Interpret VPN Error Messages

End-of-Life (EoL)

The following table lists some of the common VPN error messages that are logged in the system log.
Syslog Error Messages for VPN Issues

If error is this:
IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: x.x.x.x[500]-y.y.y.y[500] cookie:84222f276c2fa2e9:0000000000000000 due to timeout.
or
IKE phase 1 negotiation is failed. Couldn’t find configuration for IKE phase-1 request for peer IP x.x.x.x[1929]
Try this:
  • Verify that the public IP address for each VPN peer is accurate in the IKE Gateway configuration.
  • Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure.

If error is this:
Received unencrypted notify payload (no proposal chosen) from IP x.x.x.x[500] to y.y.y.y[500], ignored...
or
IKE phase-1 negotiation is failed. Unable to process peer’s SA payload.
Try this:
Check the IKE Crypto profile configuration to verify that the proposals on both sides have a common encryption, authentication, and DH Group proposal.

If error is this:
pfs group mismatched:my: 2peer: 0
or
IKE phase-2 negotiation failed when processing SA payload. No suitable proposal found in peer’s SA payload.
Try this:
Check the IPSec Crypto profile configuration to verify that:
  • pfs is either enabled or disabled on both VPN peers
  • the DH Groups proposed by each peer have at least one DH Group in common

If error is this:
IKE phase-2 negotiation failed when processing Proxy ID. Received local id x.x.x.x/x type IPv4 address protocol 0 port 0, received remote id y.y.y.y/y type IPv4 address protocol 0 port 0.
Try this:
The VPN peer on one end is using policy-based VPN. You must configure a Proxy ID on the Palo Alto Networks firewall. See Create a Proxy ID to identify the VPN peers.
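
The error-to-action mapping above can be applied to exported system log lines with a small triage helper. The following Python is an added example, not Palo Alto Networks code: the patterns come from the message texts listed above, while the category names, advice strings and sample lines (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import Counter

# (category, pattern from the message text in the table, advice); category names
# are this example's own labels. "." covers both straight and curly apostrophes.
RULES = [
    ("phase1-peer-address-or-reachability",
     re.compile(r"phase-1 negotiation is failed as initiator.*due to timeout"
                r"|Couldn.t find configuration for IKE phase-1 request"),
     "Verify peer public IPs in the IKE Gateway config; check ping and routing."),
    ("phase1-proposal-mismatch",
     re.compile(r"no proposal chosen|Unable to process peer.s SA payload"),
     "Compare IKE Crypto profiles: encryption, authentication, DH Group."),
    ("phase2-pfs-or-proposal-mismatch",
     re.compile(r"pfs group mismatched|No suitable proposal found in peer.s SA"),
     "Compare IPSec Crypto profiles: pfs on/off and DH Groups on both peers."),
    ("phase2-proxy-id",
     re.compile(r"phase-2 negotiation failed when processing Proxy ID"),
     "Peer is policy-based: configure a Proxy ID on the firewall."),
]
ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\[(\d+)\]")  # addr[port]
PFS = re.compile(r"my:\s*(\d+)\s*peer:\s*(\d+)")              # "my: 2peer: 0"
PROXY = re.compile(r"(local|remote) id (\S+?/\d+)")           # id as addr/len

def triage(line):
    """Return (category, details, advice) for one log line, or None."""
    for category, pattern, advice in RULES:
        if pattern.search(line):
            details = {"endpoints": ENDPOINT.findall(line)}
            if (m := PFS.search(line)):
                details["pfs"] = {"my": int(m.group(1)), "peer": int(m.group(2))}
            if (ids := dict(PROXY.findall(line))):
                details["proxy_ids"] = ids
            return category, details, advice
    return None

def summarize(lines):
    """Count matches per category so the dominant failure stands out."""
    return Counter(hit[0] for hit in map(triage, lines) if hit)

# Constructed sample lines using documentation-range addresses.
SAMPLE = [
    "IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: "
    "192.0.2.10[500]-198.51.100.20[500] cookie:84222f276c2fa2e9:0000000000000000 due to timeout.",
    "pfs group mismatched:my: 2peer: 0",
    "IKE phase-2 negotiation failed when processing Proxy ID. Received local id "
    "192.0.2.0/24 type IPv4 address protocol 0 port 0, received remote id "
    "198.51.100.0/24 type IPv4 address protocol 0 port 0.",
]
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Lines that match no rule return None, so unrelated system log entries are skipped rather than misclassified.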