topic Phase 2 tunnel is not up in General Topics

Phase 2 tunnel is not up

FarhanKoujalgi — Thu, 05 Aug 2021 14:03:40 GMT

One of my clients configure the site to site tunnel from AWS to Palo alto device the phase 1 is able to up but the second phase is not up it is because we didn't enter the proxy id for or something else i should go for troubleshoot kindly help.

Re: Phase 2 tunnel is not up

SutareMayur — Thu, 05 Aug 2021 15:31:40 GMT

Hi @FarhanKoujalgi

Proxy IDs on palo alto side are required to mentioned whenever peer end is acting as Policy based VPN because Palo Alto always act as Route based vpn. Now in order to check if proxy id is causing the issues, you should check the system logs by filtering VPN logs which will give you more clarity on the issue. If issue with proxy ids, you will see logs like proxy-id mismatch / negotiation failed when processing proxy ID. Proxy ID's need to be identical on both VPN peers for negotiation to be successful.

Apart from that, I would recommend you to verify the Phase 2 IPSEC parameters, routes for the traffic to be routed from tunnel.

Hope it helps!

Re: Phase 2 tunnel is not up

FarhanKoujalgi — Sat, 07 Aug 2021 16:37:44 GMT

Hi@SutareMayur

Thank you for your solution and support the tunnel is up while add proper proxy id.