VPN Phase 2 Tunnel stuck


L0 Member

Hi,

We have multiple S2S VPNs with many vendors but are facing an issue with Fortinet.

On our side we observe that the Phase 2 tunnel is up and packets are going out through the tunnel interface, but there is no reply. The other party says there is no issue on their end, but once we restart that Phase 2 proxy ID, it starts working.

Just to inform you that we have multiple proxy IDs. All the proxy ID tunnels come up at different times and face the issue at different times, so we need to restart only that proxy ID tunnel.

Kindly let me know how to troubleshoot whether the issue is at our end or their end.

3 REPLIES

L6 Presenter

Just make your Palo Alto the VPN responder so you can see more details in the GUI System logs:

 

How to make Palo Alto Networks firewalls Responder-only in an IPSec tunnel

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMZCA0

 

 

Also, maybe the other firewall is using a policy-based VPN:

 

Proxy-ID for VPNs Between Palo Alto Networks and Firewalls with Policy-based VPNs

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClW8CAK

L2 Linker

Hi @ISG-JHAH 

 

Are you checking the status of the IPSec tunnel from the GUI? The status of Phase 2 will stay UP (green in the GUI) as long as even one proxy ID is UP among all the proxy IDs in the Phase 2 tunnel.
Please check whether the status of the proxy ID is indeed UP. To check the status, run the command below from the CLI.

 

show vpn tunnel name <name-of-proxy-id>
You will get information like LOCAL PROXY ID, REMOTE PROXY ID, ports, etc. in the output.

 

The VPN logs generated as responder give more information, as suggested by
You can review the system logs and ikemgr logs during the issue time frame.

 

You can also refer to the KBs below:

How to Troubleshoot IPSec VPN connectivity issues 

IKEv1 VPN error logs - Troubleshooting 

IPSec and Tunneling Resource list on Configuring and Troubleshooting 

 

Regards,
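The reply above makes the key point: a green Phase 2 status can hide one dead proxy ID among several live ones, so the check has to be per proxy ID. The script below is an added example (not from this thread or from Palo Alto Networks) of how to turn that check into a repeatable triage step: take two snapshots of each proxy ID's flow counters a short time apart and flag the ones where packets are being encapsulated but nothing is being decapsulated, which is exactly the "packets go out, no reply" symptom the original poster describes. The sample output is constructed, the tunnel name FortiVPN and proxy IDs Net-A/Net-B/Net-C are hypothetical, and the exact field names the parser keys on are an assumption about the `show vpn flow name <tunnel>:<proxy-id>` output; check them against a real firewall and adjust the regex if yours differ.

```python
import re
from dataclasses import dataclass

# Constructed sample output (not captured from a real firewall), loosely
# modelled on what `show vpn flow name <tunnel>:<proxy-id>` prints on PAN-OS.
# Assumption: the real output carries "local spi", "remote spi",
# "encap packets" and "decap packets" lines; adjust FIELD_RE if yours differ.
def _sample(name, lspi, rspi, encap, decap):
    return (
        f"tunnel  {name}\n"
        f"        state:                  active\n"
        f"        local spi:              {lspi}\n"
        f"        remote spi:             {rspi}\n"
        f"        encap packets:          {encap}\n"
        f"        decap packets:          {decap}\n"
    )

# Two snapshots (t0, then t1 about 30 s later) for three hypothetical proxy IDs
# under one tunnel named FortiVPN.
SNAPSHOT_T0 = {
    "FortiVPN:Net-A": _sample("FortiVPN:Net-A", "A1B2C3D4", "0E0F1011", 10400, 10233),
    "FortiVPN:Net-B": _sample("FortiVPN:Net-B", "12345678", "9ABCDEF0", 5120, 4870),
    "FortiVPN:Net-C": _sample("FortiVPN:Net-C", "CAFEF00D", "DEADBEEF", 77, 77),
}
SNAPSHOT_T1 = {
    "FortiVPN:Net-A": _sample("FortiVPN:Net-A", "A1B2C3D4", "0E0F1011", 10650, 10480),  # both directions moving
    "FortiVPN:Net-B": _sample("FortiVPN:Net-B", "12345678", "9ABCDEF0", 5410, 4870),    # we send, nothing returns
    "FortiVPN:Net-C": _sample("FortiVPN:Net-C", "CAFEF00D", "DEADBEEF", 77, 77),        # no traffic either way
}


@dataclass(frozen=True)
class FlowCounters:
    local_spi: str
    remote_spi: str
    encap: int
    decap: int


FIELD_RE = re.compile(r"^\s*(local spi|remote spi|encap packets|decap packets):\s*(\S+)", re.M)


def parse_flow(text: str) -> FlowCounters:
    """Pull the SPIs and packet counters out of one proxy ID's flow output."""
    fields = dict(FIELD_RE.findall(text))
    missing = {"local spi", "remote spi", "encap packets", "decap packets"} - fields.keys()
    if missing:
        raise ValueError(f"flow output missing fields: {sorted(missing)}")
    return FlowCounters(
        local_spi=fields["local spi"],
        remote_spi=fields["remote spi"],
        encap=int(fields["encap packets"]),
        decap=int(fields["decap packets"]),
    )


def classify(before: FlowCounters, after: FlowCounters) -> str:
    """Compare two snapshots of one proxy ID and say what its SA is doing.

    Deltas, not absolute counters: an SA that broke an hour ago still shows a
    large decap total; only the change between samples says it is stuck now.
    """
    if (before.local_spi, before.remote_spi) != (after.local_spi, after.remote_spi) \
            or after.encap < before.encap or after.decap < before.decap:
        return "rekeyed"   # SA renegotiated between samples, counters are not comparable
    d_enc = after.encap - before.encap
    d_dec = after.decap - before.decap
    if d_dec > 0:
        return "healthy"   # traffic is coming back, this proxy ID is fine
    if d_enc > 0:
        return "one-way"   # we encapsulate and send, nothing is decapsulated: the thread's symptom
    return "idle"          # nothing either way; not evidence of a fault


def triage(t0: dict, t1: dict) -> dict:
    """Return {proxy-id-name: (status, suggested next step)} for every proxy ID present in both snapshots."""
    result = {}
    for name in sorted(t0.keys() & t1.keys()):
        status = classify(parse_flow(t0[name]), parse_flow(t1[name]))
        if status == "one-way":
            # Bounce only this proxy ID's SA, not the whole tunnel. `clear vpn ipsec-sa tunnel`
            # is a PAN-OS operational command; the <tunnel>:<proxy-id> naming follows the thread.
            step = f"clear vpn ipsec-sa tunnel {name}   (ask the peer for their decap count first)"
        elif status == "rekeyed":
            step = "SPI or counters changed between samples: take two fresh samples before deciding"
        else:
            step = "no action"
        result[name] = (status, step)
    return result


if __name__ == "__main__":
    for name, (status, step) in triage(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{name:18} {status:8} {step}")
```

Before clearing a one-way proxy ID, ask the peer for the decap counter of the same SPI: if their decap count is rising while yours is flat, your packets are arriving and the fault is in their return path (routing, policy, or NAT on their side), which is the evidence the original poster needs to settle the "whose end is it" question. If their decap count is flat too, the packets are not reaching them and the problem is on your side or in transit. The "rekeyed" branch matters because a Phase 2 rekey resets counters and changes SPIs, and comparing across it would produce a false one-way verdict.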

Yes, as @Arnesh mentioned, if needed enable debug for extra info. This is also a useful link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcKCAS
