Hey @iamvivekms,

I cannot agree with your statement: "we have very limited options in Paloalto in terms of troubleshooting Tunnel down issues"

It is quite the opposite:

  1. Palo Alto is not the only vendor that does not store the pre-shared key in plain text. It is actually way better to do it this way rather than have it in plain text just because you lack proper documentation. Having the PSK in plain text for troubleshooting is like having your password written on a sticky note on your monitor in case you forget it...
  2. Palo Alto firewalls provide you several ways to troubleshoot IPsec tunnels. PAN is actually my favorite vendor for IPsec troubleshooting as it has excellent documentation and easy-to-use tools/commands.
    1. You can check here for commands that you can use for debugging/troubleshooting - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC
    2. If you have multiple tunnels configured on your firewall it is recommended to enable tunnel debug only for a specific peer - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcKCAS
    3. This could also be useful for you - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PORsCAO
  3. You need to remember that the receiver of the tunnel negotiation will log the actual reason for the negotiation failure. So if you want to troubleshoot the tunnel at your end (on the Palo) you can "enable passive mode" under IKE Gateway -> Advanced Options. This will force your firewall to only act as receiver and never as initiator for this peer. I believe Palo Alto TAC recommends this option only during troubleshooting, as it will cause traffic drops if your firewall receives traffic that needs to be sent over the tunnel but it is not established yet.

A wrong PSK is the most common mistake when configuring a new tunnel, so my suggestion in this case is:

1. Re-enter the PSK at your end of the tunnel.

2. Re-enter the PSK at the remote end of the tunnel.

3. Agree on a new PSK.
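Added example (not part of the post above, and not PAN-OS code): a simplified model of IKEv1 main-mode pre-shared-key authentication that shows why only the responder can log "wrong PSK" as the reason, and why flipping the local firewall into passive mode moves that reason into the local log. It follows the RFC 2409 formulas for SKEYID, HASH_I and HASH_R but assumes HMAC-SHA256 as the PRF, random bytes in place of the Diffie-Hellman public values, and a responder that silently drops a failed authentication (what the initiator actually sees varies by IKE version and vendor); the peer identities and SA string are constructed.

```python
import hmac
import hashlib
import os

# Simplified model of IKEv1 main-mode PSK authentication (RFC 2409 formulas).
# Assumptions: HMAC-SHA256 stands in for the negotiated PRF, os.urandom output
# stands in for the DH public values, and a failed auth is a silent drop.


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b): the PSK never crosses the wire,
    # it only keys the hashes, so a mismatch shows up as a bad hash, not a bad key.
    return prf(psk, ni + nr)


def auth_hash(psk: bytes, ni: bytes, nr: bytes, g_self: bytes, g_peer: bytes,
              cky_self: bytes, cky_peer: bytes, sa_i: bytes, id_self: bytes) -> bytes:
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    return prf(skeyid(psk, ni, nr), g_self + g_peer + cky_self + cky_peer + sa_i + id_self)


def negotiate(initiator_psk: bytes, responder_psk: bytes) -> dict:
    """Run the phase-1 authentication step between two peers that each hold
    their own configured PSK, and return what each side can observe."""
    # Values both sides see on the wire (constructed for this example).
    ni, nr = os.urandom(16), os.urandom(16)
    gxi, gxr = os.urandom(32), os.urandom(32)
    cky_i, cky_r = os.urandom(8), os.urandom(8)
    sa_i = b"SA:aes256-sha256-group14"
    id_i, id_r = b"ID:initiator.example", b"ID:responder.example"

    # Initiator builds HASH_I with the PSK it was configured with and sends it.
    hash_i_sent = auth_hash(initiator_psk, ni, nr, gxi, gxr, cky_i, cky_r, sa_i, id_i)

    # Responder recomputes HASH_I with *its* PSK. It is the only party holding
    # both values, so it is the only side that can say why the tunnel failed.
    hash_i_expected = auth_hash(responder_psk, ni, nr, gxi, gxr, cky_i, cky_r, sa_i, id_i)
    if not hmac.compare_digest(hash_i_sent, hash_i_expected):
        return {
            "established": False,
            "responder_log": "phase-1 auth failed: HASH_I mismatch (pre-shared key probably wrong)",
            "initiator_log": "no valid reply from peer; retransmitting, then timeout",
        }

    # PSKs match: responder answers with HASH_R, which the initiator verifies.
    hash_r_sent = auth_hash(responder_psk, ni, nr, gxr, gxi, cky_r, cky_i, sa_i, id_r)
    hash_r_expected = auth_hash(initiator_psk, ni, nr, gxr, gxi, cky_r, cky_i, sa_i, id_r)
    ok = hmac.compare_digest(hash_r_sent, hash_r_expected)
    return {
        "established": ok,
        "responder_log": "phase-1 SA established",
        "initiator_log": "phase-1 SA established" if ok else "HASH_R mismatch",
    }


def local_log_with_passive_mode(local_psk: bytes, remote_psk: bytes, passive: bool) -> str:
    """What the local firewall's own log says. Passive mode forces the local
    side to be the responder, so the real failure reason lands locally."""
    if passive:
        return negotiate(initiator_psk=remote_psk, responder_psk=local_psk)["responder_log"]
    return negotiate(initiator_psk=local_psk, responder_psk=remote_psk)["initiator_log"]


if __name__ == "__main__":
    print(negotiate(b"s3cret", b"s3cret"))
    print(negotiate(b"s3cret", b"S3cret"))
    print(local_log_with_passive_mode(b"s3cret", b"S3cret", passive=False))
    print(local_log_with_passive_mode(b"s3cret", b"S3cret", passive=True))
```

With a one-character PSK difference the initiator only ever sees retransmits and a timeout, while the responder's log carries the hash mismatch; that is the asymmetry behind the advice to enable passive mode on the firewall you can actually read logs from, and to simply re-enter or renew the PSK on both ends rather than try to read it back.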
