https://live.paloaltonetworks.com/t5/general-topics/phase-1-up-phase-2-down/m-p/255458#M72482 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>,</P><P>Under the IKE Gateway for the tunnel verify that the Local Identification and the Peer Identification are actually matching (in reverse order) for the selected tunnel.</P><P>The following is an example:</P><P>&nbsp;</P><P>PA-1:</P><P>Local Identification:&nbsp; &nbsp; IP address&nbsp; &nbsp; 10.10.139.230</P><P>Peer Identification&nbsp; &nbsp; FQDN (hostname)&nbsp; &nbsp; TEST01</P><P>&nbsp;</P><P>PA-2:</P><P>Local Identification:&nbsp; &nbsp; FQDN (hostname)&nbsp; &nbsp; TEST01</P><P>Peer Identification:&nbsp; &nbsp; IP address&nbsp; &nbsp;10.10.139.230</P><P>&nbsp;</P><P>What the log is saying is that essentially the peer device is sending the id of 10.175.150.0 as it's Local Identification, and that ID doesn't match any of your IKE Gateway's configured Peer Identification. Meaning that the firewall doesn't have an IKE Gateway configured for the device.&nbsp;</P> Fri, 29 Mar 2019 18:23:45 GMT BPry 2019-03-29T18:23:45Z https://live.paloaltonetworks.com/t5/general-topics/phase-1-up-phase-2-down/m-p/255443#M72480 <P>( description contains 'IKE phase-1 negotiation is failed. Peer\'s ID payload 10.175.150.0 (type ipaddr) does not match a configured IKE gateway.' )</P><P>&nbsp;</P><P>&nbsp;</P><P>and ( description contains 'IKE phase-1 negotiation is failed as responder, main mode. Failed SA: 198.160.191.5[500]-173.182.112.167[500] cookie:5357205146f1b40c:a194d23cbec27a50. Due to timeout.' )</P><P>&nbsp;</P><P>I get above in system logs phase 1 is up but phase 2 not&nbsp;</P> Fri, 29 Mar 2019 16:06:13 GMT https://live.paloaltonetworks.com/t5/general-topics/phase-1-up-phase-2-down/m-p/255443#M72480 MP18 2019-03-29T16:06:13Z https://live.paloaltonetworks.com/t5/general-topics/phase-1-up-phase-2-down/m-p/255458#M72482 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>,</P><P>Under the IKE Gateway for the tunnel verify that the Local Identification and the Peer Identification are actually matching (in reverse order) for the selected tunnel.</P><P>The following is an example:</P><P>&nbsp;</P><P>PA-1:</P><P>Local Identification:&nbsp; &nbsp; IP address&nbsp; &nbsp; 10.10.139.230</P><P>Peer Identification&nbsp; &nbsp; FQDN (hostname)&nbsp; &nbsp; TEST01</P><P>&nbsp;</P><P>PA-2:</P><P>Local Identification:&nbsp; &nbsp; FQDN (hostname)&nbsp; &nbsp; TEST01</P><P>Peer Identification:&nbsp; &nbsp; IP address&nbsp; &nbsp;10.10.139.230</P><P>&nbsp;</P><P>What the log is saying is that essentially the peer device is sending the id of 10.175.150.0 as it's Local Identification, and that ID doesn't match any of your IKE Gateway's configured Peer Identification. Meaning that the firewall doesn't have an IKE Gateway configured for the device.&nbsp;</P> Fri, 29 Mar 2019 18:23:45 GMT https://live.paloaltonetworks.com/t5/general-topics/phase-1-up-phase-2-down/m-p/255458#M72482 BPry 2019-03-29T18:23:45Z https://live.paloaltonetworks.com/t5/general-topics/phase-1-up-phase-2-down/m-p/255486#M72486 <P>Got it.</P><P>&nbsp;</P><P>Many Thanks</P> Fri, 29 Mar 2019 18:57:43 GMT https://live.paloaltonetworks.com/t5/general-topics/phase-1-up-phase-2-down/m-p/255486#M72486 MP18 2019-03-29T18:57:43Z