Tracking down source of ike-nego-p1-fail-common log entry

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Tracking down source of ike-nego-p1-fail-common log entry

L2 Linker

We have connected several branch offices using PA200 and PA500 with ipsec tunnels to a PA3020 at our corporate office.

 

The corporate server is registering similare errors twice every 3 seconds. The error:

IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP xxx.xxx.xxx.xxx[52402], ID ipaddr:yyy.yyy.yyy.yyy.

and

IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP xxx.xxx.xxx.xxx[24211], ID ipaddr:yyy.yyy.yyy.yyy.

The only difference is the number in brackets following the peer IP address.

We have a remote site with an IP address of xxx.xxx.xxx.xxx but its tunnels are up and the yyy.yyy.yyy.yyy sddress cannot be found anywhere in the configurations.  The yyy.yyy.yyy.yyy IP address cannot be located in the corporate firewall either.

 

How can I determine where the request iscoming from so I can stop it?

What do the numbers in the brackets following the peer IP address mean?

 

 

6 REPLIES 6

L3 Networker

So you're saying yyy.yyy.yyy.yyy is not a part of your public IP range at your remote office?

That is correct.  xxx.xxx.xxx.xxx is already connected but we don't know where the request from yyy.yyy.yyy.yyy is coming from.

 

If you want to know the company that owns the IP address, you can do whois to get more info.

You could also just block it on your internet router.

Unfortunately the PA3050 is our internet router......

 

Your suggestion is that I create a drop/deny rule for the IP address.  Does that rule get evaluated before the IPsec connection is attempted?

I don't think an ACL will work for traffic destined to the untrust interface. A PBF policy might work. You can try matching the traffic and setting the policy to discard.

Or your ISP might be able to block on their upstream equipment.

 

L7 Applicator

This is harmless but annoying to see in the logs.

 

These messages probably mean that someone has mis-configured a VPN attempt to your address.  Likely this is a left over from an old connection you had or the previous user of your ip address.

 

I would do the ip look and contact the owner of the ip address.  then ask for the IT group and get that old VPN removed. 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 5556 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!