IPv6 IPsec Site-to-Site VPN Phase-I issue


L1 Bithead

Hi ,

Does anyone have a solution for this IPv6 IPsec Site-to-Site VPN Phase-I issue? I checked all the Phase-I and II parameters and took help from a PAN TAC engineer as well. They don't have an answer for this. I am getting this error. Your suggestion is highly appreciated!

 

2019-09-23 23:31:43.000 +0530 [PNTF]: { 116: }: ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE <====
====> Failed SA: 2601:df1:e307:30::1[500]-2120:122:8101:250::4[500] cookie:53d92b906f2fdba8:0000000000000000 <==== Due to timeout.
2019-09-23 23:31:43.000 +0530 [INFO]: { 116: }: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 2601:df1:e307:30::1[500]-2120:122:8101:250::4[500] cookie:53d92b906f2fdba8:0000000000000000 <====
2019-09-23 23:31:44.789 +0530 [PNTF]: { 98: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=9899190a975987a2 b5eacde362c04df8 (size=16).
2019-09-23 23:31:48.046 +0530 [PNTF]: { 99: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=3066d34341202b49 5b10e30a449e5899 (size=16).
2019-09-23 23:31:53.095 +0530 [PNTF]: { 97: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=fd698639b5b52dba 7a7fc58ae8075ad7 (size=16).
2019-09-23 23:31:56.808 +0530 [PNTF]: { 98: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=9899190a975987a2 b5eacde362c04df8 (size=16).
2019-09-23 23:32:02.066 +0530 [PNTF]: { 99: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=3066d34341202b49 5b10e30a449e5899 (size=16).
2019-09-23 23:32:08.722 +0530 [PNTF]: { 98: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=9899190a975987a2 b5eacde362c04df8 (size=16).
2019-09-23 23:32:15.082 +0530 [PNTF]: { 99: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=3066d34341202b49 5b10e30a449e5899 (size=16).
2019-09-23 23:32:15.115 +0530 [PNTF]: { 97: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=fd698639b5b52dba 7a7fc58ae8075ad7 (size=16).
2019-09-23 23:32:19.115 +0530 [INFO]: { 116: 118}: IPsec-SA request for 2120:122:8101:250::4 queued since no phase1 found
2019-09-23 23:32:19.115 +0530 [PNTF]: { 116: }: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: 2601:df1:e307:30::1[500]-2120:122:8101:250::4[500] cookie:c0806da5f931ddbe:0000000000000000 <====
2019-09-23 23:32:23.872 +0530 [PNTF]: { 96: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=85fef5a537002a54 ca70c0ca7f3d38cb (size=16).
2019-09-23 23:32:26.093 +0530 [PNTF]: { 99: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=3066d34341202b49 5b10e30a449e5899 (size=16).
2019-09-23 23:32:27.126 +0530 [PNTF]: { 97: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=fd698639b5b52dba 7a7fc58ae8075ad7 (size=16).
2019-09-23 23:32:29.747 +0530 [PNTF]: { 98: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=9899190a975987a2 b5eacde362c04df8 (size=16).
2019-09-23 23:32:38.114 +0530 [PNTF]: { 99: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=3066d34341202b49 5b10e30a449e5899 (size=16).
2019-09-23 23:32:41.145 +0530 [PNTF]: { 97: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=fd698639b5b52dba 7a7fc58ae8075ad7 (size=16).
2019-09-23 23:32:41.758 +0530 [PNTF]: { 98: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=9899190a975987a2 b5eacde362c04df8 (size=16).
2019-09-23 23:32:52.000 +0530 [PNTF]: { 116: }: ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE <====
====> Failed SA: 2601:df1:e307:30::1[500]-2120:122:8101:250::4[500] cookie:c0806da5f931ddbe:0000000000000000 <==== Due to timeout.
2019-09-23 23:32:52.000 +0530 [INFO]: { 116: }: ====> PHASE-1 SA DELETED <====

1 accepted solution

Accepted Solutions

Cyber Elite

There is really only 1 way an IKE Gateway (phase 1) is established. One side needs to initiate and the other side needs to respond, just like a 2-way communication (human speech for example).

 

Your message states PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE, which means YOUR side is attempting to communicate, but the RESPONDING site is not communicating with you... hence failed as initiator. Your issue (right or wrong) seems to be establishing communication from the remote side first, and then your side will either connect or will provide information about failing "as the responder" side.

 

Are you 100% able to confirm your VPN phase 1 setup traffic is being received by the other side? How do you know, and how can you show us, the laypeople who are here to assist you? At this time, I am not (yet) convinced this is your PANW issue.

 

You can go into the IKE Gateway configuration on your FW, go to the Advanced tab, and hit the check box for Passive Mode.

This will make your FW only respond when the other side initiates. Make sure you do a commit before testing.

 

Show us logs when the other side starts and we can assist you.

 

Help the community: Like helpful comments and mark solutions
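
An added example, not part of the original thread: a small Python parser for the log format posted in the question. It pairs each PHASE-1 event with its SA line and flags the case the answer describes, where the second (responder) cookie is still all zeros at timeout, meaning no reply from the peer was ever matched to the exchange. The function and field names are hypothetical, and the sample is an excerpt of the log lines from the question.

```python
import re
from datetime import datetime

# Excerpt of the IKE log lines posted in the question (not a full log).
SAMPLE_LOG = """\
2019-09-23 23:32:19.115 +0530 [PNTF]: { 116: }: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: 2601:df1:e307:30::1[500]-2120:122:8101:250::4[500] cookie:c0806da5f931ddbe:0000000000000000 <====
2019-09-23 23:32:23.872 +0530 [PNTF]: { 96: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=85fef5a537002a54 ca70c0ca7f3d38cb (size=16).
2019-09-23 23:32:52.000 +0530 [PNTF]: { 116: }: ====> PHASE-1 NEGOTIATION FAILED AS INITIATOR, MAIN MODE <====
====> Failed SA: 2601:df1:e307:30::1[500]-2120:122:8101:250::4[500] cookie:c0806da5f931ddbe:0000000000000000 <==== Due to timeout.
"""

EVENT = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d{4}) \[\w+\]: \{[^}]*\}: "
    r"====> PHASE-1 NEGOTIATION (?P<state>STARTED|FAILED) AS (?P<role>INITIATOR|RESPONDER)")
SA = re.compile(
    r"^====> (?:Initiated|Failed) SA: (?P<local>\S+)\[\d+\]-(?P<peer>\S+)\[\d+\] "
    r"cookie:(?P<icookie>[0-9a-f]{16}):(?P<rcookie>[0-9a-f]{16}) <====(?: Due to (?P<reason>\w+))?")

def failed_phase1(log_text):
    """Return one record per failed Phase-1 negotiation found in log_text."""
    started, results, pending = {}, [], None
    for line in log_text.splitlines():
        ev = EVENT.match(line)
        if ev:                      # header line; the SA detail is on the next line
            pending = ev
            continue
        sa = SA.match(line)
        if sa and pending:
            ts = datetime.strptime(pending["ts"], "%Y-%m-%d %H:%M:%S.%f %z")
            if pending["state"] == "STARTED":
                started[sa["icookie"]] = ts   # remember when this exchange began
            else:
                begun = started.get(sa["icookie"])
                results.append({
                    "peer": sa["peer"],
                    "role": pending["role"],
                    "reason": sa["reason"],
                    "seconds": (ts - begun).total_seconds() if begun else None,
                    # Responder cookie never filled in: no reply was matched.
                    "peer_silent": pending["role"] == "INITIATOR"
                                   and sa["rcookie"] == "0" * 16,
                })
        pending = None
    return results

if __name__ == "__main__":
    for rec in failed_phase1(SAMPLE_LOG):
        print(rec)
```

A record with `peer_silent` set points at the path or the remote gateway (is UDP 500 reaching the peer, and is it answering?) rather than at a proposal mismatch, which is why the answer asks for logs taken while the other side initiates.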


Hi Steve,

Thanks for your suggestion, and it's working now. 🙂
Sorry for replying late, I was OOO.
