Issues without using Proxy IDs on IPSEC tunnel

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Issues without using Proxy IDs on IPSEC tunnel

L2 Linker

We are running into issues with VPN when we chose not to use PROXY ids between two PA firewalls.

We see it works fine when we add the proxy ids, but we shouldn't need to if both of them are Palo Alto, isn't it?

We see phase 2 keeps failing and the tunnel would not come up.

"IKE phase-2 negotiation failed when processing proxy ID. Cannot find matching phase-2 tunnel for received proxy ID..."

We have already tried disabling the gateways, deleting and recreating the gateway as well as the tunnel again  - doesn't help either. 

Made sure there were no stale sessions still existing.

We lastly also tried to upgrade to the preferred version 10.1.10-h1 - and we still see the same behavior.

Any help or suggestions are appreciated. TIA 



Cyber Elite
Cyber Elite


You cut out the most important part from a troubleshooting aspect; what does that error say the received local id and received remote id are? 

L2 Linker

@BPry  The only error we see is:


The strange part is as soon as we put in the Proxy ID on both the PA firewall tunnel comes up correctly with no issues. If we remove the proxy Phase-2 fails and we see Local ID and Remote ID still the same. We have already deleted the IKE gateway and IPSEC tunnel as well completely but still once we try and build the tunnel without proxy Phase-2 fails with same error.

Customer has also upgraded the software version to 10.1.10-h1.

Hi @BPry  If you could please review this and help us here. Thanks

L2 Linker

Any Help?


We have also rebooted a couple of times but still same

L2 Linker

Hi Team

Any help in understanding what could have caused this issue?

L7 Applicator

Could you show us the ipsec configurations of both sides? Because the screenshot you showed actually means that there are proxy IDs configured and because of that your firewall is not able to find a matching entry. If the tunnel is only built up in the direction from your customer to you, then your proxy IDs can be empty as your firewall will accept any entry (as long there is only one. If there are more then you will have issues as the tunnel changes over and over).

L1 Bithead

Does the P2 makes match in both FW? Can I see your configuration in both sides? 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!