IKE phase 2 negotiation fail

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

IKE phase 2 negotiation fail

L1 Bithead

Hi,

I'm having a hard time bringing up a VPN tunnel from my PA-5020 to a Cisco firewall.  I'm getting the following:

'IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: 10.13.247.43/32 type IPv4_address protocol 0 port 0, received remote id: 192.168.10.200/32 type IPv4_address protocol 0 port 0.'

My search indicates that it's a mismatch with the Cisco firewall ACL.  Would I be correct in assuming that their ACL references address protocol 0 port 0 instead of the specific ports we agreed upon during the design?

Thanks.

1 accepted solution

Accepted Solutions

L1 Bithead

Sorry for the late reply.  Missing proxy-ID was the problem.  Fixed now.  Thank you!

View solution in original post

3 REPLIES 3

L7 Applicator

Hello przyboro,

Generally speaking, most of the customer refers only local and remote subnet. As per the logs, please ensure that PAN is configured with Local PROXY ID as 192.168.10.200/32 and remote PROXY ID as 10.13.247.43/32. Please find below an example:

proxy-ID.JPG

Notes: If you have specified any port and protocol in Cisco ACL, then only, it is required to add on PAN firewall.

Hope this helps.

Thanks

Thank you for this information.  I will be testing this out shortly.

L1 Bithead

Sorry for the late reply.  Missing proxy-ID was the problem.  Fixed now.  Thank you!

  • 1 accepted solution
  • 4508 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!