11-19-2014 05:05 AM
Hi
I configured an IPSec site to site VPN between Palo Alto Firewall and Checkpoint Firewall.
Everything works perfectly as expected, but I get constant logs: "IKE-Phase 2 negotiation failed when processing proxy ID. cannot find matching phase 2 tunnel for received proxy ID."
I have configured the proxy IDs and the tunnel seems to work. But I still get the above-mentioned log constantly with severity "informational".
Any idea what is going wrong?
Thanks!
11-19-2014 08:33 AM
Hello Amit,
If someone tries to send traffic from a different subnet OR to a different subnet which is not part of your PROXY ID, then the firewall will drop those packets with the above-mentioned messages, since the PROXY ID will not match for that traffic.
You may check the ike-mgr logs to get the source/destination IP of that dropped traffic.
> less mp-log ikemgr.log
> show log system direction equal backward
You can either use the space bar to go down the logs or use "shift + g" to go to the bottom of the logs.
Hope this helps.
Thank you.
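To make the explanation above concrete, here is a small added example (not code from the thread or from Palo Alto Networks) that models how a responder matches a received phase-2 selector pair against its configured proxy IDs, and that pulls the "can't find matching selector" events out of ikemgr.log-style lines. It assumes an exact-match rule (a proposal that is narrower or wider than a configured proxy ID is reported as such rather than accepted); the proxy-ID table and the sample log lines are constructed.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed proxy-ID table: (local subnet, remote subnet, protocol). Not from the thread.
ProxyID = Tuple[str, str, str]
CONFIGURED: List[ProxyID] = [
    ("10.1.0.0/24", "192.168.50.0/24", "any"),
]


def classify_selector(local: str, remote: str, proto: str,
                      configured: List[ProxyID]) -> str:
    """Responder-side check. Returns:
      'match'       - received pair equals a configured proxy ID (phase 2 can be built)
      'narrower'    - received pair lies inside a configured proxy ID (peer proposes
                      a subset, e.g. per-host selectors) but is not an exact match
      'wider'       - received pair contains a configured proxy ID (peer proposes a supernet)
      'no-proxy-id' - traffic from/to a subnet that no proxy ID covers at all, which is
                      the case the reply above describes
    Exact matching is an assumption of this example."""
    l, r = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    for c_local, c_remote, c_proto in configured:
        if c_proto != proto:
            continue
        cl, cr = ipaddress.ip_network(c_local), ipaddress.ip_network(c_remote)
        if cl == l and cr == r:
            return "match"
        if l.subnet_of(cl) and r.subnet_of(cr):
            return "narrower"
        if cl.subnet_of(l) and cr.subnet_of(r):
            return "wider"
    return "no-proxy-id"


# Matches the "YYYY-MM-DD HH:MM:SS [CATEGORY]: message" shape of the posted ikemgr.log lines.
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\]: (.*)$")


def selector_failures(lines: List[str]) -> List[str]:
    """Return the timestamps of INTERNAL_ERR 'can't find matching selector' events."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group(2) == "INTERNAL_ERR" and "matching selector" in m.group(3):
            hits.append(m.group(1))
    return hits


# Constructed sample in the same format as the output posted later in the thread.
SAMPLE_LOG = [
    "2014-11-21 11:05:19 [INTERNAL_ERR]: can't find matching selector",
    "2014-11-21 11:05:19 [PROTO_ERR]: failed to get sainfo.",
    "2014-11-21 11:05:19 [INTERNAL_ERR]: failed to pre-process packet.",
]
```

Run `classify_selector` with the source/destination pair taken from the ikemgr.log output; a result of `no-proxy-id` means a proxy ID for that subnet pair is simply missing, while `narrower` or `wider` means the two peers disagree on selector granularity.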
11-19-2014 06:20 AM
Hi Amit,
The above-mentioned log should appear in the event of a Proxy ID mismatch, which you have already corrected.
And in this case the firewall should not establish phase-2.
Are these older logs or new logs? If they are new logs, then make sure they are for the same tunnel and not for any other tunnel. If they are for the same tunnel, then it is strange behavior.
Regards,
Hardik Shah
11-24-2014 02:25 AM
Hi Guys,
Thanks for your replies, but the problem still persists. The tunnel goes down intermittently during the day. The tunnel seems to work for 80% of the time in a day.
hshah - The logs above are new logs.
HULK - I tried running the command tail follow yes mp-log ikemgr.log and the following was the output:
====> Initiated SA: IP-ADDRESSES-HERE message id:0x42D6F11F <====
2014-11-21 11:05:19 [INTERNAL_ERR]: can't find matching selector
2014-11-21 11:05:19 [PROTO_ERR]: failed to get sainfo.
2014-11-21 11:05:19 [INTERNAL_ERR]: failed to pre-process packet.
2014-11-21 11:05:21 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
Any suggestions as to what can be going wrong? This is strange behavior!
Thanks!
11-25-2014 03:19 AM
Hi Guys
Problem was resolved. The problem was missing proxy IDs for external interfaces. Thanks for your help!