Phase 1 Negotiation between IPSec Peer and PAN is being identified as "LAND attack". Receiving the following error entry in the Ikemgr.log:
IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: 220.127.116.11-18.104.22.168 message id:0x43D098BB. Due to negotiation timeout.
If the Proxy IDs have been checked for mismatch, try the following:
Configure a filter source peer WAN IP to destination Palo Alto Networks WAN IP > debug dataplane packet-diag set filter match source x.x.x.x destination y.y.y.y
Turn on the filter. > debug dataplane packet-diag set filter on
Initiate a ping in the reverse path. On a remote machine behind the VPN Peer, ping across the VPN tunnel to a host behind the PAN Firewall. From a host on the remote peer network try to ping a host on the local network behind the PAN Firewall (w.w.w.w) c:\> ping w.w.w.w
This should cause the tunnel to be created, and initiate a new Phase1 IPSec negotiation.
Run the following command a couple of times: > show counter global filter delta yes packet-filter yes
Look for drops in the output. For example:
Elapsed time since last sampling: 1.481 seconds
name value rate severity category aspect description