Faild Starting Phase1

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Faild Starting Phase1

L4 Transporter

Hi Group I am really ready to pull the hair out of my head.  🙂

For 3 months or so, I have had a VPN between my PA-200 to a PA-500 at my remote office. All was working fine.

Last night I come back into the office to find the VPN down, and not sure why. I am looking at my PA-200 which has exact configuration.

I can see via my pcaps that I am attempting to transmit my IPSEC traffic via agressive mode from my PA-200 to my destination PA-500 FW.

On my PA-500, I look in the system logs, and am seeing countless of messages "failed starting phase1"

Ok, I re-did my entire configuration on the PA-500, deleted old config, commit, created new config, and then commit.

Still getting failed starting phase1 I need to understand WHY is happening.

I do not have any insight or log to determine why it is failing to start. My PA-200 has dynamic IP, so I know my local PA-200 which be initiating the tunnel.

Looking at my traffic logs, and filtering on the public IP of my PA-200, I am not seeing any matching traffic.

No changes to my policy, but now, I am starting to open my firewall open in hopes to catch some sort of inbound traffic.

I could use some insight on this.



L4 Transporter

Well, I have no idea, but because I am playing in a lab, I just deleted all my rules and started over. The VPN tunnel is now back up with a smaller subset the exact rules. This is the 5th time I have seen a perfectly working VPN configuration just stop working and by putting in a different policy, it just magically works. I think there is something to be investigated in this 5.0.2 to 5.0.4 software......

Have you filed this as a bug to the support?

I have seen some threads aswell in this forum regarding VPN issues which seems to be fixed when you recreate the VPN settings.

One of the issues I think was when the order of where the VPN settings are placed within the running-config file was changed between two releases.

Is it possible for you to do a diff between the faulting config and the config which now works? Im thinking of if some naming standards has been changed which wasnt pickedup by the conversation scripts (which I assume exists when you go from one version into another?).

  • 2 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!