01-12-2014 06:44 PM
I tried to configure a site-to-site VPN from PAN 5.0.5 to Juniper Netscreen OS.
Even when I type a very easy pre-shared key, PAN always shows
"IKE phase-1 negotiation is failed likely due to pre-shared key mismatch"
Does anyone have any suggestions?
Thank you.
01-12-2014 11:23 PM
Hello Sir,
Could you please re-enter the pre-shared key on the other end device also. Also try below mentioned steps:
1. Clear any discard-state session for S-port=500 and d-port=500 with the help of CLI command
> clear session all filter state discard source-port 500 destination-port 500
If this is the only VPN tunnel configured on this PAN firewall, then also try:
> clear session all filter source-port 500 destination-port 500
2. Try making the PAN firewall the responder for the VPN and test.
Thanks
01-13-2014 03:03 AM
Hi HULK,
Thanks for your reply ^^ I've tried your suggestion but still no luck. I tried to examine the hash of the pre-shared key on both sides, but I think it will not help (just in case it is stored with the same hash but it turns out different, but I don't doubt that).
Here's what I got on ScreenOS.
2014-01-13 17:36:27 info IKE "PAN-IP" phase 1:The symmetric crypto key has been generated successfully.
2014-01-13 17:36:27 info IKE"ScreenOS-IP" "PAN-IP" Phase 1: Initiated negotiations in main mode.
2014-01-13 17:36:15 info IKE "PAN-IP" Phase 1: Retransmission limit has been reached.
2014-01-13 17:35:27 info IKE "PAN-IP" phase 1:The symmetric crypto key has been generated successfully.
2014-01-13 17:35:27 info IKE"ScreenOS-IP" "PAN-IP" Phase 1: Initiated negotiations in main mode.
2014-01-13 17:35:15 info IKE "PAN-IP" Phase 1: Retransmission limit has been reached.
2014-01-13 17:34:27 info IKE "PAN-IP" phase 1:The symmetric crypto key has been generated successfully.
2014-01-13 17:34:27 info IKE"ScreenOS-IP" "PAN-IP" Phase 1: Initiated negotiations in main mode.
And here is what I got from PAN-OS 5.0.5:
1 13-01-14 17:46 9401000816 SYSTEM vpn 0 13-01-14 17:46 ike-nego-p1-delete Office_VPNGW 0 0 general informational IKE phase-1 SA is deleted SA: "PAN-IP"[500]-"ScreenOS-IP"[500] cookie:55d138c5d3a1bffd:4b28a9d9c57d8fbd. 64352 0x0
1 13-01-14 17:46 9401000816 SYSTEM vpn 0 13-01-14 17:46 ike-nego-p1-fail Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed as responder, main mode. Failed SA: "PAN-IP"[500]-"ScreenOS-IP"[500] cookie:55d138c5d3a1bffd:4b28a9d9c57d8fbd. Due to timeout. 64351 0x0
1 13-01-14 17:45 9401000816 SYSTEM vpn 0 13-01-14 17:45 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64350 0x0
1 13-01-14 17:45 9401000816 SYSTEM vpn 0 13-01-14 17:45 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64349 0x0
1 13-01-14 17:45 9401000816 SYSTEM vpn 0 13-01-14 17:45 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64348 0x0
1 13-01-14 17:45 9401000816 SYSTEM vpn 0 13-01-14 17:45 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64347 0x0
1 13-01-14 17:45 9401000816 SYSTEM vpn 0 13-01-14 17:45 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64346 0x0
1 13-01-14 17:45 9401000816 SYSTEM vpn 0 13-01-14 17:45 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64345 0x0
1 13-01-14 17:45 9401000816 SYSTEM vpn 0 13-01-14 17:45 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64344 0x0
1 13-01-14 17:45 9401000816 SYSTEM vpn 0 13-01-14 17:45 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64343 0x0
1 13-01-14 17:45 9401000816 SYSTEM vpn 0 13-01-14 17:45 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64342 0x0
1 13-01-14 17:45 9401000816 SYSTEM vpn 0 13-01-14 17:45 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64341 0x0
1 13-01-14 17:45 9401000816 SYSTEM vpn 0 13-01-14 17:45 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64340 0x0
1 13-01-14 17:45 9401000816 SYSTEM vpn 0 13-01-14 17:45 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64339 0x0
1 13-01-14 17:45 9401000816 SYSTEM vpn 0 13-01-14 17:45 ike-nego-p1-start Office_VPNGW 0 0 general informational IKE phase-1 negotiation is started as responder, main mode. Initiated SA: "PAN-IP"[500]-"ScreenOS-IP"[500] cookie:55d138c5d3a1bffd:4b28a9d9c57d8fbd. 64338 0x0
1 13-01-14 17:45 9401000816 SYSTEM vpn 0 13-01-14 17:45 ike-nego-p1-delete Office_VPNGW 0 0 general informational IKE phase-1 SA is deleted SA: "PAN-IP"[500]-"ScreenOS-IP"[500] cookie:b8cfe8c9f96e4225:b688c89484088d3c. 64337 0x0
1 13-01-14 17:45 9401000816 SYSTEM vpn 0 13-01-14 17:45 ike-nego-p1-fail Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed as responder, main mode. Failed SA: "PAN-IP"[500]-"ScreenOS-IP"[500] cookie:b8cfe8c9f96e4225:b688c89484088d3c. Due to timeout. 64336 0x0
1 13-01-14 17:44 9401000816 SYSTEM vpn 0 13-01-14 17:44 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64335 0x0
1 13-01-14 17:44 9401000816 SYSTEM vpn 0 13-01-14 17:44 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64334 0x0
1 13-01-14 17:44 9401000816 SYSTEM vpn 0 13-01-14 17:44 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64333 0x0
1 13-01-14 17:44 9401000816 SYSTEM vpn 0 13-01-14 17:44 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64332 0x0
1 13-01-14 17:44 9401000816 SYSTEM vpn 0 13-01-14 17:44 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64331 0x0
1 13-01-14 17:44 9401000816 SYSTEM vpn 0 13-01-14 17:44 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64330 0x0
1 13-01-14 17:44 9401000816 SYSTEM vpn 0 13-01-14 17:44 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64329 0x0
1 13-01-14 17:44 9401000816 SYSTEM vpn 0 13-01-14 17:44 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64328 0x0
1 13-01-14 17:44 9401000816 SYSTEM vpn 0 13-01-14 17:44 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64327 0x0
1 13-01-14 17:44 9401000816 SYSTEM vpn 0 13-01-14 17:44 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64326 0x0
1 13-01-14 17:44 9401000816 SYSTEM vpn 0 13-01-14 17:44 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64325 0x0
1 13-01-14 17:44 9401000816 SYSTEM vpn 0 13-01-14 17:44 ike-nego-p1-fail-psk Office_VPNGW 0 0 general informational IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. 64324 0x0
1 13-01-14 17:44 9401000816 SYSTEM vpn 0 13-01-14 17:44 ike-nego-p1-start Office_VPNGW 0 0 general informational IKE phase-1 negotiation is started as responder, main mode. Initiated SA: "PAN-IP"[500]-"ScreenOS-IP"[500] cookie:b8cfe8c9f96e4225:b688c89484088d3c. 64323 0x0
T^T
01-13-2014 07:39 AM
Hello Sir,
Thanks for your update and could you please go through the knowledge base article IKE Phase-1 Negotiation is Failed as Responder and verify all settings again.
Check the routing table of devices between the firewalls. A route table entry may need to be added or removed to provide proper network connectivity.
Thanks
01-14-2014 02:30 AM
Hi HULK,
^^ Here is what I've seen.
[AM] Yes, from PAN I could not ping the other VPN gateway because it was not allowed on PAN. But after allowing it, I still have the same problem.
[AM] Nah. After the policy to allow traffic was added, ping succeeds whether or not the source IP is specified.
[AM] The VPN never came up since it is "likely" a mismatch -_-"
[AM] Yes, I think so. Only the PAN is newly established, but with the same configuration as the others.
[AM] Yes, all required IPSec traffic has been allowed.
I really doubt that the pre-shared key is "likely" not matching. How can this happen, and is there any way to do a deep diagnostic?
Again, I typed and retyped it, starting from the usual complexity of 20 characters with symbols and numbers like on other firewall brands, but without success. I moved down a little and now it is very simple, 15 characters only, and it still "likely" does not match T^T
01-14-2014 07:01 AM
Hello Sir,
I would request that you open a case with PAN support for this issue and please share the case ID here.
Thanks
01-16-2014 07:19 PM
Hi HULK,
Thank you for your help. I'm now able to solve this. It was a compatibility issue. I've discovered that Juniper states SHA2-256 but PAN states sha256 -> I expected these to give the same result, but they do not.
So falling back to SHA1 is my solution to this event.
One more fix for PAN -> I expect a better error message, not just "likely" LoL ^^
To HULK: thanks a lot.
AM
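Why a hash interoperability problem shows up as a "likely" pre-shared key mismatch, as an added example that is not part of the original thread or either vendor's code: in IKEv1 main mode with PSK authentication (RFC 2409), the message 5 encryption key and HASH_I are both derived from the PSK through HMAC of the negotiated hash, so the responder sees the same failure for a wrong key and for a peer that computes that PRF differently. The PSK and all exchange values are constructed, and `sha512` is only a stand-in for "the peer computes the PRF differently"; the thread does not say how the two implementations differed.

```python
import hmac

def prf(hash_name, key, data):
    """IKEv1 default PRF: HMAC of the negotiated hash (RFC 2409)."""
    return hmac.new(key, data, hash_name).digest()

def hash_i(hash_name, psk, x):
    """HASH_I, the authentication value the initiator sends in message 5."""
    skeyid = prf(hash_name, psk, x["Ni"] + x["Nr"])  # PSK authentication
    return prf(hash_name, skeyid, x["g_xi"] + x["g_xr"] + x["CKY_I"]
               + x["CKY_R"] + x["SAi"] + x["IDii"])

def skeyid_e(hash_name, psk, x):
    """Keying material that encrypts main-mode messages 5 and 6."""
    skeyid = prf(hash_name, psk, x["Ni"] + x["Nr"])
    tail = x["g_xy"] + x["CKY_I"] + x["CKY_R"]
    d = prf(hash_name, skeyid, tail + b"\x00")
    a = prf(hash_name, skeyid, d + tail + b"\x01")
    return prf(hash_name, skeyid, a + tail + b"\x02")

def responder_accepts(init_hash, init_psk, resp_hash, resp_psk, x):
    """True only if the responder can decrypt message 5 and verify HASH_I."""
    same_key = hmac.compare_digest(skeyid_e(init_hash, init_psk, x),
                                   skeyid_e(resp_hash, resp_psk, x))
    same_auth = hmac.compare_digest(hash_i(init_hash, init_psk, x),
                                    hash_i(resp_hash, resp_psk, x))
    return same_key and same_auth

# Constructed values standing in for one captured main-mode exchange.
EXCHANGE = {
    "Ni": bytes(range(16)), "Nr": bytes(range(16, 32)),
    "g_xi": b"\x11" * 128, "g_xr": b"\x22" * 128, "g_xy": b"\x33" * 128,
    "CKY_I": bytes.fromhex("0102030405060708"),
    "CKY_R": bytes.fromhex("1112131415161718"),
    "SAi": b"constructed-sa-payload", "IDii": b"constructed-id-payload",
}
PSK = b"constructed-psk"  # constructed, 15 characters

def outcomes():
    """Responder's verdict per scenario; both failures look identical to it."""
    x = EXCHANGE
    return {
        "matching_sha256": responder_accepts("sha256", PSK, "sha256", PSK, x),
        "wrong_psk": responder_accepts("sha256", PSK, "sha256", b"other-psk", x),
        # Same PSK on both ends, but the peer's PRF output differs (stand-in).
        "prf_disagreement": responder_accepts("sha256", PSK, "sha512", PSK, x),
        "fallback_sha1": responder_accepts("sha1", PSK, "sha1", PSK, x),
    }

if __name__ == "__main__":
    for name, ok in outcomes().items():
        print(f"{name:18} responder accepts: {ok}")
```

When the PSK has been re-entered and confirmed on both ends and the error persists, comparing the phase-1 hash and encryption settings, or testing with a different hash as AM did, is the next diagnostic step.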