topic Re: IKE SA negotiation is started as initiator, non-rekey in General Topics

IKE SA negotiation is started as initiator, non-rekey

Lukaszm1 — Wed, 12 May 2021 07:36:21 GMT

Hello :),

I have a problem with VPN from PA-220 to Azure. The logs show this information : "IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA "

Every change I made it always is this same error. Is there any way to resolve this issue ?

Thanks in advance 🙂

Re: IKE SA negotiation is started as initiator, non-rekey

aleksandar.astardzhiev — Wed, 12 May 2021 08:20:04 GMT

Hi @Lukaszm1 ,

The log you have shared doesn't contain any error. It indicates that FW is trying to negotiate Phase1. The key point here is that FW is starting the negotiation ("as initiator"), due to the nature of the IPsec the initiator will not log the real reason why negotiation is failing.

You can try to enable passive mode under the IKE Gateway advance options - this will force the firewall to act only as responder and waits for the Azure to trigger negotiation. That way you should see more "detailed" log what could be the reason for the unsuccessful negotiation. Note that in thi case you need to find a way to tell Azure to start first - either by sending traffic from azure to on-prem network or by any "azure troubleshooting commands".

Re: IKE SA negotiation is started as initiator, non-rekey

Lukaszm1 — Wed, 12 May 2021 10:14:30 GMT

Hi ,

Thanks for fast replay , i try this but still no luck, It is also very strange i have this same configuration on different location and it works without any problems.

After change the ike to passive i have this information in logs :

Re: IKE SA negotiation is started as initiator, non-rekey

aleksandar.astardzhiev — Wed, 12 May 2021 13:51:38 GMT

Hi @Lukaszm1 ,

These logs are not related to the VPN negotiation, but rather with configuration commit.

If you have enabled passive mode on the FW and you don't see anything else it probably means Azure is not even trying.

If you don't have a way to force Azure to start negotiation, you can disable again the passive mode and run packet capture for IKE packets on the FW. Under CLI run:
> debug ike pcap on (this will capture any ike packets so if you have other tunnel already running in this fw it will capture them as well)
> debug ike pcap view

Re: IKE SA negotiation is started as initiator, non-rekey

Lukaszm1 — Fri, 14 May 2021 06:18:48 GMT

Hi,

Thanks again, I found what was the problem, I make a mistake in polices and there was a bad ip address on it to the azure ;/ .

No it is working 🙂

Thanks ! 🙂

Re: IKE SA negotiation is started as initiator, non-rekey

bcalderon — Wed, 23 Jun 2021 17:54:52 GMT

Hi @Lukaszm1,

I'm having the very same issue,

What do you mean by "there was a bad IP on it to azure"?

Thanks!

Re: IKE SA negotiation is started as initiator, non-rekey

Lukaszm1 — Thu, 24 Jun 2021 04:42:52 GMT

Hi @bcalderon

Check the configuration on the Policies there should be entry with information that You allow the connection from Your WAN ip address to the other site IP Address.

Re: IKE SA negotiation is started as initiator, non-rekey

bcalderon — Thu, 24 Jun 2021 13:49:05 GMT

Hello @Lukaszm1

So a Security Policy could prevent the establishment of phase 1?
I thought a policy could affect the traffic flow between zones, but once the tunnel was up and running...

Thanks, going to check that

Re: IKE SA negotiation is started as initiator, non-rekey

Lukaszm1 — Fri, 25 Jun 2021 04:58:27 GMT

Hello @bcalderon

In My case it do the job, after add proper ip address it established with no problem. Try to do that and see what happend. On the application add " ike and ipsec" it should be enough to have more granular control.

Re: IKE SA negotiation is started as initiator, non-rekey

bcalderon — Fri, 25 Jun 2021 16:52:59 GMT

Hello @Lukaszm1,

Thanks a lot for your help,

Actually, the issue was solved with a reboot haha,

When doubt, reboot!

Regards.