https://live.paloaltonetworks.com/t5/general-topics/why-pa-is-responder-for-phase-1-and-initiator-for-phase-2/m-p/260522#M73852 <P>&nbsp;</P><P>Seems Phase 2 is down and system log shows below logs again and again</P><P>&nbsp;</P><P>and ( description contains 'IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: 198.160.x.x[500]-173.182.x.x[500] message id:0xF55F380F. Due to negotiation timeout.' )</P><P>&nbsp;</P><P>i do not have to device 173.182.x.x</P><P>&nbsp;</P><P>&nbsp;</P><P>When i run below command&nbsp; i s</P><P>&nbsp;</P><P>show vpn ike-sa</P><P>IKEv1 phase-1 SAs<BR />GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2</P><P>14 173.182.x.x CoC_13 Resp Main PSK/DH14/A256/SHA1 May.10 10:29:52 May.10 11:29:52 v1 13 2 0</P><P><BR />Show IKEv1 IKE SA: Total 6 gateways found. 5 ike sa found.</P><P><BR />IKEv1 phase-2 SAs<BR />Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt<BR />------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --</P><P>CoC_13 105 CoC-YYC_13:YYC_13 14 Init / / / 00000000 00000000 7A838C53 5 4</P><P><BR />Show IKEv1 phase2 SA: Total 6 gateways found. 9 ike sa found.</P><P>&nbsp;</P><P>Show IKEv2 SA: Total 2 gateways found. 2 ike sa found.</P><P>&nbsp;</P><P>why my PA is responder for Phase 1 and Initator for Phase 2?</P> Fri, 10 May 2019 16:37:52 GMT MP18 2019-05-10T16:37:52Z https://live.paloaltonetworks.com/t5/general-topics/why-pa-is-responder-for-phase-1-and-initiator-for-phase-2/m-p/260522#M73852 <P>&nbsp;</P><P>Seems Phase 2 is down and system log shows below logs again and again</P><P>&nbsp;</P><P>and ( description contains 'IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: 198.160.x.x[500]-173.182.x.x[500] message id:0xF55F380F. Due to negotiation timeout.' )</P><P>&nbsp;</P><P>i do not have to device 173.182.x.x</P><P>&nbsp;</P><P>&nbsp;</P><P>When i run below command&nbsp; i s</P><P>&nbsp;</P><P>show vpn ike-sa</P><P>IKEv1 phase-1 SAs<BR />GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2</P><P>14 173.182.x.x CoC_13 Resp Main PSK/DH14/A256/SHA1 May.10 10:29:52 May.10 11:29:52 v1 13 2 0</P><P><BR />Show IKEv1 IKE SA: Total 6 gateways found. 5 ike sa found.</P><P><BR />IKEv1 phase-2 SAs<BR />Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt<BR />------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --</P><P>CoC_13 105 CoC-YYC_13:YYC_13 14 Init / / / 00000000 00000000 7A838C53 5 4</P><P><BR />Show IKEv1 phase2 SA: Total 6 gateways found. 9 ike sa found.</P><P>&nbsp;</P><P>Show IKEv2 SA: Total 2 gateways found. 2 ike sa found.</P><P>&nbsp;</P><P>why my PA is responder for Phase 1 and Initator for Phase 2?</P> Fri, 10 May 2019 16:37:52 GMT https://live.paloaltonetworks.com/t5/general-topics/why-pa-is-responder-for-phase-1-and-initiator-for-phase-2/m-p/260522#M73852 MP18 2019-05-10T16:37:52Z https://live.paloaltonetworks.com/t5/general-topics/why-pa-is-responder-for-phase-1-and-initiator-for-phase-2/m-p/260632#M73879 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>&nbsp;wrote:<BR /><P>why my PA is responder for Phase 1 and Initator for Phase 2?</P><HR /></BLOCKQUOTE><P>Why not? <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P><P>&nbsp;</P><UL><LI>How many proxy IDs do you have configured on that tunnel?</LI><LI>What timeouts do you have configured for phase 1 and 2?</LI></UL><P>&nbsp;</P><P>For example if you have only 1 phase 2 tunnel and a timeout of 8 hours in phase 1 and 1 hour for phase 2. At 2 am the other side establishes a connection so phase 1 and 2 will be setup. At that time your PA is responder for phase 1 and 2. After exchanging some packets there is no longer a connection so phase 2 will time out. For example at 4 am your side wants to connect to the remote network. As phase 2 already timed out a new one needs to be created but phase 1 is still up. --&gt; your PA is responder in phase 1 and initiator of phase 2</P> Sun, 12 May 2019 11:43:12 GMT https://live.paloaltonetworks.com/t5/general-topics/why-pa-is-responder-for-phase-1-and-initiator-for-phase-2/m-p/260632#M73879 Remo 2019-05-12T11:43:12Z https://live.paloaltonetworks.com/t5/general-topics/why-pa-is-responder-for-phase-1-and-initiator-for-phase-2/m-p/260636#M73883 <P>We have 1 Proxy ID.</P><P>Also Phase 1 and 2 Timers are set to 3600 sec.</P><P>Both Timers are same</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 12 May 2019 16:09:54 GMT https://live.paloaltonetworks.com/t5/general-topics/why-pa-is-responder-for-phase-1-and-initiator-for-phase-2/m-p/260636#M73883 MP18 2019-05-12T16:09:54Z https://live.paloaltonetworks.com/t5/general-topics/why-pa-is-responder-for-phase-1-and-initiator-for-phase-2/m-p/260639#M73885 <P>What I wrot is also possible in this case as the keys are renewed prior to expiration. So depending on the actual traffic in the tunnel you might end up with different roles for phase 1 and 2.</P> Sun, 12 May 2019 18:54:05 GMT https://live.paloaltonetworks.com/t5/general-topics/why-pa-is-responder-for-phase-1-and-initiator-for-phase-2/m-p/260639#M73885 Remo 2019-05-12T18:54:05Z https://live.paloaltonetworks.com/t5/general-topics/why-pa-is-responder-for-phase-1-and-initiator-for-phase-2/m-p/260787#M73925 <P>Many Thanks Again</P> Mon, 13 May 2019 16:38:30 GMT https://live.paloaltonetworks.com/t5/general-topics/why-pa-is-responder-for-phase-1-and-initiator-for-phase-2/m-p/260787#M73925 MP18 2019-05-13T16:38:30Z