112158
Created On 08/08/22 19:10 PM - Last Modified 10/30/23 21:43 PM
Objective
To resolve mismatches and/or misconfigurations for an IPSec VPN Tunnel
Environment
- PAN-OS
- Palo Alto Networks firewall configured with IPSec VPN Tunnel
Procedure
- If you see the System Log "<IKEGateway> unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings":
  - Go to Network > IKE Crypto Profile > Encryption and verify the Encryption algorithm for Phase 1 is set to the same as the VPN peer's
  - Go to Network > IKE Crypto Profile > Authentication and verify the Authentication algorithm for Phase 1 is set to the same as the VPN peer's
  - Go to Network > IKE Crypto Profile > DH Group and verify the DH Group for Phase 1 is set to the same as the VPN peer's
- If you see the System Log "received notify type NO_PROPOSAL_CHOSEN" and/or "message lacks IDr payload":
  - Go to Network > IPSec Crypto Profile > Encryption and verify the Encryption algorithm for Phase 2 is set to the same as the VPN peer's
  - Go to Network > IPSec Crypto Profile > Authentication and verify the Authentication algorithm for Phase 2 is set to the same as the VPN peer's
- If you see the System Log "IKEv2 child SA negotiation is failed received KE type %d, expected %d":
  - Go to Network > IPSec Crypto Profile > DH Group and verify the DH Group for Phase 2 is set to the same as the VPN peer's
- If you see the System Log "IKEv2 SA negotiation is failed likely due to pre-shared key mismatch" or "IKE protocol notification message received: received notify type AUTHENTICATION_FAILED":
  - Go to Network > IKE Gateway > edit IKE Gateway > Pre-shared Key and verify the Pre-shared Key is set to exactly the same value as the VPN peer's pre-shared key
- If you see the System Log "IKE protocol notification message received: received notify type TS_UNACCEPTABLE" or "IKEv2 child SA negotiation failed when processing traffic selector. cannot find matching IPSec tunnel for received traffic selector":
  - Go to Network > IPSec Tunnels > edit IPSec Tunnel > Proxy IDs and verify that each Proxy ID entry is an exact mirror (opposite) of the Proxy ID entry on the VPN peer
Note: Proxy IDs are also known as 'Traffic Selectors'
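The procedure above is a lookup from log message to the setting that must match the peer. As an added example (not part of the KB article or of PAN-OS), the Python below encodes that mapping and runs it over constructed sample System Log lines, so a batch of exported log lines can be triaged into distinct findings; the gateway name and log layout in the samples are assumptions.

```python
import re

# Added example, not from the KB article: map the PAN-OS system-log messages
# quoted in the procedure above to the negotiation phase, the likely mismatch
# and the GUI location where the setting must be compared with the VPN peer.
RULES = [  # (regex, phase, likely cause, where to check)
    (re.compile(r"unauthenticated NO_PROPOSAL_CHOSEN received"), "Phase 1",
     "IKE crypto profile mismatch (encryption, authentication or DH group)",
     "Network > IKE Crypto Profile"),
    (re.compile(r"received notify type NO_PROPOSAL_CHOSEN|message lacks IDr payload"),
     "Phase 2", "IPSec crypto profile mismatch (encryption or authentication)",
     "Network > IPSec Crypto Profile"),
    # The KE type numbers are the DH group identifiers the two sides proposed.
    (re.compile(r"received KE type (\d+), expected (\d+)"), "Phase 2",
     "DH group mismatch (peer sent group {0}, local profile expects {1})",
     "Network > IPSec Crypto Profile > DH Group"),
    (re.compile(r"pre-shared key mismatch|received notify type AUTHENTICATION_FAILED"),
     "Phase 1", "Pre-shared key differs from the peer's",
     "Network > IKE Gateway > Pre-shared Key"),
    (re.compile(r"received notify type TS_UNACCEPTABLE|cannot find matching IPSec tunnel"),
     "Phase 2", "Proxy ID (traffic selector) is not an exact mirror of the peer's",
     "Network > IPSec Tunnels > Proxy IDs"),
]

def diagnose(line):
    """Return {phase, cause, check} for one log line, or None if it is not a known IKE failure."""
    for rx, phase, cause, where in RULES:
        m = rx.search(line)
        if m:
            return {"phase": phase, "cause": cause.format(*m.groups()), "check": where}
    return None

def triage(lines):
    """Diagnose every line, keeping one entry per distinct finding in the order first seen."""
    seen, findings = set(), []
    for line in lines:
        d = diagnose(line)
        if d and (d["phase"], d["cause"]) not in seen:
            seen.add((d["phase"], d["cause"]))
            findings.append(d)
    return findings

# Constructed sample lines in the style of the messages quoted above, not real logs.
SAMPLE_LOG = [
    "vpn-branch1 unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings",
    "IKEv2 child SA negotiation is failed received KE type 14, expected 19",
    "IKE protocol notification message received: received notify type TS_UNACCEPTABLE",
    "IKE protocol notification message received: received notify type TS_UNACCEPTABLE",
    "phase-1 negotiation completed",
]
```

Running `triage(SAMPLE_LOG)` yields three findings, one per distinct mismatch, with the repeated TS_UNACCEPTABLE line collapsed and the informational line ignored.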
Additional Information
In most cases, the following quick 4-step process can help you identify, diagnose, and troubleshoot/resolve any IPSec VPN Tunnel issue:
- Navigate to Monitor > System Logs and look for error(s) related to IKE, IPSec, or VPN
- From the CLI, type > less mp-log ikemgr.log and look for specific error(s) related to the failure
- Use CLI show commands and look for the error or misconfiguration
- Navigate to Monitor > Packet Capture, take a pcap filtered by UDP 500 for the two VPN peer IPs, download and open it in Wireshark, and review the UDP 500 packets to see what parameters are being negotiated; identify the mismatch or incorrect configuration from there
Also check HOW TO TROUBLESHOOT IPSEC VPN CONNECTIVITY ISSUES
If your case doesn't match the cases mentioned in this article, refer to Resource List: IPSec Configuring and Troubleshooting or contact our technical support team.
FAQs
How to troubleshoot if an IPsec tunnel is down?
Run the show security ipsec security-associations command and locate the gateway address of the VPN. If the remote gateway is not displayed, then the VPN SA is not active. For more information about SA, see KB10090.
What is the reason for VPN tunnel down?
Common reasons for AWS VPN tunnel inactivity or instability on a customer gateway device include the following: Problems with Internet Protocol Security (IPsec) dead peer detection (DPD) monitoring. Idle timeouts due to low traffic on a VPN tunnel or vendor-specific customer gateway configuration issues.
How to test an IPsec tunnel?
The easiest test for an IPsec tunnel is a ping from one client station behind the firewall to another on the opposite side. If that works, the tunnel is up and working properly.
How do I check my IPsec tunnel status?
To view status information about active IPsec tunnels, use the show ipsec tunnel command. This command prints status output for all IPsec tunnels, and it also supports printing tunnel information individually by providing the tunnel ID.
How do I reset my IPSec tunnel?
- Select Network > IPSec Tunnels and select the tunnel you want to refresh or restart.
- In the row for that tunnel, under the Status column, click Tunnel Info.
- At the bottom of the Tunnel Info screen, click the action you want: Refresh (updates the onscreen statistics) or Restart.
How do I fix VPN tunnel failure?
- Solution 1. Restart the computer.
- Solution 2. Check the Internet connection.
- Solution 3. Connect to a regular server.
- Method 4. Disable the firewall/antivirus software.
- Solution 5. Change the VPN connection method.
- Solution 6. Change the default DNS server.
- Solution 7. Flush the DNS Cache.
- Solution 8.
How do I fix my VPN down?
How to fix VPN connection issues
- Disconnect and reconnect to your Wi-Fi network.
- Restart your router.
- Check your router's ethernet cable to see if it is connected or damaged.
- Contact your internet service provider (ISP) if you still need help restoring your connection.
What blocks all network traffic when VPN tunnel is lost?
That's where a VPN kill switch comes in. If your VPN drops, the kill switch disables all internet traffic and also prevents any data from leaving your device unprotected.
How do you detect a VPN tunnel?
There are plenty of IP address check tools that detail the IP address location. If you know someone to be based in a specific location but the IP address location is different, it's likely they're using a VPN. You can also use IP address checkers to see the ISP.
Review Software and Firmware Versions. Ensure that the VPN devices are running up-to-date firmware or software. Bug fixes in newer versions can resolve many IPSec issues. Check the release notes to identify any resolved issues and new features that could improve your VPN's performance and security.
How do you verify a VPN tunnel?
To verify that your VPN tunnel is working properly, it is necessary to ping the IP address of a computer on the remote network. By pinging the remote network, you send data packets to the remote network and the remote network replies that it has received the data packets.
How do I monitor IPsec?
Monitor Your IPSec VPN Tunnel
How do I keep my IPsec tunnel alive?
There are two methods which can make the firewall attempt to keep a non-mobile IPsec tunnel up and active at all times: automatic ping and periodic check. These options are available in the settings for each IPsec phase 2 entry. See Keep Alive for additional details on these settings.
How do I access IPsec tunnel?
Users can access an IPsec VPN by logging into a VPN application, or "client." This typically requires the user to have installed the application on their device. VPN logins are usually password-based.
What ports does IPsec VPN use?
Ports Used for IPSec
Destination Port | Protocol
---|---
500 | UDP
4500 | UDP
4510 | UDP
4511 | UDP
How to troubleshoot IPsec tunnel in Cisco ASA?
Cisco ASA IPsec VPN troubleshooting commands: VPN up time, crypto, IPsec, vpn-sessiondb, crypto map and AM_ACTIVE
- show vpn-sessiondb detail l2l
- show vpn-sessiondb anyconnect
- show crypto isakmp sa
- show run crypto ikev2
- more system:running-config
- show run crypto map
- show version
How to check IPsec tunnel status in FortiGate CLI?
To verify IPsec VPN tunnels using the CLI:
Confirm that selectors(total,up): 1/1, rx(pkt,err), and tx(pkt,err) are non-zero. The following shows sample output for this command:
'ToSpokes_0' 154.52.29.50:64916 selectors(total,up): 1/1 rx(pkt,err): 2689/0 tx(pkt,err): 1043/0 'ToSpokes_1' 154.52.