04-04-2019 01:10 PM
Hi all,
I've just installed a PA 3220 and there are dynamic VPN tunnels. IKEs are up. However, phase 2 (tunnels) aren't coming up.
Looking at the logs, I see the following for all VPNs.
"initiate negotiation to dynamic peer from IKE gateway is not allowed"
My outside interface is allowing IKE and IPSec, I don't see packets being dropped.
04-04-2019 02:09 PM - edited 04-04-2019 02:10 PM
Do you have any other logs?
04-05-2019 03:35 AM
That's what I can see in the logs.
04-05-2019 01:07 PM
Whatever firewall is the dynamic peer needs to be the initiator of the VPN tunnel and not the responder. Ensure that you don't have the "Enable Passive Mode" option checked.
01-14-2020 05:58 AM - edited 01-14-2020 06:00 AM
The Enable Passive Mode option should be checked on the non-dynamic addressed firewall and not on the dynamic remote firewalls?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMZCA0
"With this option enabled, the firewall responds to incoming connection negotiations as it would normally do, but it will no longer initiate outgoing negotiations. "
01-14-2020 06:06 AM
Correct. On the non-dynamic firewall you want passive-mode enabled, and on the dynamic firewall you want to ensure that passive mode is not enabled. That will ensure that only the dynamic firewall is attempting to establish communication with the non-dynamic firewall, which works perfectly fine.
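The rule stated in the replies above (the firewall with a dynamic peer must be the responder, so passive mode goes on the static-address side only) can be checked mechanically against an exported gateway configuration. The following script is an added example and is not code from the thread or from Palo Alto Networks; it assumes an XML layout loosely modelled on a PAN-OS config export (`network/ike/gateway/entry` with `peer-address/dynamic` or `peer-address/ip` and `protocol-common/passive-mode`), treats an absent `passive-mode` element as "no", and runs over two constructed sample configs, one per side of the tunnel.

```python
"""Audit IKE gateway entries for the passive-mode / dynamic-peer mismatch.

Rule from the thread: a gateway whose peer address is dynamic cannot initiate,
so passive mode must be enabled on that (static-address) side; the
dynamically addressed side must keep passive mode off so that it initiates.

All XML below is CONSTRUCTED for this example. The element names follow the
general shape of a PAN-OS config export but are an assumption, not taken from
the original post or from any vendor documentation.
"""
import xml.etree.ElementTree as ET

# Constructed sample: config of the firewall with a static public address.
# GW-branch-A is the misconfiguration described in the thread (dynamic peer,
# passive mode off); GW-branch-B is the corrected form.
STATIC_SIDE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><network><ike><gateway>
  <entry name="GW-branch-A">
    <protocol-common><passive-mode>no</passive-mode></protocol-common>
    <peer-address><dynamic/></peer-address>
    <local-address><interface>ethernet1/1</interface></local-address>
  </entry>
  <entry name="GW-branch-B">
    <protocol-common><passive-mode>yes</passive-mode></protocol-common>
    <peer-address><dynamic/></peer-address>
    <local-address><interface>ethernet1/1</interface></local-address>
  </entry>
</gateway></ike></network></entry></devices></config>
"""

# Constructed sample: config of a branch firewall whose own address is dynamic.
# GW-to-HQ is correct (static peer, initiates). GW-to-DR has passive mode on
# with a static peer, which only works if the remote end initiates.
DYNAMIC_SIDE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><network><ike><gateway>
  <entry name="GW-to-HQ">
    <peer-address><ip>203.0.113.10</ip></peer-address>
    <local-address><interface>ethernet1/1</interface></local-address>
  </entry>
  <entry name="GW-to-DR">
    <protocol-common><passive-mode>yes</passive-mode></protocol-common>
    <peer-address><ip>198.51.100.20</ip></peer-address>
    <local-address><interface>ethernet1/1</interface></local-address>
  </entry>
</gateway></ike></network></entry></devices></config>
"""


def _text(entry, path, default=""):
    """Return the stripped text of a child element, or default if absent."""
    node = entry.find(path)
    return (node.text or "").strip() if node is not None else default


def gateway_facts(entry):
    """Pull out the fields the rule depends on from one <entry> element."""
    # An empty <dynamic/> element is falsy in ElementTree, so test against None.
    dynamic_peer = entry.find("peer-address/dynamic") is not None
    # Assumption: a missing passive-mode element means passive mode is off.
    passive = _text(entry, "protocol-common/passive-mode", "no").lower() == "yes"
    return {
        "name": entry.get("name", "?"),
        "dynamic_peer": dynamic_peer,
        "peer_ip": _text(entry, "peer-address/ip"),
        "passive": passive,
    }


def audit_ike_gateways(xml_text):
    """Classify every gateway as OK, CHECK, or MISCONFIGURED with a reason."""
    root = ET.fromstring(xml_text)
    findings = []
    for entry in root.findall(".//ike/gateway/entry"):
        f = gateway_facts(entry)
        if f["dynamic_peer"] and not f["passive"]:
            f["status"] = "MISCONFIGURED"
            f["detail"] = ("dynamic peer with passive mode off: this side will try to "
                           "initiate and log 'initiate negotiation to dynamic peer from "
                           "IKE gateway is not allowed'; enable passive mode here")
        elif f["dynamic_peer"]:
            f["status"] = "OK"
            f["detail"] = "responder only; the dynamically addressed peer must initiate"
        elif f["passive"]:
            f["status"] = "CHECK"
            f["detail"] = ("static peer with passive mode on: the tunnel only comes up "
                           "if the remote side initiates")
        else:
            f["status"] = "OK"
            f["detail"] = "initiates to a static peer address"
        findings.append(f)
    return findings


def misconfigured(findings):
    """Names of gateways that will produce the error from the original post."""
    return [f["name"] for f in findings if f["status"] == "MISCONFIGURED"]


if __name__ == "__main__":
    for label, cfg in (("static side", STATIC_SIDE_CONFIG),
                       ("dynamic side", DYNAMIC_SIDE_CONFIG)):
        print(f"== {label} ==")
        for f in audit_ike_gateways(cfg):
            print(f"{f['name']:<14} {f['status']:<14} {f['detail']}")
```

Run it against a real export by replacing the constructed strings with the contents of the saved configuration; the only fields it reads are the peer address type and the passive-mode flag, so any gateway flagged MISCONFIGURED is one where the static side is trying to initiate toward a dynamic peer, which is exactly the condition the thread resolves by turning passive mode on.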