08-04-2024 02:44 PM
Hi Team,
I'm not very familiar with the Palo Alto firewall, and I've been checking the IPsec connection between PA850 at my sites. I'm encountering issues with the IPsec tunnel, which is not coming up. I tried establishing IPsec using the IP used for BGP peering, and it established without any problems. However, the problem arises when I use my own public IP configured on interface ae1.150. My public IPs are accessible on the internet and between the sites.
I've attached a screenshot showing the rules I used and the interface configuration for site1. The way I configured the interface and security rules is the same as in site2.
Can you identify any issues with my configuration? I believe that interzone communication will be okay with the way I configured the policies. Any suggestions will be highly appreciated.
Thanks!
08-05-2024 02:58 AM
Hi
Have you checked the system logs? If you use the filter ( subtype eq 'vpn' ) you should see the logs associated with the VPNs; they are usually quite good at identifying the cause.
08-05-2024 04:45 AM
Hello Laurence,
Thanks for the suggestion, please find the logs below, IKE versions are the same on both ends.
2024/08/04 12:09:45 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:778bc0793434d002:0000000000000000.
2024/08/04 12:09:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:10:14 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:10:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:11:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:12:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:13:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:14:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:15:54 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:16:57 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:17:00 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 12:17:00 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:778bc0793434d002:0000000000000000.
2024/08/04 12:17:01 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:17:03 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:c2d454bd20682a71:0000000000000000.
2024/08/04 12:17:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:17:31 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:18:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:18:39 info vpn ike-con 0 IKE daemon configuration load phase-1 succeeded.
2024/08/04 12:19:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:19:31 info vpn ike-con 0 IKE daemon configuration load phase-2 succeeded.
2024/08/04 12:20:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:21:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:22:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:23:11 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:24:07 info vpn ike-con 0 IKE daemon configuration load phase-1 succeeded.
2024/08/04 12:24:14 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 12:24:19 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 12:24:19 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:c2d454bd20682a71:0000000000000000.
2024/08/04 12:24:19 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 14:50:23 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:1e96ac2510547e8c:0000000000000000.
2024/08/04 14:50:32 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 14:50:52 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 14:57:39 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 14:57:39 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:1e96ac2510547e8c:0000000000000000.
2024/08/04 14:57:42 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:330071f82f7dfbee:0000000000000000.
2024/08/04 15:04:55 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:04:55 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:330071f82f7dfbee:0000000000000000.
2024/08/04 15:04:59 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:4797b405643e9da3:0000000000000000.
2024/08/04 15:12:15 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:12:15 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:4797b405643e9da3:0000000000000000.
2024/08/04 15:12:17 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:89e5c77c49e05986:0000000000000000.
2024/08/04 15:19:32 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:19:32 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:89e5c77c49e05986:0000000000000000.
2024/08/04 15:19:36 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:34281788f71357b3:0000000000000000.
2024/08/04 15:26:51 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:26:51 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:34281788f71357b3:0000000000000000.
2024/08/04 15:26:54 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500]SPI:b6ada6393bea188d:0000000000000000.
2024/08/04 15:34:09 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:34:09 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:b6ada6393bea188d:0000000000000000.
2024/08/04 15:34:12 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:30eccc21cac7912f:0000000000000000.
2024/08/04 15:41:27 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:41:27 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:30eccc21cac7912f:0000000000000000.
2024/08/04 15:41:30 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500]SPI:443e5608e54c46da:0000000000000000.
2024/08/04 15:48:45 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:48:45 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:443e5608e54c46da:0000000000000000.
2024/08/04 15:48:47 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:d67aa6842feaf357:0000000000000000.
2024/08/04 15:49:38 info vpn ike-con 0 IKE daemon configuration load phase-1 succeeded.
2024/08/04 15:50:23 info vpn S2SVPN ikev2-s 0 IKEv2 IPSec SA delete message sent to peer. Protocol:ESP, SPI:0x9694DFA3.
2024/08/04 15:50:23 info vpn S2SVPN ipsec-k 0 IPSec key deleted. Deleted SA: 102.218.33.3[500]-102.218.31.3[500] SPI:0x00000000/0x00000000.
Thanks!
08-05-2024 07:19 AM
Hi Laurence,
Thanks for the suggestion. I have checked the logs and there is an error related to IKE mismatch. But I already confirmed that the same IKE version is used on both sites (IKEv2). Please find the logs below,
Thanks!
08-05-2024 07:25 AM
Hi Laurence,
Thanks for the suggestion. I have checked the logs and some IKE version mismatch logs are coming up, but both sites use the same version (IKEv2). Please find the attached logs file. Appreciate your response!
Thanks!
08-05-2024 09:23 AM
Hi Laurence,
I have checked the logs and they show an IKE mismatch, but I have confirmed that both ends have the same version.
Thanks!
08-09-2024 01:21 AM - edited 08-09-2024 01:21 AM
You can follow the article below on troubleshooting IPsec VPN issues.
How to Troubleshoot IPSec VPN connectivity issues - Knowledge Base - Palo Alto Networks
This should help you identify why the VPN is not being established.
08-13-2024 02:21 AM
Are you sure you are not dropping any traffic on your firewall? I am seeing retransmission count exceeded limit.
This could indicate you are dropping IKE, IPsec ESP traffic?
Can you take a packet capture on the firewall or use global counters to identify if this is the case?
You can also change your settings to IKEv2 preferred; then it will fall back to IKEv1 if needed.
08-16-2024 05:50 AM
Hi,
Sorry it has taken a while to reply. It does look as though there is a connectivity issue between peers, or no response. If you turn up the logging level you may see more; obviously only do this if you accept that there may be a performance hit. You can use the command >debug ike tunnel <tunnel name> on debug, or for the debug level of the gateway just replace tunnel <tunnel name> with the gateway keyword and <gateway name>.
I would also suggest using the following: >tail follow yes lines 30 mp-log ikemgr.log while the connection is establishing, to see what is happening in real time.
Once you have finished, return the two debug levels to normal using >debug ike tunnel <tunnel name> on normal, and do the same for the gateway to clear up.
08-17-2024 01:05 AM
Verify the peer-to-peer reachability and verify there is a session established for port 500 for the peer and local device public IP.
Also verify whether any security policy is blocking the phase 1 traffic.
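Added example, not part of any reply in this thread: a short Python script that groups the pasted system-log lines into one record per initiator SPI, so the "retransmission count exceeded" pattern the replies point at can be read per attempt. It assumes the message strings exactly as pasted above and that the SPI pair is printed as initiator:responder; attaching the SPI-less `ike-gen` lines to the most recently started attempt is a heuristic based on log order.

```python
import re
from datetime import datetime

# Lines copied from the system log posted in this thread (the last one has
# the missing space before "SPI:" exactly as it was pasted).
SAMPLE_LOG = """\
2024/08/04 14:50:23 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:1e96ac2510547e8c:0000000000000000.
2024/08/04 14:50:32 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 14:50:52 info vpn ike-gen 0 unknown ikev2 peer
2024/08/04 14:57:39 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 14:57:39 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:1e96ac2510547e8c:0000000000000000.
2024/08/04 14:57:42 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500] SPI:330071f82f7dfbee:0000000000000000.
2024/08/04 15:04:55 info vpn ike-gen 0 retransmission count exceeded the limit
2024/08/04 15:04:55 info vpn S2SVPN ikev2-n 0 Deleting a possible stale IKEv2 child SA. SPI:330071f82f7dfbee:0000000000000000.
2024/08/04 15:26:54 info vpn S2SVPN ikev2-n 0 IKEv2 IKE SA negotiation is started as initiator, non-rekey. Initiated SA: 102.218.33.3[500]-102.218.31.3[500]SPI:b6ada6393bea188d:0000000000000000.
"""

LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \S+ vpn (.*)$")
START = re.compile(r"negotiation is started as initiator.*Initiated SA: "
                   r"(\S+?)\[\d+\]-(\S+?)\[\d+\]\s*SPI:([0-9a-f]{16}):([0-9a-f]{16})")
TEARDOWN = re.compile(r"Deleting a possible stale IKEv2 child SA\. "
                      r"SPI:([0-9a-f]{16}):([0-9a-f]{16})")
ZERO_SPI = "0" * 16


def summarize(log_text):
    """Return one dict per negotiation attempt, keyed by its initiator SPI."""
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg = m.group(2)
        if (s := START.search(msg)):
            current = {"local": s.group(1), "peer": s.group(2), "spi": s.group(3),
                       "started": ts, "seconds": None, "unknown_peer": 0,
                       "retransmit_exceeded": False, "outcome": "open"}
            attempts.append(current)
        elif current is None:
            continue  # message outside any attempt; nothing to attach it to
        elif "unknown ikev2 peer" in msg:
            current["unknown_peer"] += 1
        elif "retransmission count exceeded" in msg:
            current["retransmit_exceeded"] = True
        elif (t := TEARDOWN.search(msg)) and t.group(1) == current["spi"]:
            current["seconds"] = int((ts - current["started"]).total_seconds())
            # Responder SPI still zero after the retransmit limit: the log
            # never recorded a responder SPI for this attempt.
            silent = current["retransmit_exceeded"] and t.group(2) == ZERO_SPI
            current["outcome"] = "no_response" if silent else "torn_down"
            current = None
    return attempts


if __name__ == "__main__":
    for a in summarize(SAMPLE_LOG):
        print(f'{a["started"]} {a["local"]} -> {a["peer"]} spi={a["spi"]} '
              f'outcome={a["outcome"]} after={a["seconds"]}s '
              f'unknown_peer_msgs={a["unknown_peer"]}')
```
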