IPsec Tunnel Down!

soorajpmenon5 · ‎08-04-2024

Hi Team,

I'm not very familiar with the Palo Alto firewall, and I've been checking the IPsec connection between PA850 at my sites. I'm encountering issues with the IPsec tunnel, which is not coming up. I tried establishing IPsec using the IP used for BGP peering, and it established without any problems. However, the problem arises when I use my own public IP configured on interface ae1.150. My public IPs are accessible on the internet and between the sites.

I've attached a screenshot showing the rules I used and the interface configuration for site1. The way I configured the interface and security rules is the same as in site2.

Can you identify any issues with my configuration? I believe that interzone communication will be okay with the way I configured the policies. Any suggestions will be highly appreciated.

Thanks!

laurence64 · ‎08-05-2024

Hi

Have you checked the system logs? if you use the filter ( subtype eq 'vpn' ) you should see the logs associated with the VPN's they are usually quite good at identifying the cause.

PCCSA PCNSA PCNSE PCSAE

soorajpmenon5 · ‎08-05-2024

Hello Laurence,

Thanks for the suggestion, please find the logs below, IKE versions are the same on both ends.

2024/08/04 12:09:45 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:778bc0793434d002:0000000000000000.
2024/08/04 12:09:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:10:14 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:10:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:11:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:12:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:13:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:14:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:15:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:16:57 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:17:00 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 12:17:00 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:778bc0793434d002:0000000000000000.
2024/08/04 12:17:01 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:17:03 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:c2d454bd20682a71:0000000000000000.
2024/08/04 12:17:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:17:31 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:18:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:18:39 info vpn ike-con 0 IKE daemon configuration load phase-1 succeeded.
2024/08/04 12:19:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:19:31 info vpn ike-con 0 IKE daemon configuration load phase-2 succeeded.
2024/08/04 12:20:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:21:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:22:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:23:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:24:07 info vpn ike-con 0 IKE daemon configuration load phase-1 succeeded.
2024/08/04 12:24:14 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:24:19 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 12:24:19 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:c2d454bd20682a71:0000000000000000.
2024/08/04 12:24:19 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 14:50:23 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:1e96ac2510547e8c:0000000000000000.
2024/08/04 14:50:32 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 14:50:52 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 14:57:39 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 14:57:39 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:1e96ac2510547e8c:0000000000000000.
2024/08/04 14:57:42 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:330071f82f7dfbee:0000000000000000.
2024/08/04 15:04:55 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:04:55 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:330071f82f7dfbee:0000000000000000.
2024/08/04 15:04:59 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:4797b405643e9da3:0000000000000000.
2024/08/04 15:12:15 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:12:15 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:4797b405643e9da3:0000000000000000.
2024/08/04 15:12:17 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:89e5c77c49e05986:0000000000000000.
2024/08/04 15:19:32 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:19:32 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:89e5c77c49e05986:0000000000000000.
2024/08/04 15:19:36 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:34281788f71357b3:0000000000000000.
2024/08/04 15:26:51 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:26:51 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:34281788f71357b3:0000000000000000.
2024/08/04 15:26:54 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500]SPI:b6ada6393bea188d:0000000000000000.
2024/08/04 15:34:09 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:34:09 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:b6ada6393bea188d:0000000000000000.
2024/08/04 15:34:12 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:30eccc21cac7912f:0000000000000000.
2024/08/04 15:41:27 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:41:27 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:30eccc21cac7912f:0000000000000000.
2024/08/04 15:41:30 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500]SPI:443e5608e54c46da:0000000000000000.
2024/08/04 15:48:45 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:48:45 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:443e5608e54c46da:0000000000000000.
2024/08/04 15:48:47 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:d67aa6842feaf357:0000000000000000.
2024/08/04 15:49:38 info vpn ike-con 0 IKE daemon configuration load phase-1 succeeded.
2024/08/04 15:50:23 info vpn S2SVPN ikev2-s 0 IKEv2 IPSec SA delete message sent to peer. Protocol:ESP, SPI:0x9694DFA3.
2024/08/04 15:50:23 info vpn S2SVPN ipsec-k 0 IPSec key deleted. Deleted SA: 102.218.33.3[500]-102.218.31.3[500] SPI:0x00000000/0x00000000.

Thanks!

soorajpmenon5 · ‎08-05-2024

Hi Laurence,

Thanks for the suggestion, i have checked the logs and there is error came related to IKE mismatch. But i already confirmed that the IKE versions are using same on bot sites (IKEV2). Please find the logs below,

2024/08/04 12:09:45 info     vpn     S2SVPN ikev2-n 0  IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:778bc0793434d002:0000000000000000.
2024/08/04 12:09:54 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:10:14 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:10:54 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:11:54 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:12:54 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:13:54 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:14:54 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:15:54 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:16:57 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:17:00 info     vpn            ike-gen 0  retransmission count exceeded the limit
2024/08/04 12:17:00 info     vpn     S2SVPN ikev2-n 0  Deleting a possible stale IKEv2 child SA. SPI:778bc0793434d002:0000000000000000.
2024/08/04 12:17:01 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:17:03 info     vpn     S2SVPN ikev2-n 0  IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:c2d454bd20682a71:0000000000000000.
2024/08/04 12:17:11 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:17:31 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:18:11 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:18:39 info     vpn            ike-con 0  IKE daemon configuration load phase-1 succeeded.
2024/08/04 12:19:11 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:19:31 info     vpn            ike-con 0  IKE daemon configuration load phase-2 succeeded.
2024/08/04 12:20:11 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:21:11 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:22:11 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:23:11 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:24:07 info     vpn            ike-con 0  IKE daemon configuration load phase-1 succeeded.
2024/08/04 12:24:14 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 12:24:19 info     vpn            ike-gen 0  retransmission count exceeded the limit
2024/08/04 12:24:19 info     vpn     S2SVPN ikev2-n 0  Deleting a possible stale IKEv2 child SA. SPI:c2d454bd20682a71:0000000000000000.
2024/08/04 12:24:19 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 14:50:23 info     vpn     S2SVPN ikev2-n 0  IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:1e96ac2510547e8c:0000000000000000.
2024/08/04 14:50:32 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 14:50:52 info     vpn            ike-gen 0  unknown ikev2 peer
2024/08/04 14:57:39 info     vpn            ike-gen 0  retransmission count exceeded the limit
2024/08/04 14:57:39 info     vpn     S2SVPN ikev2-n 0  Deleting a possible stale IKEv2 child SA. SPI:1e96ac2510547e8c:0000000000000000.
2024/08/04 14:57:42 info     vpn     S2SVPN ikev2-n 0  IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:330071f82f7dfbee:0000000000000000.
2024/08/04 15:04:55 info     vpn            ike-gen 0  retransmission count exceeded the limit
2024/08/04 15:04:55 info     vpn     S2SVPN ikev2-n 0  Deleting a possible stale IKEv2 child SA. SPI:330071f82f7dfbee:0000000000000000.
2024/08/04 15:04:59 info     vpn     S2SVPN ikev2-n 0  IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:4797b405643e9da3:0000000000000000.
2024/08/04 15:12:15 info     vpn            ike-gen 0  retransmission count exceeded the limit
2024/08/04 15:12:15 info     vpn     S2SVPN ikev2-n 0  Deleting a possible stale IKEv2 child SA. SPI:4797b405643e9da3:0000000000000000.
2024/08/04 15:12:17 info     vpn     S2SVPN ikev2-n 0  IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:89e5c77c49e05986:0000000000000000.
2024/08/04 15:19:32 info     vpn            ike-gen 0  retransmission count exceeded the limit
2024/08/04 15:19:32 info     vpn     S2SVPN ikev2-n 0  Deleting a possible stale IKEv2 child SA. SPI:89e5c77c49e05986:0000000000000000.
2024/08/04 15:19:36 info     vpn     S2SVPN ikev2-n 0  IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:34281788f71357b3:0000000000000000.
2024/08/04 15:26:51 info     vpn            ike-gen 0  retransmission count exceeded the limit
2024/08/04 15:26:51 info     vpn     S2SVPN ikev2-n 0  Deleting a possible stale IKEv2 child SA. SPI:34281788f71357b3:0000000000000000.
2024/08/04 15:26:54 info     vpn     S2SVPN ikev2-n 0  IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500]SPI:b6ada6393bea188d:0000000000000000.
2024/08/04 15:34:09 info     vpn            ike-gen 0  retransmission count exceeded the limit
2024/08/04 15:34:09 info     vpn     S2SVPN ikev2-n 0  Deleting a possible stale IKEv2 child SA. SPI:b6ada6393bea188d:0000000000000000.
2024/08/04 15:34:12 info     vpn     S2SVPN ikev2-n 0  IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:30eccc21cac7912f:0000000000000000.
2024/08/04 15:41:27 info     vpn            ike-gen 0  retransmission count exceeded the limit
2024/08/04 15:41:27 info     vpn     S2SVPN ikev2-n 0  Deleting a possible stale IKEv2 child SA. SPI:30eccc21cac7912f:0000000000000000.
2024/08/04 15:41:30 info     vpn     S2SVPN ikev2-n 0  IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500]SPI:443e5608e54c46da:0000000000000000.
2024/08/04 15:48:45 info     vpn            ike-gen 0  retransmission count exceeded the limit
2024/08/04 15:48:45 info     vpn     S2SVPN ikev2-n 0  Deleting a possible stale IKEv2 child SA. SPI:443e5608e54c46da:0000000000000000.
2024/08/04 15:48:47 info     vpn     S2SVPN ikev2-n 0  IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:d67aa6842feaf357:0000000000000000.
2024/08/04 15:49:38 info     vpn            ike-con 0  IKE daemon configuration load phase-1 succeeded.
2024/08/04 15:50:23 info     vpn     S2SVPN ikev2-s 0  IKEv2 IPSec SA delete message sent to peer. Protocol:ESP, SPI:0x9694DFA3.
2024/08/04 15:50:23 info     vpn     S2SVPN ipsec-k 0  IPSec key deleted. Deleted SA: 102.218.33.3[500]-102.218.31.3[500] SPI:0x00000000/0x00000000.

Thanks!

soorajpmenon5 · ‎08-05-2024

Hi Laurence,

Thanks for the suggestion and i have checked the logs and there is some IKE version mismatch logs are comming, but on both site it uses the same versions(IKEv2). Please find the attached Logs file. Appreciate your response!.

----------

2024/08/04 12:09:45 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:778bc0793434d002:0000000000000000.
2024/08/04 12:09:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:10:14 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:10:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:11:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:12:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:13:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:14:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:15:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:16:57 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:17:00 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 12:17:00 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:778bc0793434d002:0000000000000000.
2024/08/04 12:17:01 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:17:03 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:c2d454bd20682a71:0000000000000000.
2024/08/04 12:17:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:17:31 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:18:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:18:39 info vpn ike-con 0 IKE daemon configuration load phase-1 succeeded.
2024/08/04 12:19:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:19:31 info vpn ike-con 0 IKE daemon configuration load phase-2 succeeded.
2024/08/04 12:20:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:21:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:22:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:23:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:24:07 info vpn ike-con 0 IKE daemon configuration load phase-1 succeeded.
2024/08/04 12:24:14 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:24:19 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 12:24:19 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:c2d454bd20682a71:0000000000000000.
2024/08/04 12:24:19 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 14:50:23 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:1e96ac2510547e8c:0000000000000000.
2024/08/04 14:50:32 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 14:50:52 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 14:57:39 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 14:57:39 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:1e96ac2510547e8c:0000000000000000.
2024/08/04 14:57:42 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:330071f82f7dfbee:0000000000000000.
2024/08/04 15:04:55 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:04:55 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:330071f82f7dfbee:0000000000000000.
2024/08/04 15:04:59 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:4797b405643e9da3:0000000000000000.
2024/08/04 15:12:15 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:12:15 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:4797b405643e9da3:0000000000000000.
2024/08/04 15:12:17 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:89e5c77c49e05986:0000000000000000.
2024/08/04 15:19:32 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:19:32 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:89e5c77c49e05986:0000000000000000.
2024/08/04 15:19:36 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:34281788f71357b3:0000000000000000.
2024/08/04 15:26:51 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:26:51 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:34281788f71357b3:0000000000000000.
2024/08/04 15:26:54 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500]SPI:b6ada6393bea188d:0000000000000000.
2024/08/04 15:34:09 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:34:09 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:b6ada6393bea188d:0000000000000000.
2024/08/04 15:34:12 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:30eccc21cac7912f:0000000000000000.
2024/08/04 15:41:27 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:41:27 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:30eccc21cac7912f:0000000000000000.
2024/08/04 15:41:30 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500]SPI:443e5608e54c46da:0000000000000000.
2024/08/04 15:48:45 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:48:45 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:443e5608e54c46da:0000000000000000.
2024/08/04 15:48:47 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:d67aa6842feaf357:0000000000000000.
2024/08/04 15:49:38 info vpn ike-con 0 IKE daemon configuration load phase-1 succeeded.
2024/08/04 15:50:23 info vpn S2SVPN ikev2-s 0 IKEv2 IPSec SA delete message sent to peer. Protocol:ESP, SPI:0x9694DFA3.
2024/08/04 15:50:23 info vpn S2SVPN ipsec-k 0 IPSec key deleted. Deleted SA: 102.218.33.3[500]-102.218.31.3[500] SPI:0x00000000/0x00000000.
----------

Thanks!

soorajpmenon5 · ‎08-05-2024

Hi Laurence,

I have checked the logs and it shows IKE mismatch, but i have confirmed both ends its has the same version.

2024/08/04 12:17:03 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:c2d454bd20682a71:0000000000000000.
2024/08/04 12:17:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:17:31 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:18:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:18:39 info vpn ike-con 0 IKE daemon configuration load phase-1 succeeded.
2024/08/04 12:19:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:19:31 info vpn ike-con 0 IKE daemon configuration load phase-2 succeeded.
2024/08/04 12:20:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:21:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:22:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:23:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:24:07 info vpn ike-con 0 IKE daemon configuration load phase-1 succeeded.
2024/08/04 12:24:14 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:24:19 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 12:24:19 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:c2d454bd20682a71:0000000000000000.
2024/08/04 12:24:19 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 14:50:23 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:1e96ac2510547e8c:0000000000000000.
2024/08/04 14:50:32 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 14:50:52 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 14:57:39 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 14:57:39 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:1e96ac2510547e8c:0000000000000000.
2024/08/04 14:57:42 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:330071f82f7dfbee:0000000000000000.
2024/08/04 15:04:55 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:04:55 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:330071f82f7dfbee:0000000000000000.
2024/08/04 15:04:59 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:4797b405643e9da3:0000000000000000.

Thanks!

zGomez · ‎08-09-2024

You can follow the below article on troubleshooting ipsec vpn issues.

How to Troubleshoot IPSec VPN connectivity issues - Knowledge Base - Palo Alto Networks

This should help you identify why the vpn is not beeing established

zGomez · ‎08-13-2024

Are you sure you are not dropping any traffic on you firewall. I am seeing retransmission count exceeded limit.
This could indicate you are dropping ike,ipsec esp traffic?

Can you take packet capture on the firewall or use global counters to identify if this is the case.

You can also change you settings to IKEv2 prefered then it will fall back to IKEv1 is needed.

laurence64 · ‎08-16-2024

Hi,

Sorry it has taken a while to reply it does look as though there is a connectivity issue between peers or no response, if you turn up the logging level you may see more, obviously only do this if you accept that there may be a performance hit, you can use the command >debug ike tunnel <tunnel name> on debug or for the debug level of the gateway just replace tunnel <tunnel name> with gateway keyword and <gateway name>

I would also suggest using the following >tail follow yes lines 30 mp-log ikemgr.log while the connection is establishing to see what is a happening in real time,

Once you have finished return the two debug levels to normal using >debug ike tunnel <tunnel name> on normal and doing the same for the gateway to clear up.

PCCSA PCNSA PCNSE PCSAE

Edsnow · ‎08-17-2024

Verify the peer to peer reachablity and verify there is a session established for port 500. for the peer and local device public ip.

Also verify is there any security policy has been blocked the phase 1 traffic.

Unlock your full community experience!

IPsec Tunnel Down!

IPsec Tunnel Down!

Show your appreciation!