10-28-2015 04:11 PM
We have connected several branch offices using PA200 and PA500 with IPsec tunnels to a PA3020 at our corporate office.
The corporate server is registering similar errors twice every 3 seconds. The error:
IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP xxx.xxx.xxx.xxx[52402], ID ipaddr:yyy.yyy.yyy.yyy.
and
IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP xxx.xxx.xxx.xxx[24211], ID ipaddr:yyy.yyy.yyy.yyy.
The only difference is the number in brackets following the peer IP address.
We have a remote site with an IP address of xxx.xxx.xxx.xxx but its tunnels are up, and the yyy.yyy.yyy.yyy address cannot be found anywhere in the configurations. The yyy.yyy.yyy.yyy IP address cannot be located in the corporate firewall either.
How can I determine where the request is coming from so I can stop it?
What do the numbers in the brackets following the peer IP address mean?
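As an added example (not from the original thread or from Palo Alto Networks), the following Python script parses system-log lines of the form quoted above, groups the failed phase-1 requests by source address and IKE identity, records the bracketed numbers and the interval between events, and flags pairs where the address belongs to a configured peer but the identity does not. It assumes the `address[number]` notation of racoon-style IKE daemons, where the bracketed number is the UDP source port of the IKE packet as received by the firewall; the sample log lines, their timestamps, the addresses (RFC 5737 documentation ranges) and the `CONFIGURED_PEERS` set are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (RFC 5737 documentation addresses, not real
# peers). The message text mirrors the format quoted in the original post.
SAMPLE_LOG = """\
2015/10/28 16:11:02 IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP 203.0.113.10[52402], ID ipaddr:198.51.100.7.
2015/10/28 16:11:05 IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP 203.0.113.10[24211], ID ipaddr:198.51.100.7.
2015/10/28 16:11:08 IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP 203.0.113.10[52402], ID ipaddr:198.51.100.7.
2015/10/28 16:11:11 IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP 203.0.113.10[24211], ID ipaddr:198.51.100.7.
2015/10/28 16:12:40 IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP 192.0.2.55[500], ID ipaddr:192.0.2.55.
"""

# Hypothetical set of peer addresses that exist in the firewall's IKE gateway
# configuration. 203.0.113.10 plays the role of the remote site whose tunnel is up.
CONFIGURED_PEERS = {"203.0.113.10", "203.0.113.20"}

# "peer IP a.b.c.d[N]": in racoon-style IKE logs N is the UDP source port of
# the packet (assumption stated in the lead-in). The dotted-quad groups stop
# before the sentence-ending period.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"peer IP (?P<peer>\d+(?:\.\d+)*)\[(?P<port>\d+)\], "
    r"ID ipaddr:(?P<id>\d+(?:\.\d+)*)\.?$"
)


def parse_line(line):
    """Return the fields of one failed phase-1 log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "peer": m["peer"],          # source address seen by the firewall
        "port": int(m["port"]),     # bracketed number: UDP source port
        "id": m["id"],              # identity the initiator claims (ID ipaddr:...)
    }


def summarize(log_text):
    """Group failures by (source address, IKE identity).

    Each entry records how many times the pair appeared, the distinct source
    ports seen, the average spacing between events, and whether the address
    and identity match what is configured.
    """
    groups = defaultdict(lambda: {"count": 0, "ports": set(), "times": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated log line
        g = groups[(rec["peer"], rec["id"])]
        g["count"] += 1
        g["ports"].add(rec["port"])
        g["times"].append(rec["ts"])

    result = {}
    for (peer, ident), g in groups.items():
        times = sorted(g["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        result[(peer, ident)] = {
            "count": g["count"],
            "ports": sorted(g["ports"]),
            "avg_interval_s": (sum(gaps) / len(gaps)) if gaps else None,
            "peer_configured": peer in CONFIGURED_PEERS,
            "id_matches_peer": peer == ident,
        }
    return result


def classify(summary):
    """Attach a short verdict to each (address, identity) pair for follow-up."""
    verdicts = {}
    for (peer, ident), s in summary.items():
        if s["peer_configured"] and not s["id_matches_peer"]:
            # The address is a known site, but the claimed identity is not:
            # a second device, or an initiator behind NAT using its own
            # (pre-NAT) address as its ID. Worth a whois and a call to the owner.
            verdicts[(peer, ident)] = "known peer address, unknown IKE identity"
        elif not s["peer_configured"]:
            verdicts[(peer, ident)] = "unknown peer address"
        else:
            verdicts[(peer, ident)] = "known peer, matching identity"
    return verdicts


if __name__ == "__main__":
    for key, s in summarize(SAMPLE_LOG).items():
        print(key, s, classify(summarize(SAMPLE_LOG))[key])
```

Run against the real system log, a pair whose source ports keep changing while the identity stays the same is consistent with the requests being source-NATed before they reach the firewall, which would also explain why the identity address never appears in any configuration. That is a hypothesis to check with whois and with the owner of the address, not a conclusion the log alone proves.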
10-29-2015 12:00 PM
That is correct. xxx.xxx.xxx.xxx is already connected but we don't know where the request from yyy.yyy.yyy.yyy is coming from.
10-29-2015 01:46 PM
If you want to know the company that owns the IP address, you can do whois to get more info.
You could also just block it on your internet router.
10-29-2015 01:51 PM
Unfortunately the PA3050 is our internet router......
Your suggestion is that I create a drop/deny rule for the IP address. Does that rule get evaluated before the IPsec connection is attempted?
10-29-2015 03:14 PM
I don't think an ACL will work for traffic destined to the untrust interface. A PBF policy might work. You can try matching the traffic and setting the policy to discard.
Or your ISP might be able to block on their upstream equipment.
10-30-2015 03:24 AM
This is harmless but annoying to see in the logs.
These messages probably mean that someone has mis-configured a VPN attempt to your address. Likely this is a left over from an old connection you had or the previous user of your ip address.
I would do the IP lookup and contact the owner of the IP address, then ask for the IT group and get that old VPN removed.