This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

IPSEC Phase-1 fails as initiator but not as responder

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

IPSEC Phase-1 fails as initiator but not as responder

dan731028
L3 Networker

‎03-31-2015 06:08 PM

Hello support community,
I'm using a PAN 3020 A/P cluster on the perimeter running 6.0.9.  At all of my remote sites I have a cisco ASA that uses IPSEC tunnels to connect back to the main network.  The IPSEC tunnel configuration (IKE phase 1, IKE phase 2, and peer IDs) are consistent across my remote sites (best to my knowledge).  Out of my 8 IPSEC tunnels, when I try to initiate the tunnel to one site I receive the following in the system logs where X is the remote peer and Y is the local peer: "received unencrypted Notify payload (NO-PROPOSAL-CHOSEN) from IP X.X.X.X[500] to Y.Y.Y.Y[500], ignored."  I then get: "IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: Y.Y.Y.Y[500]-72.28.162.32[500] cookie:cbf02ee495115ae1:0000000000000000. Due to timeout.'

If the PAN is the responder, the tunnel comes up: "IKE phase-1 negotiation is succeeded as responder, main mode. Established SA: Y.Y.Y.Y[500]-X.X.X.X[20796] cookie:2790c31cdce7deae:05a5f962eee2989b lifetime 86400 Sec."

Looking at the interpret-vpn-error-messages.html page, I would think if there was a proposal mismatch in the IKE Crypto profile, it would fail as both initiator and responder. I've verified the isakmp policy on the cisco side matches what's configured in the IKE Crypto policy, and I've verified the firewall is allowing the traffic via security policy.

Any ideas why I'm failing as an initiator?

2 people had this problem.
Labels:
0 Likes Likes
2 REPLIES 2

Satish
L4 Transporter

‎03-31-2015 10:00 PM

Hi Dan,


IPSec Interoperability Between Palo Alto Firewalls and Cisco ASA


Please find the below link for the Ipsec VPN configuration :-

https://live.paloaltonetworks.com/docs/DOC-2579

https://live.paloaltonetworks.com/docs/DOC-6791

Kindly let us know if  any further support is required.

Regards

Satish

0 Likes Likes

pulukas
L7 Applicator

‎04-01-2015 03:14 AM

Since you know the actual crypto settings are correct, I would suspect one of these:

There is some kind of firewall blocking your request as initiator to the ASA interface.  But as a responder you match the session created by the ASA so it works.

The Cisco configuration has the initiator only command in the configuration so it will not respond.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes
  • 4494 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks