IPSec Error: IKE Phase-1 Negotiation is Failed as Initiator, Main Mode. Due to Negotiation Timeout

by vvasilasco on 03-05-2013 01:18 PM - edited on 06-08-2017 03:01 AM by (65,029 Views)

Issue

Phase 1 negotiation between the IPSec peer and the Palo Alto Networks firewall is being identified as a "LAND attack". The following error entry appears in ikemgr.log:

IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: 216.204.241.93[500]-216.203.80.108[500] message id:0x43D098BB. Due to negotiation timeout.


Details

If the Proxy IDs have already been checked for a mismatch, try the following:

1. Configure a packet filter from the source peer WAN IP (x.x.x.x) to the destination Palo Alto Networks WAN IP (y.y.y.y):
   > debug dataplane packet-diag set filter match source x.x.x.x destination y.y.y.y

2. Turn on the filter:
   > debug dataplane packet-diag set filter on

3. Initiate a ping in the reverse path. From a host on the remote peer network (behind the VPN peer), ping a host on the local network behind the PAN firewall (w.w.w.w) across the VPN tunnel:
   c:\> ping w.w.w.w

   This should cause the tunnel to be created and initiate a new Phase 1 IPSec negotiation.

4. Run the following command a couple of times:
   > show counter global filter delta yes packet-filter yes

Look for drops in the output. For example:

Global counters:
Elapsed time since last sampling: 1.481 seconds

name                      value  rate  severity  category  aspect    description
-----------------------------------------------------------------------------------------
session_allocated         1      0     info      session   resource  Sessions allocated
session_freed             1      0     info      session   resource  Sessions freed
flow_policy_nat_land      1      0     drop      flow      session   Session setup: source NAT IP allocation result in LAND attack
nat_dynamic_port_xlat     1      0     info      nat       resource  The total number of dynamic_ip_port NAT translate called
nat_dynamic_port_release  1      0     info      nat       resource  The total number of dynamic_ip_port NAT release called
-----------------------------------------------------------------------------------------
Total counters shown: 5
-----------------------------------------------------------------------------------------
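As an added illustration (not part of the original article or of any Palo Alto Networks tool), the following Python script parses counter output in the format shown above and flags every counter with severity "drop", mapping the flow_policy_nat_land drop to the source NAT cause the Resolution section names. The sample output and the hint table are constructed for this example.

```python
import re

# Constructed sample of `show counter global filter delta yes packet-filter yes`
# output, modelled on the excerpt above (not captured from a real device).
SAMPLE_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 1.481 seconds

name                      value  rate  severity  category  aspect    description
-----------------------------------------------------------------------------------------
session_allocated         1      0     info      session   resource  Sessions allocated
session_freed             1      0     info      session   resource  Sessions freed
flow_policy_nat_land      1      0     drop      flow      session   Session setup: source NAT IP allocation result in LAND attack
nat_dynamic_port_xlat     1      0     info      nat       resource  The total number of dynamic_ip_port NAT translate called
-----------------------------------------------------------------------------------------
Total counters shown: 4
"""

# Columns are whitespace separated; the description is free text, so capture
# the first six fields strictly and keep the remainder as the description.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

# Hypothetical hint table: drop counters this article explains, mapped to the
# next thing a practitioner should check.
KNOWN_DROP_HINTS = {
    "flow_policy_nat_land": "source NAT misconfiguration (LAND attack): review the NAT policy",
}

def parse_counters(text):
    """Return one dict per counter row; headers, rules and totals do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        name, value, rate, severity, category, aspect, desc = m.groups()
        rows.append({"name": name, "value": int(value), "rate": int(rate),
                     "severity": severity, "category": category,
                     "aspect": aspect, "description": desc.strip()})
    return rows

def drop_counters(rows):
    """Counters with severity 'drop' that incremented since the last sample."""
    return [r for r in rows if r["severity"] == "drop" and r["value"] > 0]

def diagnose(text):
    """Map each observed drop counter to a next-step hint."""
    return {r["name"]: KNOWN_DROP_HINTS.get(r["name"], "not a known cause: keep debugging")
            for r in drop_counters(parse_counters(text))}
```

Run `diagnose()` over the counter output captured in step 4; an empty result means no drop counter incremented for the filtered IKE traffic and the timeout has another cause.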


Resolution

In this case, the 'flow_policy_nat_land' global counter shows a 'drop', indicating a configuration issue that causes the IKE traffic to be dropped, which in turn produces the "negotiation timeout" error.


To resolve the LAND attack, see: Misconfigured Source NAT and LAND attacks


owner: vvasilasco

Comments
by ScottWrosch
on 09-18-2015 09:43 AM

And when it is NOT due to a LAND attack?

by
on 06-08-2017 02:51 AM

@ScottWrosch - In such case you won't be getting that specific drop in the global counters and further debugging might be required. Some other drops might give you hints on the issue at hand.
