Troubleshoot Your IPSec VPN Tunnel Connection
Where Can I Use This?
  • PAN-OS
What Do I Need?
  • No license required
Test and troubleshoot your IPSec VPN connection. Before you test VPN connectivity, familiarize yourself with the common VPN error messages: each one tells you which stage failed (IKE phase 1, IKE phase 2, or the commit) and therefore where to look first.
The following table lists common VPN error messages that are logged in the system log, together with what to check for each.
Syslog Error Messages for VPN Issues

If the error is this:
  IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: x.x.x.x[500]-y.y.y.y[500] cookie:84222f276c2fa2e9:0000000000000000 due to timeout.
  or
  IKE phase 1 negotiation is failed. Couldn’t find configuration for IKE phase-1 request for peer IP x.x.x.x[1929]
Try this:
  • Verify that the public IP address for each VPN peer is accurate in the IKE Gateway configuration.
  • Verify that the IP addresses can be pinged and that routing issues aren’t causing the connection failure.
  • The second message means that no IKE Gateway matches the source address of the incoming request. A source port other than 500 (such as 1929 above) usually indicates that the peer is behind NAT, so confirm which address the peer actually presents to the firewall.

If the error is this:
  Received unencrypted notify payload (no proposal chosen) from IP x.x.x.x[500] to y.y.y.y[500], ignored...
  or
  IKE phase-1 negotiation is failed. Unable to process peer’s SA payload.
Try this:
  Check the IKE Crypto profile configuration to verify that the proposals on both sides have a common encryption, authentication, and DH group proposal.

If the error is this:
  pfs group mismatched: my: 2 peer: 0
  or
  IKE phase-2 negotiation failed when processing SA payload. No suitable proposal found in peer’s SA payload.
Try this:
  Check the IPSec Crypto profile configuration to verify that:
  • PFS is either enabled or disabled on both VPN peers (in the first message, peer: 0 means the peer sent no PFS group, that is, PFS is disabled on that side)
  • when PFS is enabled, the DH groups proposed by each peer have at least one group in common

If the error is this:
  IKE phase-2 negotiation failed when processing Proxy ID. Received local id x.x.x.x/x type IPv4 address protocol 0 port 0, received remote id y.y.y.y/y type IPv4 address protocol 0 port 0.
Try this:
  The VPN peer on one end is using a policy-based VPN. You must configure a proxy ID on the Palo Alto Networks firewall that mirrors the peer's policy. See Create a Proxy ID to identify the VPN peers.

If the error is this:
  Commit error: Tunnel interface tunnel.x multiple binding limitation (xx) reached.
Try this:
  The firewall has reached the maximum number of proxy IDs it supports. Check the maximum proxy IDs supported on your firewall before configuring proxy IDs for the VPN peers. If you need an IPSec VPN tunnel with more proxy IDs than the firewall supports, use one of these approaches:
  • Configure another tunnel with the same phase 1 and phase 2 configuration and split the proxy IDs across the tunnels.
  • Supernet the proxy ID addresses. For example, instead of 10.1.0.0/16 and 10.2.0.0/16 as separate entries, use 10.0.0.0/8 as a single entry. A wider selector admits more traffic into the tunnel, so change it on both peers together and keep security policy restricting what may actually cross.
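The table above is easiest to apply when the mapping from message to check is automated, for example over a system-log export. The following is an added example for this page, not PAN-OS code: it classifies each message into the failure class and check the table prescribes, pulls out the peer addresses and, for the PFS message, decodes the group numbers. The log lines it runs on are constructed to match the message shapes quoted above, with addresses from the documentation ranges; the rule labels and check wording are this example's own.

```python
"""Map PAN-OS VPN system-log messages to the failure class and the check the
table above prescribes.  Added example for this page, not PAN-OS code; the
sample log lines are constructed to match the quoted message shapes."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Diagnosis:
    phase: str                      # "phase-1", "phase-2" or "commit"
    cause: str                      # short label for the failure class
    check: str                      # what to verify, following the table
    peers: List[Tuple[str, int]] = field(default_factory=list)  # (ip, port) found in the line
    detail: Optional[str] = None    # decoded PFS groups, when present


# (regex, phase, cause, check).  Specific patterns come before generic ones.
RULES = [
    (r"phase-?1 negotiation is failed.*due to timeout", "phase-1",
     "peer did not answer",
     "Check the IKE Gateway peer address, that the peer is reachable, and that "
     "routing is not black-holing UDP/500 (UDP/4500 when NAT-T is in use)."),
    (r"Couldn.t find configuration for IKE phase-?1 request", "phase-1",
     "no IKE Gateway matches the requesting peer",
     "Check that the peer's public IP matches the IKE Gateway configuration "
     "(a non-500 source port usually means NAT in front of the peer)."),
    (r"no proposal chosen|Unable to process peer.s SA payload", "phase-1",
     "IKE crypto proposal mismatch",
     "Compare the IKE Crypto profiles: one common encryption, authentication "
     "and DH group is required."),
    (r"pfs group mismatched|phase-?2 negotiation failed when processing SA payload",
     "phase-2", "IPSec crypto or PFS mismatch",
     "Compare the IPSec Crypto profiles: PFS on or off on both peers, and a "
     "common DH group when it is on."),
    (r"phase-?2 negotiation failed when processing Proxy ID", "phase-2",
     "proxy ID mismatch",
     "The peer is policy-based or its selectors differ; configure mirrored "
     "proxy IDs on the firewall."),
    (r"multiple binding limitation", "commit",
     "proxy ID limit reached",
     "Check the maximum proxy IDs for the platform; add a second tunnel or "
     "supernet the selectors."),
]
ADDR = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\[(\d+)\]")
PFS = re.compile(r"my:\s*(\d+)\s*peer:\s*(\d+)")


def diagnose(line: str) -> Optional[Diagnosis]:
    """Return a Diagnosis for a known message, or None for anything else."""
    for pattern, phase, cause, check in RULES:
        if re.search(pattern, line, re.IGNORECASE):
            d = Diagnosis(phase, cause, check,
                          [(ip, int(port)) for ip, port in ADDR.findall(line)])
            m = PFS.search(line)
            if m:
                mine, theirs = int(m.group(1)), int(m.group(2))
                # A group of 0 means that side sent no PFS group (PFS disabled).
                d.detail = (f"local PFS DH group {mine}, peer "
                            + ("has PFS disabled" if theirs == 0
                               else f"DH group {theirs}"))
            return d
    return None


def triage(lines) -> List[Diagnosis]:
    """Diagnoses for every recognised line, in input order."""
    return [d for d in map(diagnose, lines) if d is not None]


# Constructed sample lines; the last one is noise that must be ignored.
SAMPLE_LOG = [
    "IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: "
    "203.0.113.10[500]-198.51.100.7[500] cookie:84222f276c2fa2e9:0000000000000000 "
    "due to timeout.",
    "IKE phase 1 negotiation is failed. Couldn't find configuration for IKE "
    "phase-1 request for peer IP 198.51.100.7[1929]",
    "pfs group mismatched: my: 2 peer: 0",
    "IKE phase-2 negotiation failed when processing Proxy ID. Received local id "
    "10.2.0.0/16 type IPv4 address protocol 0 port 0, received remote id "
    "10.1.0.0/16 type IPv4 address protocol 0 port 0.",
    "Commit error: Tunnel interface tunnel.41 multiple binding limitation (xx) reached.",
    "Interface tunnel.41 link state change",
]

if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(f"[{d.phase}] {d.cause}: {d.check}", d.detail or "", d.peers)
```

The rule order matters: the timeout pattern is tried before the generic "couldn't find configuration" one, and the proxy-ID pattern is distinct from the SA-payload pattern, so a phase-2 proxy ID failure is never reported as a crypto mismatch.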
Proxy ID mismatch
A proxy ID mismatch prevents the site-to-site IPSec VPN tunnel from being established (IKE phase 2 fails). Configure the proxy IDs on both VPN peers so that each exactly mirrors the other.
For example: in a site-to-site IPSec tunnel configuration, if one VPN peer is configured with an IP address and a /32 netmask and the remote VPN peer is configured with the same IP address but a /16 netmask, the VPN tunnel fails to establish. The netmask is part of the proxy ID, so the two sides do not match even though the address is the same.
On firewalls from other vendors, proxy IDs are referred to as the access list or access control list (ACL); in the IKE standards they are the traffic selectors.
The proxy IDs on the two VPN peers must be exact mirrors of each other: the local ID on one peer is the remote ID on the other, with the same netmask, protocol, and port. They must not be identical on both sides.
Example proxy ID configuration for VPN peers to establish an IPSec VPN tunnel:
If VPN firewall 1 is configured with 192.0.2.0/24 as the local ID and 192.0.2.25/24 as the peer ID, then VPN firewall 2 must be configured with 192.0.2.25/24 as the local ID and 192.0.2.0/24 as the peer ID.
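Both the mirror rule in this section and the supernet workaround for the proxy ID limit above come down to comparing CIDR selectors, which is easy to get wrong by eye. The following is an added example for this page, not PAN-OS code: it checks that two peers' proxy ID lists are exact mirrors (netmask included, so the /32 versus /16 mistake is caught), merges selectors losslessly where they are adjacent, and computes the smallest supernet covering a set of selectors. The site configurations are constructed; the function names are this example's own.

```python
"""Proxy ID checks: (1) verify that the proxy IDs on two peers are exact
mirrors, netmask included, and (2) compute the merged selector used when the
proxy ID limit is reached.  Added example for this page, not PAN-OS code; the
site configurations are constructed."""
from ipaddress import ip_network, collapse_addresses
from typing import Iterable, List, Tuple

# A proxy ID as configured on one peer: (local selector, remote selector).
ProxyID = Tuple[str, str]


def _net(cidr: str):
    # strict=False keeps entries such as 192.0.2.10/16 parseable; the prefix
    # length is preserved, which is what the comparison must be sensitive to.
    return ip_network(cidr, strict=False)


def mirror_errors(site_a: Iterable[ProxyID], site_b: Iterable[ProxyID]) -> List[str]:
    """Empty list when every proxy ID on A has the exact mirror (remote, local)
    on B and vice versa; otherwise one message per unmatched entry."""
    a = {(_net(l), _net(r)) for l, r in site_a}
    # B's entries as A would have to see them: swap local and remote.
    b = {(_net(r), _net(l)) for l, r in site_b}
    errors = []
    for l, r in sorted(a - b, key=str):
        errors.append(f"site A {l} -> {r} has no mirror on site B")
    for l, r in sorted(b - a, key=str):
        errors.append(f"site B {r} -> {l} has no mirror on site A")
    return errors


def lossless_merge(selectors: Iterable[str]):
    """Merge only adjacent or overlapping selectors; no new addresses are
    admitted.  10.0.0.0/16 + 10.1.0.0/16 -> 10.0.0.0/15."""
    return list(collapse_addresses(_net(s) for s in selectors))


def common_supernet(selectors: Iterable[str]):
    """Smallest single prefix covering all selectors: 10.1.0.0/16 + 10.2.0.0/16
    -> 10.0.0.0/14 (the page's 10.0.0.0/8 also works but is far wider than
    needed).  Every address in between is now admitted into the tunnel, so
    apply the change on both peers and rely on security policy to restrict
    what actually crosses."""
    nets = [_net(s) for s in selectors]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


# Constructed configurations.  The second entry on each side reproduces the
# /32-versus-/16 mistake described above.
SITE_A = [("10.1.0.0/16", "10.2.0.0/16"), ("192.0.2.10/32", "10.2.0.0/16")]
SITE_B = [("10.2.0.0/16", "10.1.0.0/16"), ("10.2.0.0/16", "192.0.2.10/16")]

if __name__ == "__main__":
    for e in mirror_errors(SITE_A, SITE_B) or ["proxy IDs mirror correctly"]:
        print(e)
    print(common_supernet(["10.1.0.0/16", "10.2.0.0/16"]))
    print(lossless_merge(["10.0.0.0/16", "10.1.0.0/16", "10.5.0.0/16"]))
```

Prefer lossless_merge when it reduces the entry count enough; reach for common_supernet only when it does not, because the supernet widens what the tunnel accepts on both ends.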

Test VPN Connectivity

Perform this task to test VPN connectivity.
  1. Initiate IKE phase 1 by pinging a host across the tunnel (the traffic triggers negotiation only if a route directs it into the tunnel interface) or by using the following CLI command:
    test vpn ike-sa gateway <gateway_name>
  2. Enter the following command to check whether IKE phase 1 is set up:
    show vpn ike-sa gateway <gateway_name>
    In the output, check whether an IKE security association is listed for the gateway. If none is, review the system log messages to find the reason for the failure.
  3. Initiate IKE phase 2 by pinging a host across the tunnel or by using the following CLI command:
    test vpn ipsec-sa tunnel <tunnel_name>
  4. Enter the following command to check whether IKE phase 2 is set up:
    show vpn ipsec-sa tunnel <tunnel_name>
    In the output, check whether an IPSec security association is listed for the tunnel. If none is, review the system log messages to find the reason for the failure.
  5. To view the VPN traffic flow information, use the following command and confirm that the tunnel you are testing is listed with state active and bound to the expected tunnel interface:
    show vpn flow
    total tunnels configured:             1
    filter - type IPSec, state any

    total IPSec tunnel configured:        1
    total IPSec tunnel shown:             1

    name                id    state    local-ip     peer-ip      tunnel-i/f
    ------------------------------------------------------------------------
    vpn-to-siteB        5     active   100.1.1.1    200.1.1.1    tunnel.41
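When the check in step 5 runs from a script (for example over SSH from a monitoring host), the table has to be parsed rather than read. The following is an added example for this page, not PAN-OS code: it parses the show vpn flow table, cross-checks the row count against the "total IPSec tunnel shown" line so truncated output is noticed, and reports every tunnel whose state is not active together with the test command from step 3. The sample output is constructed to match the format shown above; the second row, a tunnel in state init with no SA yet, is an assumption made to show the failure case.

```python
"""Parse the 'show vpn flow' table and flag tunnels that are not active.
Added example for this page, not PAN-OS code; the sample output is
constructed to match the format shown above, with an assumed second tunnel
in state 'init' to show the failure case."""
import re
from typing import Dict, List, Optional

SAMPLE_FLOW = """\
total tunnels configured:             2
filter - type IPSec, state any

total IPSec tunnel configured:        2
total IPSec tunnel shown:             2

name                id    state    local-ip     peer-ip        tunnel-i/f
--------------------------------------------------------------------------
vpn-to-siteB        5     active   100.1.1.1    200.1.1.1      tunnel.41
vpn-to-siteC        6     init     100.1.1.1    203.0.113.9    tunnel.42
"""

COLUMNS = ("name", "id", "state", "local_ip", "peer_ip", "tunnel_if")


def parse_vpn_flow(text: str) -> List[Dict[str, str]]:
    """Return one dict per table row; rows start after the dashed rule."""
    rows, in_table = [], False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("----")
            continue
        parts = line.split()
        if len(parts) != len(COLUMNS):   # blank line, prompt, or truncated row
            continue
        rows.append(dict(zip(COLUMNS, parts)))
    return rows


def shown_count(text: str) -> Optional[int]:
    """The number of tunnels the firewall says it printed."""
    m = re.search(r"total IPSec tunnel shown:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def check_tunnels(text: str) -> List[str]:
    """List of problems; empty means every tunnel shown is active."""
    rows = parse_vpn_flow(text)
    problems = []
    shown = shown_count(text)
    if shown is not None and shown != len(rows):
        problems.append(f"firewall reports {shown} tunnels shown but {len(rows)} rows parsed")
    for r in rows:
        if r["state"] != "active":
            problems.append(
                f"{r['name']} ({r['tunnel_if']}, peer {r['peer_ip']}) is {r['state']}: "
                f"run 'test vpn ipsec-sa tunnel {r['name']}' and check the system log")
    return problems


if __name__ == "__main__":
    for p in check_tunnels(SAMPLE_FLOW) or ["all tunnels active"]:
        print(p)
```

Any state other than active is treated as down; the row-count check matters because a paginated or interrupted CLI session silently drops rows, and a tunnel that is missing from the table would otherwise never be reported.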