08-07-2023 04:39 PM
We are running into issues with VPN when we choose not to use proxy IDs between two PA firewalls.
We see it works fine when we add the proxy IDs, but we shouldn't need to if both of them are Palo Alto, should we?
We see phase 2 keeps failing and the tunnel would not come up.
"IKE phase-2 negotiation failed when processing proxy ID. Cannot find matching phase-2 tunnel for received proxy ID..."
We have already tried disabling the gateways, deleting and recreating the gateway as well as the tunnel again - doesn't help either.
Made sure there were no stale sessions still existing.
Lastly, we also tried to upgrade to the preferred version 10.1.10-h1 - and we still see the same behavior.
Any help or suggestions are appreciated. TIA
08-08-2023 06:20 AM
You cut out the most important part from a troubleshooting aspect; what does that error say the received local id and received remote id are?
08-08-2023 10:10 AM
@BPry The only error we see is:
The strange part is that as soon as we put in the proxy IDs on both PA firewalls, the tunnel comes up correctly with no issues. If we remove the proxy IDs, Phase-2 fails and we see the Local ID and Remote ID are still the same. We have already deleted the IKE gateway and IPsec tunnel completely as well, but once we try to build the tunnel without proxy IDs, Phase-2 still fails with the same error.
Customer has also upgraded the software version to 10.1.10-h1.
08-11-2023 12:32 PM
Hi @BPry If you could please review this and help us here. Thanks
08-14-2023 09:39 AM
Any Help?
We have also rebooted a couple of times but still same
08-24-2023 09:37 AM
Hi Team
Any help in understanding what could have caused this issue?
08-27-2023 12:08 AM
Could you show us the IPsec configurations of both sides? Because the screenshot you showed actually means that there are proxy IDs configured, and because of that your firewall is not able to find a matching entry. If the tunnel is only built up in the direction from your customer to you, then your proxy IDs can be empty, as your firewall will accept any entry (as long as there is only one; if there are more, then you will have issues as the tunnel changes over and over).
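The matching rule the reply above describes can be made concrete with a small model. The following Python is an added illustration, not PAN-OS code and not anything from this thread: it assumes (as the reply states) that a side with no proxy IDs configured behaves like a single wildcard entry that accepts whatever the peer proposes, and that a side with proxy IDs configured needs an exact mirrored match (its local selector equals the peer's remote selector and vice versa). The `negotiate` function, the `ProxyId` class and the sample prefixes are all constructed for the example.

```python
"""Simplified model of IKE phase-2 proxy-ID matching (added illustration, not PAN-OS code)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

ANY = ip_network("0.0.0.0/0")  # wildcard selector used when no proxy ID is configured


@dataclass(frozen=True)
class ProxyId:
    """One configured proxy ID: local selector, remote selector, protocol (hypothetical type)."""
    local: IPv4Network
    remote: IPv4Network
    protocol: str = "any"


def pid(local: str, remote: str, protocol: str = "any") -> ProxyId:
    """Convenience constructor from prefix strings."""
    return ProxyId(ip_network(local), ip_network(remote), protocol)


def match_entry(responder_ids, recv_local, recv_remote, recv_proto="any"):
    """Responder-side lookup: return the index of the matching proxy-ID entry, or None.

    The initiator's local selector is the responder's remote selector and vice versa.
    An empty list models 'no proxy IDs configured' (assumption from the reply above):
    a single wildcard slot, index 0, that accepts any received proxy ID.
    """
    if not responder_ids:
        return 0
    for idx, entry in enumerate(responder_ids):
        if (entry.local == recv_remote and entry.remote == recv_local
                and entry.protocol in (recv_proto, "any")):
            return idx
    return None


def negotiate(initiator_ids, responder_ids):
    """Run one phase-2 exchange per initiator proxy ID against the responder's config.

    Returns (slots, failures): slots maps responder entry index -> the initiator
    proxy ID currently occupying that child SA; failures lists rejected IDs and
    replacements (a second selector landing in an already-occupied slot).
    """
    initiator_ids = initiator_ids or [ProxyId(ANY, ANY)]  # no proxy IDs -> wildcard
    slots = {}
    failures = []
    for entry in initiator_ids:
        idx = match_entry(responder_ids, entry.local, entry.remote, entry.protocol)
        if idx is None:
            # This is the situation behind the thread's log line: the responder has
            # proxy IDs configured and none of them mirrors what it received.
            failures.append(f"no matching phase-2 tunnel for received proxy ID "
                            f"local={entry.local} remote={entry.remote} proto={entry.protocol}")
            continue
        if idx in slots and slots[idx] != entry:
            # Several initiator selectors funnelled into one responder slot: each new
            # negotiation replaces the previous child SA ("changes over and over").
            failures.append(f"slot {idx} replaced: {slots[idx].local}->{slots[idx].remote} "
                            f"by {entry.local}->{entry.remote}")
        slots[idx] = entry
    return slots, failures


if __name__ == "__main__":
    # Constructed sample prefixes; side A initiates, side B responds.
    a_ids = [pid("10.1.0.0/24", "10.2.0.0/24")]
    b_ids = [pid("10.2.0.0/24", "10.1.0.0/24")]
    print("mirrored IDs on both sides:", negotiate(a_ids, b_ids))
    print("no IDs on either side:    ", negotiate([], []))
    print("A empty, B configured:    ", negotiate([], b_ids))
    two_ids = a_ids + [pid("10.1.1.0/24", "10.2.0.0/24")]
    print("A has two IDs, B none:    ", negotiate(two_ids, []))
```

The third scenario reproduces the symptom in this thread: the side that still has proxy IDs configured cannot match the wildcard it receives, so phase 2 is rejected by the responder. The fourth shows why "empty" only works cleanly with a single selector on the far side.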
08-28-2023 07:14 PM
Does the P2 match on both FWs? Can I see your configuration on both sides?