IPSec Not connecting between Palo Alto VM300 and RB3011

Hi there,

I am new to this forum so bear with me.
I am attempting to set up an IPSec tunnel between one of our branch offices and our Palo Alto VM300 in Azure.
I have quadruple-checked that all the connection details, phase 1, phase 2, etc. match exactly.
We already have another branch office connecting successfully to the same Palo Alto, so we exported the configuration from that site, and imported it into this new site’s config.
After the import, all details (basic configuration) were updated to reflect the unique site, including IPSec details.
The following has also been added:
• 50 ipsec-esp accepted on the forward chain
• UDP ports 500, 1701, 4500 accepted on the forward chain
• Srcnat accept rule #0 (Before default masquerade) added from the branch net to the remote net
I have also enabled IPsec logging and now get the following message:
Phase 1 negotiation failed due to time up from source port 500 to destination port 500

This currently works in our other office, which has the exact same config.

  1. Why am I not seeing the internal SRCNAT being hit at all?
  2. I have confirmed via netcat that the UDP ports are also allowed on both ends.

See the logs below; IP addresses amended so as not to reflect our public IPs.

11:59:24 ipsec ipsec: 192.168.20.1 request for establishing IPsec-SA was queued due to no phase1 found.
11:59:24 ipsec ipsec: 192.168.20.1 phase2 negotiation failed due to time up waiting for phase1. AH 192.168.20.1[0]->192.168.40.1[0]
11:59:24 ipsec ipsec: delete phase 2 handler.
11:59:27 ipsec,error phase1 negotiation failed due to time up 192.168.40.1[500]<=>192.168.20.1[500] 7d4fd01e64e52f68:0000000000000000
11:59:27 ipsec,error ipsec: phase1 negotiation failed due to time up 192.168.40.1[500]<=>192.168.20.1[500] 7d4fd01e64e52f68:0000000000000000
11:59:27 ipsec,debug ipsec: 344 bytes from 192.168.40.1[500] to 41.160.185.171[500]
11:59:27 ipsec,debug ipsec: 1 times of 344 bytes message will be sent to 41.160.185.171[500]
11:59:27 ipsec,debug,packet ipsec: 1f2530a2 11acee92 00000000 00000000 01100200 00000000 00000158 0d000038
11:59:27 ipsec,debug,packet ipsec: 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c0e10
11:59:27 ipsec,debug,packet ipsec: 80010007 800e0100 80030001 80020002 80040002 0d000014 4a131c81 07035845
11:59:27 ipsec,debug,packet ipsec: 5c5728f2 0e95452f 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014
11:59:27 ipsec,debug,packet ipsec: 439b59f8 ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f
11:59:27 ipsec,debug,packet ipsec: 02ec7285 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e
11:59:27 ipsec,debug,packet ipsec: ed937c65 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56
11:59:27 ipsec,debug,packet ipsec: 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e
11:59:27 ipsec,debug,packet ipsec: 086381b5 ec427b1f 0d000014 16f6ca16 e4a4066d 83821a0f 0aeaa862 0d000014
11:59:27 ipsec,debug,packet ipsec: 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000014 12f5f28c 457168a9 702d9fe2
11:59:27 ipsec,debug,packet ipsec: 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
11:59:37 ipsec,debug ipsec: ===
11:59:37 ipsec,info initiate new phase 1 (Identity Protection): 192.168.40.1[500]<=>192.168.20.1[500]
11:59:37 ipsec,info ipsec: initiate new phase 1 (Identity Protection): 192.168.40.1[500]<=>192.168.20.1[500]
11:59:37 ipsec,debug ipsec: new cookie:
11:59:37 ipsec,debug ipsec: a7a60417e619fbb3\18
11:59:37 ipsec,debug ipsec: add payload of len 48, next type 13
11:59:37 ipsec,debug ipsec: add payload of len 16, next type 13
11:59:37 ipsec,debug ipsec: add payload of len 16, next type 13
11:59:37 ipsec,debug ipsec: add payload of len 16, next type 13
11:59:37 ipsec,debug ipsec: add payload of len 16, next type 13
11:59:37 ipsec,debug ipsec: add payload of len 16, next type 13
11:59:37 ipsec,debug ipsec: add payload of len 16, next type 13
11:59:37 ipsec,debug ipsec: add payload of len 16, next type 13
11:59:37 ipsec,debug ipsec: add payload of len 16, next type 13
11:59:37 ipsec,debug ipsec: add payload of len 16, next type 13
11:59:37 ipsec,debug ipsec: add payload of len 16, next type 13
11:59:37 ipsec,debug ipsec: add payload of len 16, next type 13
11:59:37 ipsec,debug ipsec: add payload of len 16, next type 13
11:59:37 ipsec,debug ipsec: add payload of len 16, next type 0
11:59:37 ipsec,debug ipsec: 340 bytes from 192.168.40.1[500] to 192.168.20.1[500]
11:59:37 ipsec,debug ipsec: 1 times of 340 bytes message will be sent to 192.168.20.1[500]
11:59:37 ipsec,debug,packet ipsec: a7a60417 e619fbb3 00000000 00000000 01100200 00000000 00000154 0d000034
11:59:37 ipsec,debug,packet ipsec: 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c0e10
11:59:37 ipsec,debug,packet ipsec: 80010005 80030001 80020002 80040002 0d000014 4a131c81 07035845 5c5728f2
11:59:37 ipsec,debug,packet ipsec: 0e95452f 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014 439b59f8
11:59:37 ipsec,debug,packet ipsec: ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f 02ec7285
11:59:37 ipsec,debug,packet ipsec: 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e ed937c65
11:59:37 ipsec,debug,packet ipsec: 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56 0d000014
11:59:37 ipsec,debug,packet ipsec: cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5
11:59:37 ipsec,debug,packet ipsec: ec427b1f 0d000014 16f6ca16 e4a4066d 83821a0f 0aeaa862 0d000014 4485152d
11:59:37 ipsec,debug,packet ipsec: 18b6bbcd 0be8a846 9579ddcc 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100
11:59:37 ipsec,debug,packet ipsec: 00000014 afcad713 68a1f1c9 6b8696fc 77570100
11:59:37 ipsec ipsec: sent phase1 packet 192.168.40.1[500]<=>192.168.20.1[500] a7a60417e619fbb3:0000000000000000
11:59:37 ipsec,debug ipsec: 1 times of 344 bytes message will be sent to 41.160.185.171[500]
11:59:37 ipsec,debug,packet ipsec: 1f2530a2 11acee92 00000000 00000000 01100200 00000000 00000158 0d000038
11:59:37 ipsec,debug,packet ipsec: 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c0e10
11:59:37 ipsec,debug,packet ipsec: 80010007 800e0100 80030001 80020002 80040002 0d000014 4a131c81 07035845
11:59:37 ipsec,debug,packet ipsec: 5c5728f2 0e95452f 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014
11:59:37 ipsec,debug,packet ipsec: 439b59f8 ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f
11:59:37 ipsec,debug,packet ipsec: 02ec7285 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e
11:59:37 ipsec,debug,packet ipsec: ed937c65 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56
11:59:37 ipsec,debug,packet ipsec: 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e
11:59:37 ipsec,debug,packet ipsec: 086381b5 ec427b1f 0d000014 16f6ca16 e4a4066d 83821a0f 0aeaa862 0d000014
11:59:37 ipsec,debug,packet ipsec: 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000014 12f5f28c 457168a9 702d9fe2
11:59:37 ipsec,debug,packet ipsec: 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100

Update: I also see that PH2 is sitting in "ready to send", but not connecting.
A colleague and I have sat on this issue since Tuesday and I'm frankly pulling my hair out; this should be working.

If I'm interpreting the log correctly, it looks like you may have a private IP address (344 bytes from 192.168.40.1[500] to 41.160.185.171[500]) defined as the peer address on that router. 192.168.40.1 should not be trying to connect to 41.160.185.171; 192.168.40.1 should be a public IP.

Hi there

Excuse me, typo.
Thank you for the response.

That was a typo on my end from copying and pasting the log output from the console into Notepad++ to obfuscate it.
Well, obviously that failed.

I did schedule a reboot of the device, and also rolled back to the long-term (LT) firmware, v6.45.9.
Now the tunnel sits in a "ready to send" PH2 state.

The new logs I am getting, though, are as follows:

19:42:33 ipsec ipsec: resent phase1 packet a.a.a.a[500]<=>b.b.b.b[500] 9f1776b6c4497868:0000000000000000
19:42:38 ipsec,debug,packet ipsec: 1adb8950 bd06ce34 00000000 00000000 01100200 00000000 00000180 0d000060
19:42:38 ipsec,debug,packet ipsec: 00000001 00000001 00000054 01010002 03000028 01010000 800b0001 000c0004
19:42:38 ipsec,debug,packet ipsec: 00015180 80010007 800e0080 80030001 80020002 80040002 00000024 02010000
19:42:38 ipsec,debug,packet ipsec: 800b0001 000c0004 00015180 80010005 80030001 80020002 80040002 0d000014
19:42:38 ipsec,debug,packet ipsec: 4a131c81 07035845 5c5728f2 0e95452f 0d000014 8f8d8382 6d246b6f c7a8a6a4
19:42:38 ipsec,debug,packet ipsec: 28c11de8 0d000014 439b59f8 ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13
19:42:38 ipsec,debug,packet ipsec: 6deafa34 c4f3ea9f 02ec7285 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee
19:42:38 ipsec,debug,packet ipsec: 0d000014 9909b64e ed937c65 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f
19:42:38 ipsec,debug,packet ipsec: 2c179d92 15529d56 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014
19:42:38 ipsec,debug,packet ipsec: 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 16f6ca16 e4a4066d 83821a0f
19:42:38 ipsec,debug,packet ipsec: 0aeaa862 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000014 12f5f28c
19:42:38 ipsec,debug,packet ipsec: 457168a9 702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
19:42:43 ipsec,debug ipsec: 344 bytes from a.a.a.a[500] to b.b.b.b[500]
19:42:43 ipsec,debug ipsec: 1 times of 344 bytes message will be sent to b.b.b.b[500]
19:42:43 ipsec,debug,packet ipsec: 9f1776b6 c4497868 00000000 00000000 01100200 00000000 00000158 0d000038
19:42:43 ipsec,debug,packet ipsec: 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c0e10
19:42:43 ipsec,debug,packet ipsec: 80010007 800e0100 80030001 80020002 80040002 0d000014 4a131c81 07035845
19:42:43 ipsec,debug,packet ipsec: 5c5728f2 0e95452f 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014
19:42:43 ipsec,debug,packet ipsec: 439b59f8 ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f
19:42:43 ipsec,debug,packet ipsec: 02ec7285 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e
19:42:43 ipsec,debug,packet ipsec: ed937c65 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56
19:42:43 ipsec,debug,packet ipsec: 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e
19:42:43 ipsec,debug,packet ipsec: 086381b5 ec427b1f 0d000014 16f6ca16 e4a4066d 83821a0f 0aeaa862 0d000014
19:42:43 ipsec,debug,packet ipsec: 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000014 12f5f28c 457168a9 702d9fe2
19:42:43 ipsec,debug,packet ipsec: 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
19:42:43 ipsec ipsec: resent phase1 packet a.a.a.a[500]<=>b.b.b.b[500] 9f1776b6c4497868:0000000000000000
19:42:52 ipsec,debug,packet ipsec: 1adb8950 bd06ce34 00000000 00000000 01100200 00000000 00000180 0d000060
19:42:52 ipsec,debug,packet ipsec: 00000001 00000001 00000054 01010002 03000028 01010000 800b0001 000c0004
19:42:52 ipsec,debug,packet ipsec: 00015180 80010007 800e0080 80030001 80020002 80040002 00000024 02010000
19:42:52 ipsec,debug,packet ipsec: 800b0001 000c0004 00015180 80010005 80030001 80020002 80040002 0d000014
19:42:52 ipsec,debug,packet ipsec: 4a131c81 07035845 5c5728f2 0e95452f 0d000014 8f8d8382 6d246b6f c7a8a6a4
19:42:52 ipsec,debug,packet ipsec: 28c11de8 0d000014 439b59f8 ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13
19:42:52 ipsec,debug,packet ipsec: 6deafa34 c4f3ea9f 02ec7285 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee
19:42:52 ipsec,debug,packet ipsec: 0d000014 9909b64e ed937c65 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f
19:42:52 ipsec,debug,packet ipsec: 2c179d92 15529d56 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014
19:42:52 ipsec,debug,packet ipsec: 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 16f6ca16 e4a4066d 83821a0f
19:42:52 ipsec,debug,packet ipsec: 0aeaa862 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000014 12f5f28c
19:42:52 ipsec,debug,packet ipsec: 457168a9 702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
19:42:52 ipsec ipsec: no IKEv1 peer config for 197.185.99.45
19:42:53 ipsec,error phase1 negotiation failed due to time up a.a.a.a[500]<=>b.b.b.b[500] 9f1776b6c4497868:0000000000000000
19:42:53 ipsec,error ipsec: phase1 negotiation failed due to time up a.a.a.a[500]<=>b.b.b.b[500] 9f1776b6c4497868:0000000000000000
19:42:57 ipsec ipsec: b.b.b.b phase2 negotiation failed due to time up waiting for phase1. AH b.b.b.b[0]->a.a.a.a[0]
19:42:57 ipsec ipsec: delete phase 2 handler.
19:42:57 ipsec ipsec: acquire for policy: c.c.c.c/24 <=> d.d.d.d/16
19:42:57 ipsec ipsec: policy group mismatch, ignoring.
19:43:03 ipsec,debug ipsec: ===
19:43:03 ipsec,info initiate new phase 1 (Identity Protection): a.a.a.a[500]<=>b.b.b.b[500]
19:43:03 ipsec,info ipsec: initiate new phase 1 (Identity Protection): a.a.a.a[500]<=>b.b.b.b[500]
19:43:03 ipsec,debug ipsec: new cookie:
19:43:03 ipsec,debug ipsec: def3b33daaec9bf4\01
19:43:03 ipsec,debug ipsec: add payload of len 52, next type 13
19:43:03 ipsec,debug ipsec: add payload of len 16, next type 13
19:43:03 ipsec,debug ipsec: add payload of len 16, next type 13
19:43:03 ipsec,debug ipsec: add payload of len 16, next type 13
19:43:03 ipsec,debug ipsec: add payload of len 16, next type 13
19:43:03 ipsec,debug ipsec: add payload of len 16, next type 13
19:43:03 ipsec,debug ipsec: add payload of len 16, next type 13
19:43:03 ipsec,debug ipsec: add payload of len 16, next type 13
19:43:03 ipsec,debug ipsec: add payload of len 16, next type 13
19:43:03 ipsec,debug ipsec: add payload of len 16, next type 13
19:43:03 ipsec,debug ipsec: add payload of len 16, next type 13
19:43:03 ipsec,debug ipsec: add payload of len 16, next type 13
19:43:03 ipsec,debug ipsec: add payload of len 16, next type 13
19:43:03 ipsec,debug ipsec: add payload of len 16, next type 0
19:43:03 ipsec,debug ipsec: 344 bytes from a.a.a.a[500] to b.b.b.b[500]
19:43:03 ipsec,debug ipsec: 1 times of 344 bytes message will be sent to b.b.b.b[500]
19:43:03 ipsec,debug,packet ipsec: def3b33d aaec9bf4 00000000 00000000 01100200 00000000 00000158 0d000038
19:43:03 ipsec,debug,packet ipsec: 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c0e10
19:43:03 ipsec,debug,packet ipsec: 80010007 800e0100 80030001 80020002 80040002 0d000014 4a131c81 07035845
19:43:03 ipsec,debug,packet ipsec: 5c5728f2 0e95452f 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014
19:43:03 ipsec,debug,packet ipsec: 439b59f8 ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f
19:43:03 ipsec,debug,packet ipsec: 02ec7285 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e
19:43:03 ipsec,debug,packet ipsec: ed937c65 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56
19:43:03 ipsec,debug,packet ipsec: 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e
19:43:03 ipsec,debug,packet ipsec: 086381b5 ec427b1f 0d000014 16f6ca16 e4a4066d 83821a0f 0aeaa862 0d000014
19:43:03 ipsec,debug,packet ipsec: 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000014 12f5f28c 457168a9 702d9fe2
19:43:03 ipsec,debug,packet ipsec: 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
19:43:03 ipsec ipsec: sent phase1 packet a.a.a.a[500]<=>b.b.b.b[500] def3b33daaec9bf4:0000000000000000

From that log, either b.b.b.b never receives the IKE packet, or b.b.b.b receives it and never replies to a.a.a.a.

19:42:57 ipsec ipsec: acquire for policy: c.c.c.c/24 <=> d.d.d.d/16
19:42:57 ipsec ipsec: policy group mismatch, ignoring.

If the above 2 lines are related to these 2 peers, it probably indicates that either a.a.a.a or b.b.b.b does not have matching policies configured.

Can you get the logs from the Palo? Which version of PAN-OS is on the Palo? Palo IPSec VPNs can be quirky to configure, in my experience.
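An added example, not code from the original posts, from RouterOS or from Palo Alto: a small Python decoder for the ISAKMP header and SA payload of the `ipsec,debug,packet` dumps in the second log excerpt, so the phase 1 proposal actually on the wire can be compared with what each side is believed to be configured with. Attribute numbers follow RFC 2409 Appendix A; only IKEv1 Main Mode message 1 (header, SA payload, vendor-ID count) is decoded. Run on the 344-byte packet the router reports sending to b.b.b.b (cookie 9f1776b6c4497868) it yields: Identity Protection exchange, responder cookie all zeros (a first message that never got an answer), one transform of AES-CBC-256 / SHA1 / pre-shared key / modp1024 with a 3600-second lifetime, and 13 vendor-ID payloads. Run on the 384-byte dump with cookie 1adb8950bd06ce34, which the log prints without a "sent" line and just before "no IKEv1 peer config for 197.185.99.45", it yields two transforms, AES-CBC-128 and 3DES-CBC, both SHA1 / pre-shared key / modp1024 with an 86400-second lifetime, and the same 13 vendor IDs. The two hex dumps are copied from the post above; everything else is my own.

```python
"""
Decoder for the IKEv1 Main Mode message 1 dumps that RouterOS prints under the
ipsec,debug,packet topic. Added example, not RouterOS or Palo Alto code.
Attribute numbers follow RFC 2409 Appendix A; only the header, the SA payload
and the number of vendor-ID payloads are decoded.
"""
import struct

ENC = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
HASH = {1: "MD5", 2: "SHA1", 4: "SHA2-256", 5: "SHA2-384", 6: "SHA2-512"}
AUTH = {1: "pre-shared-key", 3: "rsa-signature"}
GROUP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
LIFE_TYPE = {1: "seconds", 2: "kilobytes"}
EXCHANGE = {2: "Identity Protection (Main Mode)", 4: "Aggressive"}

# Sample input copied from the 19:42:43 dump in the thread: the 344-byte packet
# the router reports sending to b.b.b.b (initiator cookie 9f1776b6c4497868).
SENT_TO_B_344 = """
9f1776b6 c4497868 00000000 00000000 01100200 00000000 00000158 0d000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c0e10
80010007 800e0100 80030001 80020002 80040002 0d000014 4a131c81 07035845
5c5728f2 0e95452f 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014
439b59f8 ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f
02ec7285 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e
ed937c65 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56
0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e
086381b5 ec427b1f 0d000014 16f6ca16 e4a4066d 83821a0f 0aeaa862 0d000014
4485152d 18b6bbcd 0be8a846 9579ddcc 0d000014 12f5f28c 457168a9 702d9fe2
74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
"""

# Sample input copied from the 19:42:38 dump in the thread: the 384-byte packet
# with cookie 1adb8950bd06ce34 that appears without a "sent phase1 packet" line.
OTHER_DUMP_384 = """
1adb8950 bd06ce34 00000000 00000000 01100200 00000000 00000180 0d000060
00000001 00000001 00000054 01010002 03000028 01010000 800b0001 000c0004
00015180 80010007 800e0080 80030001 80020002 80040002 00000024 02010000
800b0001 000c0004 00015180 80010005 80030001 80020002 80040002 0d000014
4a131c81 07035845 5c5728f2 0e95452f 0d000014 8f8d8382 6d246b6f c7a8a6a4
28c11de8 0d000014 439b59f8 ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13
6deafa34 c4f3ea9f 02ec7285 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee
0d000014 9909b64e ed937c65 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f
2c179d92 15529d56 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014
90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 16f6ca16 e4a4066d 83821a0f
0aeaa862 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000014 12f5f28c
457168a9 702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
"""


def parse_dump(dump):
    """Join the 32-bit words of a RouterOS packet dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_attributes(data):
    """Decode ISAKMP transform attributes: TV form when the high bit is set, else TLV."""
    attrs, pos = {}, 0
    while pos + 4 <= len(data):
        type_field, arg = struct.unpack_from("!HH", data, pos)
        pos += 4
        if type_field & 0x8000:  # TV: the 2-byte value is in place
            attrs[type_field & 0x7FFF] = arg
        else:  # TLV: arg is the length of the value that follows
            attrs[type_field] = int.from_bytes(data[pos:pos + arg], "big")
            pos += arg
    return attrs


def describe_transform(attrs):
    """Map phase 1 attribute numbers (RFC 2409 App. A) to readable names."""
    enc = ENC.get(attrs.get(1), "enc#%s" % attrs.get(1))
    if 14 in attrs:  # Key Length attribute, only sent for variable-length ciphers
        enc += "-%d" % attrs[14]
    return {
        "encryption": enc,
        "hash": HASH.get(attrs.get(2), "hash#%s" % attrs.get(2)),
        "auth": AUTH.get(attrs.get(3), "auth#%s" % attrs.get(3)),
        "dh_group": GROUP.get(attrs.get(4), "group#%s" % attrs.get(4)),
        "lifetime": "%d %s" % (attrs.get(12, 0), LIFE_TYPE.get(attrs.get(11), "?")),
    }


def decode_phase1_msg1(pkt):
    """Walk the ISAKMP header and payload chain of an IKEv1 Main Mode message 1."""
    icookie, rcookie, np, ver, exch, _flags, _msgid, length = struct.unpack_from("!8s8sBBBBII", pkt, 0)
    if length != len(pkt):
        raise ValueError("header says %d bytes, dump has %d" % (length, len(pkt)))
    info = {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
            "version": "%d.%d" % (ver >> 4, ver & 0xF),
            "exchange": EXCHANGE.get(exch, "exchange#%d" % exch),
            "vendor_ids": 0, "transforms": []}
    pos = 28
    while np != 0 and pos < len(pkt):
        next_np, _, plen = struct.unpack_from("!BBH", pkt, pos)
        if np == 1:  # Security Association payload: generic header, DOI, situation, proposal
            ppos = pos + 12
            _, _, _, _, _proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", pkt, ppos)
            tpos = ppos + 8 + spi_size
            for _ in range(ntrans):
                _, _, t_len, _, _ = struct.unpack_from("!BBHBB", pkt, tpos)
                info["transforms"].append(describe_transform(parse_attributes(pkt[tpos + 8:tpos + t_len])))
                tpos += t_len
        elif np == 13:  # Vendor ID payload
            info["vendor_ids"] += 1
        np, pos = next_np, pos + plen
    return info


if __name__ == "__main__":
    for name, dump in (("sent to b.b.b.b", SENT_TO_B_344), ("cookie 1adb8950...", OTHER_DUMP_384)):
        info = decode_phase1_msg1(parse_dump(dump))
        print(name, "|", info["exchange"], "| responder cookie", info["responder_cookie"])
        for t in info["transforms"]:
            print("   ", t)
```

Which peer the second proposal belongs to cannot be settled from the excerpt alone, but the decoded output gives a concrete thing to check on both ends: the lifetime (3600 s versus 86400 s), the cipher and key length, and the DH group in each transform, compared against the peer entry on the RouterOS side and the IKE crypto profile on the Palo Alto. Message 1 is unencrypted and carries no key material, so these dumps are safe to share; the pre-shared key never appears in them.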