Network Security
Troubleshoot Your IPSec VPN Tunnel Connection
| Where Can I Use This? | What Do I Need? |
|---|---|
| | No license required |
Test and troubleshoot your IPSec VPN connection to get its maximum performance. Before testing VPN connectivity, familiarize yourself with the common VPN error messages.
The following table lists some of the common VPN error messages that are logged in the system log.

| If an error is this: | Try this: |
|---|---|
| IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: x.x.x.x[500]-y.y.y.y[500] cookie:84222f276c2fa2e9:0000000000000000 due to timeout. or IKE phase 1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP x.x.x.x[1929] | |
| Received unencrypted notify payload (no proposal chosen) from IP x.x.x.x[500] to y.y.y.y[500], ignored... or IKE phase-1 negotiation is failed. Unable to process peer's SA payload. | Check the IKE Crypto profile configuration to verify that the proposals on both sides have a common encryption, authentication, and DH Group proposal. |
| pfs group mismatched:my: 2 peer: 0 or IKE phase-2 negotiation failed when processing SA payload. No suitable proposal found in peer's SA payload. | Check the IPSec Crypto profile configuration to verify that: |
| IKE phase-2 negotiation failed when processing Proxy ID. Received local id x.x.x.x/x type IPv4 address protocol 0 port 0, received remote id y.y.y.y/y type IPv4 address protocol 0 port 0. | The VPN peer on one end is using a policy-based VPN. You must configure a proxy ID on the Palo Alto Networks firewall. See Create a Proxy ID to identify the VPN peers. |
| Commit error: Tunnel interface tunnel.x multiple binding limitation (xx) reached. | You have most likely reached the maximum number of proxy IDs supported on your firewall. Check the maximum number of proxy IDs supported on your firewall before establishing an IPSec tunnel. We recommend that you check this limit before configuring proxy IDs for the VPN peers. If you have a use case where you want to implement an IPSec VPN tunnel with more than the maximum proxy IDs supported on a firewall, follow these steps: |
| Proxy ID mismatch | A Proxy ID mismatch causes the site-to-site IPSec VPN tunnel to fail to establish. Therefore, configure identical Proxy IDs on both VPN peers to establish the site-to-site IPSec VPN tunnel successfully. For example, in a site-to-site IPSec tunnel configuration, if one VPN peer is configured with an IP address and a netmask of /32 and the remote VPN peer is configured with the same IP address but a different netmask of /16, the VPN tunnel fails to establish. Other firewall vendors refer to the Proxy ID as the Access List or Access Control List (ACL). Proxy IDs on the two VPN peers should be exact mirrors of each other (that is, opposite), not identical. Example proxy ID configuration for VPN peers to establish an IPSec VPN tunnel: if VPN firewall 1 is configured with 192.0.2.0/24 as the local ID and 192.0.2.25/24 as the peer ID, then VPN firewall 2 must be configured with 192.0.2.25/24 as the local ID and 192.0.2.0/24 as the peer ID. |
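The two checks a practitioner does by hand when working through the table above, sorting system-log lines into the table's categories and confirming that the proxy IDs on the two peers mirror each other exactly (including the prefix length, which is what the /32 versus /16 case trips over), can be scripted. The following is an added example and not Palo Alto Networks code; the regular expressions are modelled on the message text in the table, the sample log lines are constructed (the `(250)` limit and the addresses are placeholders), and the mirror check compares addresses and prefixes only, not the protocol and port parts of a proxy ID.

```python
import ipaddress
import re

# Each rule: (pattern over the log text, short verdict, action from the table above).
# Patterns are assumptions modelled on the message text shown in the table.
RULES = [
    (re.compile(r"phase-1 negotiation is failed.*due to timeout|"
                r"Couldn.t find configuration for IKE phase-1"),
     "phase1-timeout-or-unknown-peer",
     "the table lists no fix for this message; review the system log"),
    (re.compile(r"no proposal chosen|Unable to process peer.s SA payload"),
     "phase1-proposal-mismatch",
     "check the IKE Crypto profile for a common encryption, authentication and DH group"),
    (re.compile(r"pfs group mismatched|phase-2 negotiation failed when processing SA payload"),
     "phase2-proposal-mismatch",
     "check the IPSec Crypto profile on both peers"),
    (re.compile(r"phase-2 negotiation failed when processing Proxy ID"),
     "proxy-id-mismatch",
     "peer is policy-based; configure a matching proxy ID on the firewall"),
    (re.compile(r"multiple binding limitation \(\d+\) reached"),
     "proxy-id-limit-reached",
     "maximum number of proxy IDs on this firewall reached"),
]


def classify(line):
    """Return (verdict, action) for one system-log line; first matching rule wins."""
    for pattern, verdict, action in RULES:
        if pattern.search(line):
            return verdict, action
    return "unclassified", "no rule matched; read the message in context"


def triage(lines):
    """Classify every line, keeping the original text beside the verdict."""
    return [(line, *classify(line)) for line in lines]


def proxy_ids_mirror(peer_a, peer_b):
    """peer_a and peer_b are (local, remote) proxy-ID prefixes of the two VPN peers.

    They mirror each other when B's local is exactly A's remote and B's remote is
    exactly A's local. ip_interface keeps both the host address and the prefix
    length, so 10.1.1.1/32 on one side and 10.1.1.1/16 on the other do not match.
    """
    a_local, a_remote = map(ipaddress.ip_interface, peer_a)
    b_local, b_remote = map(ipaddress.ip_interface, peer_b)
    return a_local == b_remote and a_remote == b_local


# Constructed sample log lines (addresses from documentation ranges, limit is a placeholder).
SAMPLE_LOG = [
    "IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: "
    "198.51.100.10[500]-203.0.113.20[500] cookie:84222f276c2fa2e9:0000000000000000 due to timeout.",
    "Received unencrypted notify payload (no proposal chosen) from IP 203.0.113.20[500] "
    "to 198.51.100.10[500], ignored...",
    "pfs group mismatched:my: 2 peer: 0",
    "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 10.1.1.0/24 "
    "type IPv4 address protocol 0 port 0, received remote id 10.2.2.0/24 type IPv4 address "
    "protocol 0 port 0.",
    "Commit error: Tunnel interface tunnel.41 multiple binding limitation (250) reached.",
    "IKE phase-1 negotiation is started as initiator, main mode.",
]

if __name__ == "__main__":
    for line, verdict, action in triage(SAMPLE_LOG):
        print(f"{verdict:32} {action}\n    {line[:70]}")
    # The page's own example pair mirrors; the /32 versus /16 case does not.
    print(proxy_ids_mirror(("192.0.2.0/24", "192.0.2.25/24"), ("192.0.2.25/24", "192.0.2.0/24")))
    print(proxy_ids_mirror(("10.1.1.1/32", "10.2.2.0/24"), ("10.2.2.0/24", "10.1.1.1/16")))
```

The rule order matters only where messages overlap; the phase-1 "Unable to process peer's SA payload" and the phase-2 "No suitable proposal found in peer's SA payload" are kept apart by anchoring each pattern on text unique to its row rather than on the shared words "SA payload".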
Test VPN Connectivity
Perform this task to test VPN connectivity.
- Initiate IKE phase 1 by either pinging a host across the tunnel or using the following CLI command:
  `test vpn ike-sa gateway <gateway_name>`
- Enter the following command to test whether IKE phase 1 is set up:
  `show vpn ike-sa gateway <gateway_name>`
  In the output, check whether the security association displays. If it doesn't, review the system log messages to interpret the reason for failure.
- Initiate IKE phase 2 by either pinging a host from across the tunnel or using the following CLI command:
  `test vpn ipsec-sa tunnel <tunnel_name>`
- Enter the following command to test whether IKE phase 2 is set up:
  `show vpn ipsec-sa tunnel <tunnel_name>`
  In the output, check whether the security association displays. If it doesn't, review the system log messages to interpret the reason for failure.
- To view the VPN traffic flow information, use the following command:
  `show vpn flow`

  ```
  total tunnels configured:                                  1
  filter - type IPSec, state any
  total IPSec tunnel configured:                             1
  total IPSec tunnel shown:                                  1
  name                 id    state   local-ip        peer-ip         tunnel-i/f
  -----------------------------------------------------------------------------------
  vpn-to-siteB         5     active  100.1.1.1       200.1.1.1       tunnel.41
  ```
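When the connectivity check above is run from a script or a monitoring job, the interesting part of `show vpn flow` is the state column and whether the row count agrees with the "total IPSec tunnel shown" counter. The parser below is an added example, not Palo Alto Networks code; it takes the sample output reproduced above (the column spacing is an assumption about the CLI layout) and reports the state of a named tunnel, raising an error when the table and the counters disagree so that a truncated capture is not mistaken for a healthy one.

```python
import re

# Output of `show vpn flow` as reproduced on the page, re-wrapped into the line
# layout the CLI prints. Column spacing is an assumption.
SAMPLE_FLOW = """\
total tunnels configured:                                  1
filter - type IPSec, state any
total IPSec tunnel configured:                             1
total IPSec tunnel shown:                                  1
name                 id    state   local-ip        peer-ip         tunnel-i/f
-----------------------------------------------------------------------------------
vpn-to-siteB         5     active  100.1.1.1       200.1.1.1       tunnel.41
"""

# Column names taken from the header line of the sample output.
COLUMNS = ("name", "id", "state", "local-ip", "peer-ip", "tunnel-i/f")


def parse_vpn_flow(text):
    """Return (summary, tunnels).

    summary maps each 'total ...: N' counter to an int; tunnels is a list of
    dicts keyed by COLUMNS, one per row below the dashed rule.
    """
    summary, tunnels = {}, []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("---"):
            in_table = True            # every line after the rule is a tunnel row
            continue
        if not in_table:
            m = re.match(r"(total [\w ]+?):\s+(\d+)$", line)
            if m:
                summary[m.group(1)] = int(m.group(2))
            continue                   # header line and filter line are skipped
        fields = line.split()
        if len(fields) != len(COLUMNS):
            raise ValueError("unexpected row layout: %r" % raw)
        row = dict(zip(COLUMNS, fields))
        row["id"] = int(row["id"])
        tunnels.append(row)
    # A capture that lost rows would otherwise look like a shorter but valid table.
    if summary.get("total IPSec tunnel shown") != len(tunnels):
        raise ValueError("row count disagrees with 'total IPSec tunnel shown'")
    return summary, tunnels


def tunnel_state(text, name):
    """State column for the named tunnel, or None if the tunnel is not listed."""
    _, tunnels = parse_vpn_flow(text)
    for tunnel in tunnels:
        if tunnel["name"] == name:
            return tunnel["state"]
    return None


if __name__ == "__main__":
    summary, tunnels = parse_vpn_flow(SAMPLE_FLOW)
    print(summary)
    for t in tunnels:
        print(f'{t["name"]}: {t["state"]} on {t["tunnel-i/f"]} ({t["local-ip"]} <-> {t["peer-ip"]})')
    print(tunnel_state(SAMPLE_FLOW, "vpn-to-siteB"))
```

A tunnel that is configured but not listed as `active` is the cue to go back to the phase 1 and phase 2 checks above and then to the system log messages in the table.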