07-09-2021 02:18 AM
Please excuse me, as I am still learning and am relatively inexperienced. I assume the phase 2 status can be red for the following reasons (assuming IKE phase 1 is all correct and working): Authentication, Encryption or DH settings being incorrect/mismatched, or the lifetime expiring. Are there any other reasons it would be red, perhaps to do with remote or local LANs or IPs, and could you explain in layman's terms?
07-09-2021 10:27 AM
Hello,
You are correct that you can have a good phase 1 and a bad phase 2. Most of the time it's a configuration mismatch; it could be the passphrase.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK
Hope that helps.
07-09-2021 09:33 PM
Also, if the local and remote proxy IDs do not match, that can also cause phase 2 to be shown as red.
Regards
07-11-2021 08:48 AM
I would disagree with @OtakarKlier. If the pre-shared key is wrong, phase 1 will not be completed. If phase 1 is established, this means the pre-shared key (along with the rest of the phase 1 settings) is the same on both ends.
And I would agree with @MP18: the most common reason for failing phase 2 is the local and remote proxy IDs (encryption domains). But similar to phase 1, it could also fail due to Authentication, Encryption or DH settings.
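As an added illustration of the checks the replies above describe (not code from the thread or from Palo Alto Networks): given the phase 2 settings of both tunnel ends, report proposal mismatches and check that the proxy IDs mirror each other, since one side's local proxy ID must equal the other side's remote proxy ID. The field names and the two sample configurations are constructed for this example and do not reflect any vendor's configuration format.

```python
import ipaddress

# Constructed sample configs for two tunnel ends (hypothetical field names).
# "authentication" here is the ESP integrity algorithm of the phase 2 proposal.
PEER_A = {
    "encryption": "aes-256-cbc", "authentication": "sha256", "dh_group": "group14",
    "lifetime_s": 3600, "local_proxy": "10.1.0.0/24", "remote_proxy": "192.168.5.0/24",
}
PEER_B = {
    "encryption": "aes-256-cbc", "authentication": "sha1", "dh_group": "group14",
    "lifetime_s": 28800, "local_proxy": "192.168.5.0/24", "remote_proxy": "10.1.0.0/16",
}


def _net(value):
    """Normalise a proxy ID so 10.1.0.5/24 and 10.1.0.0/24 compare equal."""
    return ipaddress.ip_network(value, strict=False)


def phase2_mismatches(a, b):
    """Return human-readable reasons phase 2 would fail (or misbehave) between a and b."""
    problems = []
    # Proposal settings must be identical on both ends.
    for field in ("encryption", "authentication", "dh_group"):
        if a[field] != b[field]:
            problems.append(f"{field} mismatch: {a[field]} vs {b[field]}")
    # Proxy IDs must mirror: A's local == B's remote and A's remote == B's local.
    pairs = (("local_proxy", "remote_proxy", "A local / B remote"),
             ("remote_proxy", "local_proxy", "A remote / B local"))
    for mine, theirs, label in pairs:
        if _net(a[mine]) != _net(b[theirs]):
            problems.append(f"proxy id mismatch ({label}): {a[mine]} vs {b[theirs]}")
    # Unequal lifetimes do not block negotiation by themselves, but the end
    # with the shorter lifetime rekeys first, so flag the difference as a warning.
    if a["lifetime_s"] != b["lifetime_s"]:
        problems.append(f"warning: lifetime differs: {a['lifetime_s']}s vs {b['lifetime_s']}s")
    return problems


if __name__ == "__main__":
    for line in phase2_mismatches(PEER_A, PEER_B):
        print(line)
```

With the sample configs above, the report names the integrity-algorithm mismatch, the non-mirrored proxy ID on A's local side, and the lifetime difference.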
07-12-2021 11:06 AM
@aleksandar.astardzhiev Is there authentication in phase 2? I thought the auth piece only happens in phase 1 of the negotiation.
07-12-2021 11:40 AM - edited 07-12-2021 11:41 AM
Yep, my bad on that passphrase part.