How to troubleshoot IPSec VPN Tunnel Down (2024)

• PAN-OS
• Palo Alto Networks firewall configured with IPSec VPN Tunnel

1. If you see the System Log "<IKEGateway> unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings"

1. Go toNetwork > IKE Crypto Profile > Encryptionand verify theEncryptionalgorithm for Phase 1 is set to the same as the VPN peer's

2. Go toNetwork > IKE Crypto Profile > Authenticationand verify the Authenticationalgorithm for Phase 1 is set to the same as the VPN peer's

3. Go toNetwork > IKE Crypto Profile > DH Groupand verify theDH Groupalgorithm for Phase 1 is set to the same as the VPN peer's

2. If you see the System Log "received notify type NO_PROPOSAL_CHOSEN" and/or "message lacks IDr payload"

1. Go toNetwork > IPSec Crypto Profile > Encryptionand verify the Encryptionalgorithm for Phase 2 is set to the same as the VPN peer's

2. Go toNetwork > IPSec Crypto Profile > Authenticationand verify the Authenticationalgorithm for Phase 2 is set to the same as the VPN peer's

3. If you see the System Log "IKEv2 child SA negotiation is failed received KE type %d, expected %d"

1. Go toNetwork > IPSec Crypto Profile > DH Groupand verify the DH Groupalgorithm for Phase 2 is set to the same as the VPN peer's

4. If you see the System Log "IKEv2 SA negotiation is failed likely due to pre-shared key mismatch" or "IKE protocol notification message received: received notify type AUTHENTICATION_FAILED"

1. Go toNetwork > IKE Gateway > edit IKE Gateway > Pre-shared Keyand verify the Pre-shared Keyis set to the exact same as the VPN peer's pre-shared key

5. If you see the System Log "IKE protocol notification message received: received notify type TS_UNACCEPTABLE" or "IKEv2 child SA negotiation failed when processing traffic selector. cannot find matching IPSec tunnel for received traffic selector"

1. Go toNetwork > IPSec Tunnels > edit IPSec Tunnel > Proxy IDsand verify that each Proxy ID entry is an exact mirror (opposite) of the Proxy ID entry on the VPN peer

Note: Proxy IDs are also known as 'Traffic Selectors'

• Navigate to Monitor > System Logs- look for error(s) related to IKE, IPSec, or VPN
• From the CLI, type > less mp-log ikemgr.log - look for specific error(s) related to the failure
• Use CLI show commands- look for the error or misconfiguration
• Navigate toMonitor > Packet Capture- take a pcap filtered by UDP 500 for the two VPN peer IP's, download and open them in Wireshark, and review the UDP 500 packets to see what parameters are being negotiated - identify the mismatch or incorrect configuration from there

Also check HOW TO TROUBLESHOOT IPSEC VPN CONNECTIVITY ISSUES

If your case doesn't match the mentioned cases in this article then refer toResource List:IPSec Configuring and Troubleshootingor contact our technical support team.