https://live.paloaltonetworks.com/t5/general-topics/vpn-works-but/m-p/10762#M7934 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>I configured an IPSec site to site VPN between Palo Alto Firewall and Checkpoint Firewall. </P><P>Everything works perfectly as expected, but I get constant Logs : IKE-Phase 2 negotiation failed when processing proxy ID. cannot find matching phase 2 tunnel for received proxy ID.</P><P></P><P>I have configured the proxy IDs and tunnel seems to work. But still I get the above mentioned log constantly with severity "informatikonal".</P><P></P><P>Any idea what is going wrong??</P><P></P><P>Thanks!</P></BODY></HTML> Wed, 19 Nov 2014 13:05:56 GMT Neo.The.One 2014-11-19T13:05:56Z https://live.paloaltonetworks.com/t5/general-topics/vpn-works-but/m-p/10762#M7934 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>I configured an IPSec site to site VPN between Palo Alto Firewall and Checkpoint Firewall. </P><P>Everything works perfectly as expected, but I get constant Logs : IKE-Phase 2 negotiation failed when processing proxy ID. cannot find matching phase 2 tunnel for received proxy ID.</P><P></P><P>I have configured the proxy IDs and tunnel seems to work. But still I get the above mentioned log constantly with severity "informatikonal".</P><P></P><P>Any idea what is going wrong??</P><P></P><P>Thanks!</P></BODY></HTML> Wed, 19 Nov 2014 13:05:56 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-works-but/m-p/10762#M7934 Neo.The.One 2014-11-19T13:05:56Z https://live.paloaltonetworks.com/t5/general-topics/vpn-works-but/m-p/10763#M7935 <HTML><HEAD></HEAD><BODY><P>Hi Amit,</P><P></P><P>Above mentioned log should come in the event of Proxy ID mismatch, which you have already corrected.</P><P></P><P>And in this case firewall should not establish phase-2.&nbsp; </P><P></P><P>Are these older logs or new logs? If its new logs than make sure its for the same tunnel and not any other tunnel? If its for the same tunnel than its a strange behavior.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Wed, 19 Nov 2014 14:20:57 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-works-but/m-p/10763#M7935 hshah 2014-11-19T14:20:57Z https://live.paloaltonetworks.com/t5/general-topics/vpn-works-but/m-p/10764#M7936 <HTML><HEAD></HEAD><BODY><P>Hello Amit,</P><P></P><P>If someone tries to send traffic from a different subnet OR to a different subnet, which is not part of your PROXY ID, then the firewall will drop those packets with above mentioned messages.&nbsp; Since PROXY ID will not match for that traffic.</P><P></P><P>You may check <SPAN class="GINGER_SOFTWARE_mark">ike</SPAN>-<SPAN class="GINGER_SOFTWARE_mark">mgr</SPAN> logs to get the source/destination IP of that dropped traffic.</P><P></P><P>&gt; <SPAN class="GINGER_SOFTWARE_mark">less</SPAN> <SPAN class="GINGER_SOFTWARE_mark">mp</SPAN>-log ikemgr.log</P><P>&gt; <SPAN class="GINGER_SOFTWARE_mark">show</SPAN> log system direction equal backward</P><P></P><P>You can either <SPAN class="GINGER_SOFTWARE_mark">user</SPAN> Space-Bar <SPAN class="GINGER_SOFTWARE_mark">to go</SPAN> down the logs or use "shift + g"&nbsp; to go at the bottom of the logs. </P><P></P><P>Hope this helps.</P><P></P><P>Thank you.</P></BODY></HTML> Wed, 19 Nov 2014 16:33:10 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-works-but/m-p/10764#M7936 HULK 2014-11-19T16:33:10Z https://live.paloaltonetworks.com/t5/general-topics/vpn-works-but/m-p/10765#M7937 <HTML><HEAD></HEAD><BODY><P>Hi Guys,</P><P></P><P>thanks for your replies but the problem still persists. The tunnel goes down intermittently in a day. The tunnel seems to work for 80% of time in a day.</P><P></P><P><A href="https://live.paloaltonetworks.com/u1/19490">hshah</A> - The logs above are new logs.</P><P></P><P><A href="https://live.paloaltonetworks.com/u1/19491">HULK</A> - I tried running the command <SPAN lang="DE" style="font-size: 10.0pt; font-family: 'Courier New'; color: #3b3b3b; background: white;"><STRONG style=": ; color: #3366ff;">tail follow yes mp-log ikemgr.log</STRONG>&nbsp; </SPAN><SPAN lang="DE">and following was the output</SPAN></P><P></P><P><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Courier New'; color: #1f497d;">====&gt; Initiated SA: IP-ADDRESSES-HERE message id:0x42D6F11F &lt;====</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Courier New'; color: #1f497d;">2014-11-21 11:05:19 [INTERNAL_ERR]: can't find matching selector</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Courier New'; color: #1f497d;">2014-11-21 11:05:19 [PROTO_ERR]: failed to get sainfo.</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Courier New'; color: #1f497d;">2014-11-21 11:05:19 [INTERNAL_ERR]: failed to pre-process packet.</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Courier New'; color: #1f497d;">2014-11-21 11:05:21 [PROTO_NOTIFY]: ====&gt; PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) &lt;====</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Courier New'; color: #1f497d;"><BR /></SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Courier New'; color: #1f497d;">Any suggestions as to what can be going wrong? This is strange behavior!</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Courier New'; color: #1f497d;"><BR /></SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Courier New'; color: #1f497d;">Thanks!<BR /></SPAN></P></BODY></HTML> Mon, 24 Nov 2014 10:25:56 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-works-but/m-p/10765#M7937 Neo.The.One 2014-11-24T10:25:56Z https://live.paloaltonetworks.com/t5/general-topics/vpn-works-but/m-p/10766#M7938 <HTML><HEAD></HEAD><BODY><P>Hi Guys</P><P></P><P>Problem was resolved. The problem was missing proxy IDs for external interfaces. Thanks for your help!</P></BODY></HTML> Tue, 25 Nov 2014 11:19:30 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-works-but/m-p/10766#M7938 Neo.The.One 2014-11-25T11:19:30Z