IPSec Phase 1 tunnel not connecting

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

IPSec Phase 1 tunnel not connecting

L0 Member

Hello Everyone,

 

Need your support to fix a FW to FW PA IPSec Phase 1 tunnel not connecting.

 

I have checked the setting with the vendor and configuration is same at both the ends.

 

Below are the debug logs from PA

 

2023-11-30 14:30:40.000 +0400 [DEBG]: { 3: }: 180 bytes from 5.41.58.98[500] to 215.70.10.151[500]
2023-11-30 14:30:40.000 +0400 [DEBG]: 5.41.58.98[500] - 215.70.10.151[500]:(nil) 1 times of 180 bytes message will be sent over socket 1024
2023-11-30 14:30:40.000 +0400 [DEBG]: { 3: }: resend phase1 packet 440c0aafbf89757a:29c7baa57f364bfa, retry 1
2023-11-30 14:30:40.004 +0400 [DEBG]: processing isakmp packet
2023-11-30 14:30:40.004 +0400 [DEBG]: ===
2023-11-30 14:30:40.004 +0400 [DEBG]: 92 bytes message received from 215.70.10.151
2023-11-30 14:30:40.004 +0400 [DEBG]: chk packet 50089829:20 size 92, rcp 2, NF rc -1
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: begin decryption.
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: encryption(3des)
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: IV was saved for next processing:
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: encryption(3des)
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: with key:
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: decrypted payload by IV:
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: decrypted payload, but not trimed.
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: padding len=209
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: decrypted.
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: begin.
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: seen nptype=5(id)
2023-11-30 14:30:40.004 +0400 [DEBG]: { 3: }: succeed.
2023-11-30 14:30:40.004 +0400 [PERR]: { 3: }: 5.41.58.98[500] - 215.70.10.151[500]:(nil) few isakmp message received.
2023-11-30 14:30:41.594 +0400 [DEBG]: processing isakmp packet
2023-11-30 14:30:41.594 +0400 [DEBG]: ===
2023-11-30 14:30:41.594 +0400 [DEBG]: 92 bytes message received from 215.70.10.151
2023-11-30 14:30:41.594 +0400 [DEBG]: chk packet 50089829:20 size 92, rcp 2, NF rc -1
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: begin decryption.
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: encryption(3des)
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: IV was saved for next processing:
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: encryption(3des)
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: with key:
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: decrypted payload by IV:
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: decrypted payload, but not trimed.
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: padding len=209
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: decrypted.
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: begin.
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: seen nptype=5(id)
2023-11-30 14:30:41.594 +0400 [DEBG]: { 3: }: succeed.
2023-11-30 14:30:41.594 +0400 [PERR]: { 3: }: 5.41.58.98[500] - 215.70.10.151[500]:(nil) few isakmp message received.
2023-11-30 14:30:42.000 +0400 [DEBG]: { 3: }: 180 bytes from 5.41.58.98[500] to 215.70.10.151[500]
2023-11-30 14:30:42.000 +0400 [DEBG]: 5.41.58.98[500] - 215.70.10.151[500]:(nil) 1 times of 180 bytes message will be sent over socket 1024
2023-11-30 14:30:42.000 +0400 [DEBG]: { 3: }: resend phase1 packet 440c0aafbf89757a:29c7baa57f364bfa, retry 2
2023-11-30 14:30:42.004 +0400 [DEBG]: processing isakmp packet
2023-11-30 14:30:42.004 +0400 [DEBG]: ===
2023-11-30 14:30:42.004 +0400 [DEBG]: 92 bytes message received from 215.70.10.151
2023-11-30 14:30:42.004 +0400 [DEBG]: chk packet 50089829:20 size 92, rcp 2, NF rc -1
2023-11-30 14:30:42.004 +0400 [DEBG]: { 3: }: begin decryption.
2023-11-30 14:30:42.004 +0400 [DEBG]: { 3: }: encryption(3des)
2023-11-30 14:30:42.004 +0400 [DEBG]: { 3: }: IV was saved for next processing:
2023-11-30 14:30:42.004 +0400 [DEBG]: { 3: }: encryption(3des)
2023-11-30 14:30:42.004 +0400 [DEBG]: { 3: }: with key:
2023-11-30 14:30:42.004 +0400 [DEBG]: { 3: }: decrypted payload by IV:
2023-11-30 14:30:42.004 +0400 [DEBG]: { 3: }: decrypted payload, but not trimed.
2023-11-30 14:30:42.004 +0400 [DEBG]: { 3: }: padding len=209
2023-11-30 14:30:42.005 +0400 [DEBG]: { 3: }: decrypted.
2023-11-30 14:30:42.005 +0400 [DEBG]: { 3: }: begin.
2023-11-30 14:30:42.005 +0400 [DEBG]: { 3: }: seen nptype=5(id)
2023-11-30 14:30:42.005 +0400 [DEBG]: { 3: }: succeed.
2023-11-30 14:30:42.005 +0400 [PERR]: { 3: }: 5.41.58.98[500] - 215.70.10.151[500]:(nil) few isakmp message received.
2023-11-30 14:30:43.000 +0400 [PNTF]: { 3: }: ====> PHASE-1 NEGOTIATION FAILED AS RESPONDER, MAIN MODE <====
====> Failed SA: 5.41.58.98[500]-215.70.10.151[500] cookie:3f32b1eb6993ebe3:12554596cd819655 <==== Due to timeout.
2023-11-30 14:30:43.000 +0400 [INFO]: { 3: }: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 5.41.58.98[500]-215.70.10.151[500] cookie:3f32b1eb6993ebe3:12554596cd819655 <====
2023-11-30 14:30:43.000 +0400 [DEBG]: IV freed

 

Thanks

1 REPLY 1

Cyber Elite
Cyber Elite

looks like an issue with either the local/peer ID, or maybe the preshared secret (or security policy)

 

is either of these devices behind a NAT gateway? if thats the case you'll need to enable NAT traversal and configure local and peer IDs for the device behind NAT

else try to reset your PSK

(also double check if both are set to the same IKE version

 

also check if ipsec is allowed via security policy on both sides

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 298 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!