Update to 8.0.6 appears to have broken IPSec tunnel connections

L0 Member

Since our PA updated we've had a problem with one IPSec Tunnel not routing correctly. It appears to relate to just one Proxy ID but I've checked all and they're exactly the same as the PFSense box we're connecting to. Everything was fine until the update to 8.0.6.

I've followed this KB...

https://live.paloaltonetworks.com/t5/Management-Articles/IPSec-VPN-Error-IKE-Phase-2-Negotiation-is-...

...but both Proxy IDs are perfect. The message we're getting is:


IKEv2 child SA negotiation is failed as initiator, non-rekey. Failed SA: (LOCAL IP)[500]-(DEST IP)[500] message id:0x000021F0. Error code 19


If I head into "tail follow yes mp-log ikemgr.log" I get...


2018-05-08 15:20:26.680 +0100 [PERR]: { 6: }: received Notify payload protocol 0 type TS_UNACCEPTABLE
2018-05-08 15:20:26.680 +0100 [PNTF]: { 6: }: ====> IKEv2 CHILD SA NEGOTIATION FAILED AS INITIATOR, non-rekey; gateway IKE-Harrogate <====
====> Failed SA: (LOCAL IP)[500]-(REMOTE IP)[500] message id:0x00001B7C parent SN:1450 <==== Error code 19
2018-05-08 15:20:27.793 +0100 [PWRN]: { 6: }: 38 is not a child notify type
2018-05-08 15:20:27.793 +0100 [PERR]: { 6: }: received Notify payload protocol 0 type TS_UNACCEPTABLE
2018-05-08 15:20:27.793 +0100 [PNTF]: { 6: }: ====> IKEv2 CHILD SA NEGOTIATION FAILED AS INITIATOR, non-rekey; gateway IKE-Harrogate <====
====> Failed SA: (LOCAL IP)[500]-(REMOTE IP)[500] message id:0x00001B7D parent SN:1450 <==== Error code 19
2018-05-08 15:20:27.959 +0100 [PWRN]: { 6: }: 38 is not a child notify type
2018-05-08 15:20:27.959 +0100 [PERR]: { 6: }: received Notify payload protocol 0 type TS_UNACCEPTABLE
2018-05-08 15:20:27.959 +0100 [PNTF]: { 6: }: ====> IKEv2 CHILD SA NEGOTIATION FAILED AS INITIATOR, non-rekey; gateway IKE-Harrogate <====
====> Failed SA: (LOCAL IP)[500]-(REMOTE IP)[500] message id:0x00001B7E parent SN:1450 <==== Error code 19
2018-05-08 15:20:30.758 +0100 [PWRN]: { 6: }: 38 is not a child notify type

Anyone know what I'm doing wrong here?

Here are the debug logs...

2018-05-08 16:15:05.430 +0100  [DEBG]: ===
2018-05-08 16:15:05.430 +0100  [DEBG]: 76 bytes message received from (DEST IP)[500]
2018-05-08 16:15:05.430 +0100  [DEBG]: {    6:     }: response exch type 36
2018-05-08 16:15:05.430 +0100  [DEBG]: {    6:     }: update response message_id 0x235d
2018-05-08 16:15:05.430 +0100  [DEBG]: {    6:     }: received notify type TS_UNACCEPTABLE
2018-05-08 16:15:05.430 +0100  [DEBG]: {    6:     }: ikev2_process_child_notify(0x14b8230, 0x7f6b037d8c10), notify type TS_UNACCEPTABLE
2018-05-08 16:15:05.430 +0100  [PWRN]: {    6:     }: 38 is not a child notify type
2018-05-08 16:15:05.430 +0100  [PERR]: {    6:     }: received Notify payload protocol 0 type TS_UNACCEPTABLE
2018-05-08 16:15:05.430 +0100  [PNTF]: {    6:     }: ====> IKEv2 CHILD SA NEGOTIATION FAILED AS INITIATOR, non-rekey; gateway IKE-Harrogate <====
                                                      ====> Failed SA: (LOCAL IP)[500]-(DEST IP)[500] message id:0x0000235D parent SN:1450 <==== Error code 19
2018-05-08 16:15:06.614 +0100  [DEBG]: processing isakmp packet
2018-05-08 16:15:06.614 +0100  [DEBG]: ===
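TS_UNACCEPTABLE is the IKEv2 Notify a responder returns when it rejects the traffic selectors (on PAN-OS, the Proxy ID) proposed for a child SA, so the two things worth doing with log output like the above are to attribute each failure to its gateway and notify type, and to compare both ends' selectors mirrored against each other. The script below is an added example, not code from the post or from Palo Alto Networks: the log sample is constructed in the layout of the ikemgr.log excerpt quoted above with made-up addresses, a second gateway name "IKE-Other" and made-up message ids, and the ProxyID class, its strict versus overlap comparison modes, and the field names are assumptions made for the example (RFC 7296 section 2.9 allows a responder to narrow overlapping selectors, but whether a given firewall narrows or insists on an exact mirrored match is implementation-specific).

```python
import re
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of the ikemgr.log excerpt quoted above.
# Addresses, the second gateway name and the message ids are made up.
SAMPLE_LOG = """\
2018-05-08 15:20:26.680 +0100 [PERR]: { 6: }: received Notify payload protocol 0 type TS_UNACCEPTABLE
2018-05-08 15:20:26.680 +0100 [PNTF]: { 6: }: ====> IKEv2 CHILD SA NEGOTIATION FAILED AS INITIATOR, non-rekey; gateway IKE-Harrogate <====
====> Failed SA: 203.0.113.10[500]-198.51.100.20[500] message id:0x00001B7C parent SN:1450 <==== Error code 19
2018-05-08 15:20:27.793 +0100 [PWRN]: { 6: }: 38 is not a child notify type
2018-05-08 15:20:27.793 +0100 [PERR]: { 6: }: received Notify payload protocol 0 type TS_UNACCEPTABLE
2018-05-08 15:20:27.793 +0100 [PNTF]: { 6: }: ====> IKEv2 CHILD SA NEGOTIATION FAILED AS INITIATOR, non-rekey; gateway IKE-Harrogate <====
    ====> Failed SA: 203.0.113.10[500]-198.51.100.20[500] message id:0x00001B7D parent SN:1450 <==== Error code 19
2018-05-08 15:21:00.000 +0100 [PNTF]: { 7: }: ====> IKEv2 CHILD SA NEGOTIATION FAILED AS INITIATOR, non-rekey; gateway IKE-Other <====
====> Failed SA: 203.0.113.10[500]-192.0.2.5[500] message id:0x00000001 parent SN:99 <==== Error code 19
"""

TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4})\s+\[(?P<level>\w+)\]:")
NOTIFY_RE = re.compile(r"received Notify payload protocol \d+ type (?P<notify>\w+)")
FAIL_RE = re.compile(r"CHILD SA NEGOTIATION FAILED AS (?P<role>INITIATOR|RESPONDER), "
                     r"(?P<kind>[\w-]+); gateway (?P<gw>\S+) <====")
SA_RE = re.compile(r"Failed SA: (?P<local>.+?)\[\d+\]-(?P<remote>.+?)\[\d+\] "
                   r"message id:(?P<mid>0x[0-9A-Fa-f]+) parent SN:\d+ <==== Error code (?P<code>\d+)")

@dataclass
class ChildSAFailure:
    time: str
    gateway: str
    role: str
    local: str
    remote: str
    message_id: str
    error_code: int
    notify: Optional[str]   # Notify payload seen just before the failure, if any

def parse_ikemgr(lines):
    """Pair each 'CHILD SA NEGOTIATION FAILED' line with its 'Failed SA' continuation
    and with the last 'received Notify payload' line that preceded it."""
    records, last_notify, pending = [], None, None
    for raw in lines:
        line = raw.strip()          # the 'Failed SA' continuation may be indented
        m = NOTIFY_RE.search(line)
        if m:
            last_notify = m.group("notify")
            continue
        m = FAIL_RE.search(line)
        if m:
            ts = TS_RE.match(line)
            pending = (ts.group("ts") if ts else "", m.group("gw"), m.group("role"))
            continue
        m = SA_RE.search(line)
        if m and pending:
            time, gw, role = pending
            records.append(ChildSAFailure(time, gw, role, m.group("local"), m.group("remote"),
                                          m.group("mid"), int(m.group("code")), last_notify))
            pending, last_notify = None, None
    return records

def summarize(records):
    """Count failures per (gateway, notify) so the failing peer stands out."""
    return Counter((r.gateway, r.notify) for r in records)

@dataclass(frozen=True)
class ProxyID:               # hypothetical model of one peer's configured selector
    local: str               # CIDR as seen from that peer
    remote: str
    protocol: str = "any"
    local_port: int = 0      # 0 means any
    remote_port: int = 0

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def check_proxy_ids(initiator, responder, strict=False):
    """Compare the initiator's proxy ID with the responder's, mirrored.
    Returns a list of mismatch reasons; an empty list means the selectors agree.
    strict=True demands identical networks; strict=False accepts any overlap,
    the narrowing RFC 7296 section 2.9 permits."""
    problems = []
    for side, mine, theirs in (("local", initiator.local, responder.remote),
                               ("remote", initiator.remote, responder.local)):
        a, b = _net(mine), _net(theirs)
        if strict and a != b:
            problems.append(f"initiator {side} {a} != responder mirror {b}")
        elif not a.overlaps(b):
            problems.append(f"initiator {side} {a} does not overlap responder mirror {b}")
    if initiator.protocol != responder.protocol:
        problems.append(f"protocol {initiator.protocol} != {responder.protocol}")
    if (initiator.local_port, initiator.remote_port) != (responder.remote_port, responder.local_port):
        problems.append("port mismatch")
    return problems

if __name__ == "__main__":
    for (gw, notify), n in summarize(parse_ikemgr(SAMPLE_LOG.splitlines())).items():
        print(f"{gw}: {n} child SA failure(s), notify={notify}")
    print(check_proxy_ids(ProxyID("10.1.0.0/24", "10.2.0.0/24"),
                          ProxyID("10.2.0.0/24", "10.1.0.0/25"), strict=True))
```

Feed `parse_ikemgr` the lines from the `tail follow yes mp-log ikemgr.log` command instead of the constructed sample to get the same per-gateway breakdown for a real box. Strict mode is the one to run when the two configurations look identical by eye: a mask, protocol or port that differs on one side is reported there while overlap mode would pass it.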