Always get "likely" pre-shared key mismatch


I tried to configure a site-to-site VPN from PAN 5.0.5 to Juniper Netscreen OS.

Even when I type a very easy pre-shared key, the PAN always shows

"IKE phase-1 negotiation is failed likely due to pre-shared key mismatch"

Anyone have any suggestion?

Thank you.


Hello Sir,

Could you please re-enter the pre-shared key on the other end device also. Also try below mentioned steps:

1. Clear any discard-state session for S-port=500 and d-port=500 with the help of CLI command

> clear session all filter state discard source-port 500 destination-port 500

If this is the only VPN tunnel configured on this PAN firewall, then also try:

> clear session all filter source-port 500 destination-port 500

2. Try to make the PAN firewall as a responder for VPN and test.

Thanks

Hi HULK,

Thanks for your reply ^^ I've tried your suggestion but still no luck. I tried to examine the hash of the pre-shared key on both sides, but I think it will not help (just in case it is stored with the same hash, but it turned out different, though I don't doubt that).

Here's what I got on ScreenOS.

2014-01-13 17:36:27    info    IKE "PAN-IP" phase 1:The symmetric crypto key has been generated successfully.

2014-01-13 17:36:27    info    IKE"ScreenOS-IP" "PAN-IP" Phase 1: Initiated negotiations in main mode.

2014-01-13 17:36:15    info    IKE "PAN-IP" Phase 1: Retransmission limit has been reached.

2014-01-13 17:35:27    info    IKE "PAN-IP" phase 1:The symmetric crypto key has been generated successfully.

2014-01-13 17:35:27    info    IKE"ScreenOS-IP" "PAN-IP" Phase 1: Initiated negotiations in main mode.

2014-01-13 17:35:15    info    IKE "PAN-IP" Phase 1: Retransmission limit has been reached.

2014-01-13 17:34:27    info    IKE "PAN-IP" phase 1:The symmetric crypto key has been generated successfully.

2014-01-13 17:34:27    info    IKE"ScreenOS-IP" "PAN-IP" Phase 1: Initiated negotiations in main mode.

And here is what I got from PAN-OS 5.0.5:

1    13-01-14 17:46    9401000816    SYSTEM    vpn    0    13-01-14 17:46        ike-nego-p1-delete    Office_VPNGW    0    0    general    informational    IKE phase-1 SA is deleted SA: "PAN-IP"[500]-"ScreenOS-IP"[500] cookie:55d138c5d3a1bffd:4b28a9d9c57d8fbd.    64352    0x0

1    13-01-14 17:46    9401000816    SYSTEM    vpn    0    13-01-14 17:46        ike-nego-p1-fail    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed as responder, main mode. Failed SA: "PAN-IP"[500]-"ScreenOS-IP"[500] cookie:55d138c5d3a1bffd:4b28a9d9c57d8fbd. Due to timeout.    64351    0x0

1    13-01-14 17:45    9401000816    SYSTEM    vpn    0    13-01-14 17:45        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64350    0x0

1    13-01-14 17:45    9401000816    SYSTEM    vpn    0    13-01-14 17:45        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64349    0x0

1    13-01-14 17:45    9401000816    SYSTEM    vpn    0    13-01-14 17:45        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64348    0x0

1    13-01-14 17:45    9401000816    SYSTEM    vpn    0    13-01-14 17:45        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64347    0x0

1    13-01-14 17:45    9401000816    SYSTEM    vpn    0    13-01-14 17:45        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64346    0x0

1    13-01-14 17:45    9401000816    SYSTEM    vpn    0    13-01-14 17:45        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64345    0x0

1    13-01-14 17:45    9401000816    SYSTEM    vpn    0    13-01-14 17:45        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64344    0x0

1    13-01-14 17:45    9401000816    SYSTEM    vpn    0    13-01-14 17:45        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64343    0x0

1    13-01-14 17:45    9401000816    SYSTEM    vpn    0    13-01-14 17:45        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64342    0x0

1    13-01-14 17:45    9401000816    SYSTEM    vpn    0    13-01-14 17:45        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64341    0x0

1    13-01-14 17:45    9401000816    SYSTEM    vpn    0    13-01-14 17:45        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64340    0x0

1    13-01-14 17:45    9401000816    SYSTEM    vpn    0    13-01-14 17:45        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64339    0x0

1    13-01-14 17:45    9401000816    SYSTEM    vpn    0    13-01-14 17:45        ike-nego-p1-start    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is started as responder, main mode. Initiated SA: "PAN-IP"[500]-"ScreenOS-IP"[500] cookie:55d138c5d3a1bffd:4b28a9d9c57d8fbd.    64338    0x0

1    13-01-14 17:45    9401000816    SYSTEM    vpn    0    13-01-14 17:45        ike-nego-p1-delete    Office_VPNGW    0    0    general    informational    IKE phase-1 SA is deleted SA: "PAN-IP"[500]-"ScreenOS-IP"[500] cookie:b8cfe8c9f96e4225:b688c89484088d3c.    64337    0x0

1    13-01-14 17:45    9401000816    SYSTEM    vpn    0    13-01-14 17:45        ike-nego-p1-fail    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed as responder, main mode. Failed SA: "PAN-IP"[500]-"ScreenOS-IP"[500] cookie:b8cfe8c9f96e4225:b688c89484088d3c. Due to timeout.    64336    0x0

1    13-01-14 17:44    9401000816    SYSTEM    vpn    0    13-01-14 17:44        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64335    0x0

1    13-01-14 17:44    9401000816    SYSTEM    vpn    0    13-01-14 17:44        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64334    0x0

1    13-01-14 17:44    9401000816    SYSTEM    vpn    0    13-01-14 17:44        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64333    0x0

1    13-01-14 17:44    9401000816    SYSTEM    vpn    0    13-01-14 17:44        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64332    0x0

1    13-01-14 17:44    9401000816    SYSTEM    vpn    0    13-01-14 17:44        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64331    0x0

1    13-01-14 17:44    9401000816    SYSTEM    vpn    0    13-01-14 17:44        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64330    0x0

1    13-01-14 17:44    9401000816    SYSTEM    vpn    0    13-01-14 17:44        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64329    0x0

1    13-01-14 17:44    9401000816    SYSTEM    vpn    0    13-01-14 17:44        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64328    0x0

1    13-01-14 17:44    9401000816    SYSTEM    vpn    0    13-01-14 17:44        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64327    0x0

1    13-01-14 17:44    9401000816    SYSTEM    vpn    0    13-01-14 17:44        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64326    0x0

1    13-01-14 17:44    9401000816    SYSTEM    vpn    0    13-01-14 17:44        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64325    0x0

1    13-01-14 17:44    9401000816    SYSTEM    vpn    0    13-01-14 17:44        ike-nego-p1-fail-psk    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.    64324    0x0

1    13-01-14 17:44    9401000816    SYSTEM    vpn    0    13-01-14 17:44        ike-nego-p1-start    Office_VPNGW    0    0    general    informational    IKE phase-1 negotiation is started as responder, main mode. Initiated SA: "PAN-IP"[500]-"ScreenOS-IP"[500] cookie:b8cfe8c9f96e4225:b688c89484088d3c.    64323    0x0

T^T

Hello Sir,

Thanks for your update. Could you please go through the knowledge base article "IKE Phase-1 Negotiation is Failed as Responder" and verify all settings again.

  • It is not possible to ping from the VPN gateway IP of the PAN to the VPN gateway IP of the firewall at the other end of the tunnel.
  • It is possible to ping from the PAN to the VPN gateway IP of the other firewall if a source IP (PAN VPN gateway IP) is not specified.
  • The IPSec VPN is working correctly.
  • VPN configuration is correct on both firewalls.
  • Security policy configuration is correct on both firewalls.

Resolution

Check the routing table of devices between the firewalls.  A route table entry may need to be added or removed to provide proper network connectivity.

Thanks

Hi HULK,

^^ here what I've seen.

  • It is not possible to ping from the VPN gateway IP of the PAN to the VPN gateway IP of the firewall at the other end of the tunnel.

[AM] Yes, the PAN could not ping the other VPN gateway because it was not allowed on the PAN. But after allowing it, I still have the same problem.

  • It is possible to ping from the PAN to the VPN gateway IP of the other firewall if a source IP (PAN VPN gateway IP) is not specified.

[AM] Nah. After the policy to allow traffic was added, ping succeeds whether or not the source IP is specified.

  • The IPSec VPN is working correctly.

[AM] The VPN never came up since it is a "likely" mismatch -_-"

  • VPN configuration is correct on both firewalls.

[AM] Yes, I think so. Only the PAN is newly established, but with the same configuration as the others.

  • Security policy configuration is correct on both firewalls.

[AM] Yes, all required IPSec traffic has been allowed.

I really doubt that the pre-shared key is "likely" not matching. How can this happen, and is there any way to do a deep diagnostic?

Again, I typed and retyped it, starting from the general complexity of 20 characters with symbols and numbers like on other firewall brands, but without success. Then I moved down a little, and now it is very simple, 15 characters only, and it is still "likely" not matching T^T

Hello Sir,

I would request you to open a case with PAN support for this issue, and please share the case ID here.

Thanks

Hi HULK,

Thank you for your help. I'm now able to solve this. It was a compatibility issue. I've discovered that Juniper states SHA2-256 but PAN states sha256 -> I expected these to give the same result, but they do not.

So falling back to SHA1 is my solution to this event.

One more fix for PAN -> I expect a better error message, not just "likely" LoL ^^

To HULK: thanks a lot.

AM
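
Why a hash incompatibility can surface as a "likely" pre-shared key mismatch, shown as an added Python example that is not part of the original thread: in IKEv1 main mode with a PSK (RFC 2409), the key that protects messages 5 and 6 is derived from the PSK through the HMAC of the negotiated hash, so the responder sees the same undecryptable message whether the PSK or the PRF differs. The cookies come from the PAN-OS log above (initiator:responder order assumed); the nonces, DH secret and PSK are constructed, and `sha1` is only a stand-in for a peer that computes the PRF differently, which the thread does not pin down.

```python
import hashlib
import hmac

def prf(alg: str, key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC over the hash a device actually computes (RFC 2409)."""
    return hmac.new(key, data, alg).digest()

def skeyid_e(alg, psk, ni, nr, gxy, cky_i, cky_r):
    """Derive SKEYID_e, the keying material that encrypts main-mode messages 5 and 6."""
    skeyid = prf(alg, psk, ni + nr)                  # SKEYID = prf(PSK, Ni_b | Nr_b)
    tail = gxy + cky_i + cky_r                       # g^xy | CKY-I | CKY-R
    skeyid_d = prf(alg, skeyid, tail + b"\x00")
    skeyid_a = prf(alg, skeyid, skeyid_d + tail + b"\x01")
    return prf(alg, skeyid, skeyid_a + tail + b"\x02")

# Cookies are taken from the PAN-OS log in the thread; all other values are constructed.
CKY_I = bytes.fromhex("55d138c5d3a1bffd")
CKY_R = bytes.fromhex("4b28a9d9c57d8fbd")
NI, NR = b"\x11" * 16, b"\x22" * 16                  # constructed nonces
GXY = b"\x33" * 128                                  # constructed DH shared secret
PSK = b"constructed-psk"                             # constructed pre-shared key

def responder_view(peer_psk, peer_alg, local_psk=PSK, local_alg="sha256"):
    """Simplified model: the responder only learns whether both ends hold the
    same SKEYID_e. If not, message 5 decrypts to garbage, whatever the cause."""
    mine = skeyid_e(local_alg, local_psk, NI, NR, GXY, CKY_I, CKY_R)
    theirs = skeyid_e(peer_alg, peer_psk, NI, NR, GXY, CKY_I, CKY_R)
    if hmac.compare_digest(mine, theirs):
        return "phase-1 continues"
    return "likely pre-shared key mismatch"

if __name__ == "__main__":
    cases = [
        ("same PSK, same PRF", PSK, "sha256"),
        ("wrong PSK, same PRF", b"some-other-psk", "sha256"),
        ("same PSK, peer PRF differs", PSK, "sha1"),
    ]
    for label, psk, alg in cases:
        print(f"{label:28s} -> {responder_view(psk, alg)}")
```

The last two cases produce the same verdict, which is why the responder can only report the key mismatch as "likely" and why checking the phase-1 hash setting on both peers belongs next to re-typing the key.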
