IPSEC Troubleshooting Palo Alto 1699387222

This document provides guidance on troubleshooting IPsec VPN connectivity issues. It outlines steps to check IKE phase 1 and phase 2 negotiations including verifying identity, policy, proposals, pre-shared keys and vendor support. Useful CLI commands are provided to check IKE security associations, debug negotiations, and view logs. Additional checks include verifying firewall configuration, security policies, routing and devices performing address translations. Common error messages are interpreted with recommended resolutions such as verifying peer addresses, common proposals, pfs settings, and configuring proxy IDs.

www.nettechcloud.com
________________________________________________________________________________________________

HOW TO TROUBLESHOOT IPSEC VPN CONNECTIVITY ISSUES

IKE Phase 1

- Rule out ISP-related issues
- Check for the responses to the "Are you there?" (dead peer detection) messages from the peer in the system logs
- Check that the IKE identity is configured correctly
- Check that the policy is in place to permit the IKE and IPsec applications
- Check that the proposals are correct
- Check that the pre-shared key is correct
- Check that the vendor ID of the peer is supported on the Palo Alto Networks device

Useful CLI commands:

> show vpn ike-sa gateway <name>
> test vpn ike-sa gateway <name>
> debug ike stat
> debug ike global on debug
> less mp-log ikemgr.log

IKE Phase 2

- Check if the firewalls are negotiating the tunnels, and ensure that two unidirectional SPIs (one inbound, one outbound) exist:

> show vpn ipsec-sa
> show vpn ipsec-sa tunnel <tunnel.name>

- Check if the proposals are correct. If they do not match, logs about the mismatch can be found under the system logs under the Monitor tab, or by using the following command:

> less mp-log ikemgr.log

- Check if PFS is enabled on both ends. If the settings differ, logs about the mismatch can be found under the system logs under the Monitor tab, or by using the command:

> less mp-log ikemgr.log

- Check the proxy-ID configuration. This is usually not required when the tunnel is between two Palo Alto Networks firewalls, but when the peer is from another vendor, IDs usually need to be configured. A mismatch would be indicated under the system logs, or by using the command:

> less mp-log ikemgr.log

Useful CLI commands:

> show vpn flow name <tunnel.id/tunnel.name>
> show vpn flow name <tunnel.id/tunnel.name> | match bytes

- Check if the encapsulation and decapsulation bytes are increasing. If the firewall is passing traffic, both values should be increasing.

> show vpn flow name <tunnel.id/tunnel.name> | match bytes

- If the encapsulation bytes are increasing and decapsulation is constant, then the firewall is sending but not receiving packets.
- Check whether a policy is dropping the traffic, or whether a port-translating device in front of the PAN firewall might be dropping the ESP packets.

> show vpn flow name <tunnel.id/tunnel.name> | match bytes

- If the decapsulation bytes are increasing and encapsulation is constant, then the firewall is receiving but not transmitting packets.
- Check whether a policy is dropping the traffic.
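
The counter comparison above can be scripted: take the "bytes" lines from two snapshots of show vpn flow name <tunnel.name> | match bytes a few seconds apart and map the movement to the branches of the checklist. This is an added example, not part of the original document or of PAN-OS; the counter line layout ("encap bytes:" / "decap bytes:") and the sample values are assumed and constructed.

```python
import re

# Constructed sample snapshots in the assumed shape of the matched output lines.
SAMPLE_T0 = """\
        encap bytes:          120440
        decap bytes:          98016
"""
SAMPLE_T1 = """\
        encap bytes:          184320
        decap bytes:          98016
"""

_BYTES_RE = re.compile(r"^\s*(encap|decap)\s+bytes:\s*(\d+)", re.M)


def parse_bytes(output):
    """Return {'encap': int, 'decap': int} from the '| match bytes' output."""
    counters = {m.group(1): int(m.group(2)) for m in _BYTES_RE.finditer(output)}
    missing = {"encap", "decap"} - counters.keys()
    if missing:
        raise ValueError(f"counter lines missing from output: {sorted(missing)}")
    return counters


def diagnose(before, after):
    """Compare two snapshots and return (state, next check) per the checklist."""
    encap_up = after["encap"] > before["encap"]
    decap_up = after["decap"] > before["decap"]
    if encap_up and decap_up:
        return "passing", "Both counters increasing: the tunnel is carrying traffic both ways."
    if encap_up:
        return "tx-only", ("Encap increasing, decap constant: sending but not receiving. "
                           "Check policy on the peer side and any PAT device in front of "
                           "the firewall that may be dropping ESP.")
    if decap_up:
        return "rx-only", ("Decap increasing, encap constant: receiving but not sending. "
                           "Check the security policy and routing on this firewall.")
    return "idle", "Neither counter moved: no traffic is reaching the tunnel; check routing."


def diagnose_outputs(out_before, out_after):
    """Convenience wrapper: parse both raw snapshots, then diagnose."""
    return diagnose(parse_bytes(out_before), parse_bytes(out_after))


if __name__ == "__main__":
    state, advice = diagnose_outputs(SAMPLE_T0, SAMPLE_T1)
    print(state, "-", advice)
```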

Advanced CLI Commands:


> debug ike global on debug
> less mp-log ikemgr.log
> debug ike pcap on
> view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap
> debug ike pcap off

If tunnels are up but traffic is not passing through the tunnel:

- Check the security policy and routing.
- Check for any devices upstream that perform port-and-address translation. Because ESP is a layer 3 protocol, ESP packets do not have port numbers. When such devices receive ESP packets, there is a high possibility they will silently drop them, because they do not see port numbers to translate.
- Apply debug packet filters, captures or logs, if necessary, to isolate where the traffic is getting dropped.

Interpret VPN Error Messages
IF ERROR IS THIS

ERROR 1: IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: x.x.x.x[500]-y.y.y.y[500] cookie:84222f276c2fa2e9:0000000000000000 due to timeout.

OR

ERROR 2: IKE phase 1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP x.x.x.x [1929]

RESOLUTION

- Verify that the public IP address for each VPN peer is accurate in the IKE Gateway configuration
- Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure

ERROR 3: Received unencrypted notify payload (no proposal chosen) from IP x.x.x.x[500] to y.y.y.y[500], ignored..

RESOLUTION

- Check the IKE Crypto profile configuration to verify that the proposals on both sides have a common encryption, authentication, and DH Group proposal

ERROR 5: pfs group mismatched: my: 2 peer: 0

OR

ERROR 6: IKE phase-2 negotiation failed when processing SA payload. No suitable proposal found in peer's SA payload

RESOLUTION

- Check the IPsec Crypto profile configuration to verify that:
  - PFS is either enabled or disabled on both VPN peers
  - the DH Groups proposed by each peer have at least one DH Group in common

ERROR 7: IKE phase-2 negotiation failed when processing Proxy ID. Received local id x.x.x.x/x type IPv4 address protocol 0 port 0, received remote id y.y.y.y/y type IPv4 address protocol 0 port 0.

RESOLUTION

The VPN peer on one end is using a policy-based VPN. You must configure a matching Proxy ID on the Palo Alto Networks firewall.

You can buy the complete Palo Alto Firewall Troubleshooting Course (recorded videos with practical demonstrations) from

https://nettechcloud.com/courses/troubleshooting-palo-alto-firewall-panos-10/?tab=tab-overview
