IKE SA negotiation is started as initiator, non-rekey

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

IKE SA negotiation is started as initiator, non-rekey

L1 Bithead

Hello :),

I have a problem with VPN from PA-220 to Azure. The logs show this information : "IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA " 

Every change I made it always is this same error. Is there any way to resolve this issue ?

 

 

Thanks in advance 🙂

9 REPLIES 9

Hi @Lukaszm1 ,

 

The log you have shared doesn't contain any error. It indicates that FW is trying to negotiate Phase1. The key point here is that FW is starting the negotiation ("as initiator"), due to the nature of the IPsec the initiator will not log the real reason why negotiation is failing.

 

You can try to enable passive mode under the IKE Gateway advance options - this will force the firewall to act only as responder and waits for the Azure to trigger negotiation. That way you should see more "detailed" log what could be the reason for the unsuccessful negotiation. Note that in thi case you need to find a way to tell Azure to start first - either by sending traffic from azure to on-prem network or by any "azure troubleshooting commands".

Hi ,

Thanks for fast replay , i try this but still no luck,  It is also very strange i have this same configuration on different location and it works without any problems. 

 

 

After change the ike to passive i have this information in logs :

 

Lukaszm1_0-1620811014093.png

 

Hi @Lukaszm1 ,

 

These logs are not related to the VPN negotiation, but rather with configuration commit.AlexanderAstardzhiev_0-1620827089325.png

 

If you have enabled passive mode on the FW and you don't see anything else it probably means Azure is not even trying.

If you don't have a way to force Azure to start negotiation, you can disable again the passive mode and run packet capture for IKE packets on the FW. Under CLI run:
> debug ike pcap on (this will capture any ike packets so if you have other tunnel already running in this fw it will capture them as well)
> debug ike pcap view

 

Hi,

Thanks again, I found what was the problem, I make a mistake in polices and there was a bad ip address on it to the azure ;/ . 

No it is working 🙂

 

Thanks ! 🙂 

 

Hi @Lukaszm1

I'm having the very same issue, 

 

What do you mean by "there was a bad IP on it to azure"?

Thanks!

Hi @bcalderon 

Check the configuration on the Policies there should be entry with information that You allow the connection from Your WAN ip address to the other site IP Address.  

L1 Bithead

Hello @Lukaszm1 

So a Security Policy could prevent the establishment of phase 1? 
I thought a policy could affect the traffic flow between zones, but once the tunnel was up and running...

 

Thanks, going to check that

Hello @bcalderon 

In My case it do the job, after add proper ip address it established with no problem. Try to do that and see what happend. On the application add " ike and ipsec" it should be enough to have more granular control. 

L1 Bithead

Hello @Lukaszm1

Thanks a lot for your help, 

 

Actually, the issue was solved with a reboot haha, 

 

When doubt, reboot!

Regards.

  • 22567 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!