VPN Works but....

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

VPN Works but....

L2 Linker

Hi

I configured an IPSec site to site VPN between Palo Alto Firewall and Checkpoint Firewall.

Everything works perfectly as expected, but I get constant Logs : IKE-Phase 2 negotiation failed when processing proxy ID. cannot find matching phase 2 tunnel for received proxy ID.

I have configured the proxy IDs and tunnel seems to work. But still I get the above mentioned log constantly with severity "informatikonal".

Any idea what is going wrong??

Thanks!

1 accepted solution

Accepted Solutions

L7 Applicator

Hello Amit,

If someone tries to send traffic from a different subnet OR to a different subnet, which is not part of your PROXY ID, then the firewall will drop those packets with above mentioned messages.  Since PROXY ID will not match for that traffic.

You may check ike-mgr logs to get the source/destination IP of that dropped traffic.

> less mp-log ikemgr.log

> show log system direction equal backward

You can either user Space-Bar to go down the logs or use "shift + g"  to go at the bottom of the logs.

Hope this helps.

Thank you.

View solution in original post

4 REPLIES 4

L6 Presenter

Hi Amit,

Above mentioned log should come in the event of Proxy ID mismatch, which you have already corrected.

And in this case firewall should not establish phase-2. 

Are these older logs or new logs? If its new logs than make sure its for the same tunnel and not any other tunnel? If its for the same tunnel than its a strange behavior.

Regards,

Hardik Shah

L7 Applicator

Hello Amit,

If someone tries to send traffic from a different subnet OR to a different subnet, which is not part of your PROXY ID, then the firewall will drop those packets with above mentioned messages.  Since PROXY ID will not match for that traffic.

You may check ike-mgr logs to get the source/destination IP of that dropped traffic.

> less mp-log ikemgr.log

> show log system direction equal backward

You can either user Space-Bar to go down the logs or use "shift + g"  to go at the bottom of the logs.

Hope this helps.

Thank you.

L2 Linker

Hi Guys,

thanks for your replies but the problem still persists. The tunnel goes down intermittently in a day. The tunnel seems to work for 80% of time in a day.

hshah - The logs above are new logs.

HULK - I tried running the command tail follow yes mp-log ikemgr.log  and following was the output

====> Initiated SA: IP-ADDRESSES-HERE message id:0x42D6F11F <====

2014-11-21 11:05:19 [INTERNAL_ERR]: can't find matching selector

2014-11-21 11:05:19 [PROTO_ERR]: failed to get sainfo.

2014-11-21 11:05:19 [INTERNAL_ERR]: failed to pre-process packet.

2014-11-21 11:05:21 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====


Any suggestions as to what can be going wrong? This is strange behavior!


Thanks!

L2 Linker

Hi Guys

Problem was resolved. The problem was missing proxy IDs for external interfaces. Thanks for your help!

  • 1 accepted solution
  • 7243 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!