I have a problem with VPN from PA-220 to Azure. The logs show this information : "IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA "
Every change I made it always is this same error. Is there any way to resolve this issue ?
Thanks in advance
Hi @Lukaszm1 ,
The log you have shared doesn't contain any error. It indicates that FW is trying to negotiate Phase1. The key point here is that FW is starting the negotiation ("as initiator"), due to the nature of the IPsec the initiator will not log the real reason why negotiation is failing.
You can try to enable passive mode under the IKE Gateway advance options - this will force the firewall to act only as responder and waits for the Azure to trigger negotiation. That way you should see more "detailed" log what could be the reason for the unsuccessful negotiation. Note that in thi case you need to find a way to tell Azure to start first - either by sending traffic from azure to on-prem network or by any "azure troubleshooting commands".
Hi @Lukaszm1 ,
These logs are not related to the VPN negotiation, but rather with configuration commit.
If you have enabled passive mode on the FW and you don't see anything else it probably means Azure is not even trying.
If you don't have a way to force Azure to start negotiation, you can disable again the passive mode and run packet capture for IKE packets on the FW. Under CLI run:
> debug ike pcap on (this will capture any ike packets so if you have other tunnel already running in this fw it will capture them as well)
> debug ike pcap view
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!