IKE Phase-2 Negotiation is Failed as Initiator, Quick Mode

IPSec VPN Error: IKE Phase-2 Negotiation is Failed as Initiator, Quick Mode

Issue

A site-to-site IPSec VPN is configured between a Palo Alto Networks firewall and a firewall from a different vendor. Phase 1 succeeds, but Phase 2 negotiation fails. Looking at ikemgr.log with the command

> tail follow yes mp-log ikemgr.log

shows the following errors:

( description contains 'IKE protocol notification message received: INVALID-ID-INFORMATION (18).' )

and

IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: 216.204.241.93[500]-216.203.80.108[500] message id:0x43D098BB. Due to negotiation timeout

Resolution

The most common cause of a phase-2 failure is a Proxy ID mismatch.

  1. Check the Proxy ID settings on the Palo Alto Networks firewall and the firewall on the other side.
    Note: Proxy ID for other firewall vendors may be referred to as the Access List or Access Control List (ACL).
  2. Also, check the IPSec crypto to ensure that the proposals match on both sides.
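The two checks above can be done mechanically once the Proxy IDs and crypto proposals of both peers are written down. The following script is an added example, not part of this article or of any Palo Alto Networks tool; the subnets and proposal names in it are constructed. It tests what the responder tests when it sends INVALID-ID-INFORMATION: that each Proxy ID on one side has an exact mirror image (local/remote swapped, same protocol) on the other, and that at least one ESP proposal is common to both sides.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# A Proxy ID (traffic selector) as configured on one peer. On other vendors
# this is the crypto ACL. The responder rejects Phase 2 with
# INVALID-ID-INFORMATION when the initiator's IDs match none of its own.
@dataclass(frozen=True)
class ProxyId:
    local: str           # subnet behind this peer
    remote: str          # subnet behind the other peer
    protocol: str = "any"

def _net(cidr):
    return ip_network(cidr, strict=False)  # tolerate host bits such as 10.1.0.1/24

def mirror_problems(a, b):
    """Problems that stop Proxy ID a (peer A) from matching b (peer B).
    An empty list means b is the exact mirror image of a."""
    problems = []
    if _net(a.local) != _net(b.remote):
        problems.append(f"A local {a.local} != B remote {b.remote}")
    if _net(a.remote) != _net(b.local):
        problems.append(f"A remote {a.remote} != B local {b.local}")
    if a.protocol.lower() != b.protocol.lower():
        problems.append(f"protocol {a.protocol} != {b.protocol}")
    return problems

def check_phase2(a_ids, b_ids, a_proposals, b_proposals):
    """Return a list of findings; an empty list means Phase 2 should negotiate."""
    findings = []
    for pid in a_ids:
        if not any(not mirror_problems(pid, other) for other in b_ids):
            findings.append(f"peer B has no mirror of Proxy ID {pid.local} -> {pid.remote}")
    for pid in b_ids:
        if not any(not mirror_problems(other, pid) for other in a_ids):
            findings.append(f"peer A has no mirror of Proxy ID {pid.local} -> {pid.remote}")
    if not set(a_proposals) & set(b_proposals):
        findings.append("no common IPSec crypto proposal (encryption, auth, DH group)")
    return findings

# Constructed sample: the peer mirrors the subnet with a wider mask (/16 vs /24)
# and offers only a proposal the Palo Alto side does not list.
PAN_IDS = [ProxyId("10.1.0.0/24", "192.168.5.0/24")]
PEER_IDS = [ProxyId("192.168.5.0/24", "10.1.0.0/16")]
PAN_PROPOSALS = [("aes-256-cbc", "sha256", "group14")]
PEER_PROPOSALS = [("aes-128-cbc", "sha1", "group2")]

if __name__ == "__main__":
    for finding in check_phase2(PAN_IDS, PEER_IDS, PAN_PROPOSALS, PEER_PROPOSALS):
        print("MISMATCH:", finding)
```

A mask that differs by even one bit, or a protocol of "any" on one side and "tcp" on the other, is reported as a mismatch, which is exactly the kind of discrepancy that is easy to overlook when comparing two vendors' GUIs by eye.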

https://live.paloaltonetworks.com/docs/DOC-4637