Phase 2 tunnel status

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Phase 2 tunnel status

L2 Linker
 

Please excuse me as I am still learning and am relatively inexperienced. I assume the phase 2 status can be red for following reasons (assuming IKE phase 1 is all correct and working) Authentication, Encryption, DH settings being incorrect/mismatched or lifetime expiring. Are there any other reasons it would be red perhaps to do with remote or local LANs or IPs and could you explain in layman terms?  

 

 

 

ipsec tunnel status.jpg

 

 

5 REPLIES 5

Cyber Elite
Cyber Elite

Hello,

You are correct that you can have a good phase 1 and a bad phase 2. Most of the time its a configuration mismatch, could be passphrase.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK

Hope that helps.

Cyber Elite
Cyber Elite

@pink-panther 

 

Also if local and remote proxy ids does not match that can also cause phase 2 shown as red.

 

Regards

MP

Help the community: Like helpful comments and mark solutions.

Hi @pink-panther 

 

I would disagree with @OtakarKlier. If pre-shared key is wrong phase1 will not be completed. If phase1 is established, this means the pre-shared key (alongwith the rest of phase1 settings) is the same on both ends.

 

And would agree with @MP18 - most common reason for failing phase2 is local and remote proxy id (encryption domains). But similar to phase1 it could also fail due to Authentication, Encryption or DH settings

@aleksandar.astardzhiev  Is there an authentication in Phase2? I thought auth piece only happens in the phase1 of the negotiation.

Cyber Elite
Cyber Elite

Yep my bad on that passphrase part.

  • 3191 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!