILED AS INITIATOR, non-rekey; gateway IKE-Harrogate <====
====> Failed SA: (LOCAL IP)[500]-(REMOTE IP)[500] message id:0x00001B7D parent SN:1450 <==== Error code 19
2018-05-08 15:20:27.959 +0100 [PWRN]: { 6: }: 38 is not a child notify type
2018-05-08 15:20:27.959 +0100 [PERR]: { 6: }: received Notify payload protocol 0 type TS_UNACCEPTABLE
2018-05-08 15:20:27.959 +0100 [PNTF]: { 6: }: ====> IKEv2 CHILD SA NEGOTIATION FAILED AS INITIATOR, non-rekey; gateway IKE-Harrogate <====
====> Failed SA: (LOCAL IP)[500]-(REMOTE IP)[500] message id:0x00001B7E parent SN:1450 <==== Error code 19
2018-05-08 15:20:30.758 +0100 [PWRN]: { 6: }: 38 is not a child notify type

Anyone know what I'm doing wrong here?

Here's the debug logs...

2018-05-08 16:15:05.430 +0100  [DEBG]: ===
2018-05-08 16:15:05.430 +0100  [DEBG]: 76 bytes message received from (DEST IP)[500]
2018-05-08 16:15:05.430 +0100  [DEBG]: {    6:     }: response exch type 36
2018-05-08 16:15:05.430 +0100  [DEBG]: {    6:     }: update response message_id 0x235d
2018-05-08 16:15:05.430 +0100  [DEBG]: {    6:     }: received notify type TS_UNACCEPTABLE
2018-05-08 16:15:05.430 +0100  [DEBG]: {    6:     }: ikev2_process_child_notify(0x14b8230, 0x7f6b037d8c10), notify type TS_UNACCEPTABLE
2018-05-08 16:15:05.430 +0100  [PWRN]: {    6:     }: 38 is not a child notify type
2018-05-08 16:15:05.430 +0100  [PERR]: {    6:     }: received Notify payload protocol 0 type TS_UNACCEPTABLE
2018-05-08 16:15:05.430 +0100  [PNTF]: {    6:     }: ====> IKEv2 CHILD SA NEGOTIATION FAILED AS INITIATOR, non-rekey; gateway IKE-Harrogate <====
                                                      ====> Failed SA: (LOCAL IP)[500]-(DEST IP)[500] message id:0x0000235D parent SN:1450 <==== Error code 19
2018-05-08 16:15:06.614 +0100  [DEBG]: processing isakmp packet
2018-05-08 16:15:06.614 +0100  [DEBG]: ===

Re: Update to 8.0.6 appears to have broken IPSec tunnel connections

BPry — Tue, 08 May 2018 19:47:23 GMT

@Andre_Magri,

Have you verified within the XML that what's being displayed on the GUI is actually what's being read by the firewall?

Re: Update to 8.0.6 appears to have broken IPSec tunnel connections

JanPou — Tue, 05 May 2020 12:00:43 GMT

Are you saying there could be a significant difference between what's being viewed in the GUI as to whats being read in the XML ?

I am seeing the same behavior on version 9.0.5.

The tunnel seems to run initially, but after a while the PA is unable to initiate new SA's.

Re: Update to 8.0.6 appears to have broken IPSec tunnel connections

BPry — Tue, 05 May 2020 14:33:48 GMT

@JanPou,

Could you open a new discussion with your exact issue and troubleshooting steps that you have done. If your tunnel is coming online at all, it's not the same as referenced in this post.

Re: Update to 8.0.6 appears to have broken IPSec tunnel connections

jkim12 — Tue, 26 May 2020 18:25:54 GMT

had a similar issue ended up being SHA256-CBC was chosen on palo side, added / switched to SHA-256-GCM and it came right up.

Re: Update to 8.0.6 appears to have broken IPSec tunnel connections

AlexandroDelAngel — Thu, 04 Jun 2020 21:22:30 GMT

Hi @jkim12 - Why did you have to add SHA-256-GCM, did you do that in the remote side as well?

Regards!

Re: Update to 8.0.6 appears to have broken IPSec tunnel connections

jkim12 — Thu, 04 Jun 2020 21:30:04 GMT

AES-256 wasn't selectable in the pfsense config they showed me for CBC or GCM so just on the palo side manually selected AES-256-GCM and added AES-256-CBC as secondary ( although not needed) and it came right up.