====== VPN Syslog Messages ======

===== Critical =====
<code>( subtype eq vpn ) and ( severity eq critical ) and ( eventid eq tunnel-status-up ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'Tunnel IPSEC_TUN_NAME is down' )</code>
<code>( subtype eq vpn ) and ( severity eq critical ) and ( eventid eq tunnel-status-down ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'Tunnel IPSEC_TUN_NAME is down' )</code>
<code>( subtype eq vpn ) and ( severity eq critical ) and ( eventid eq ike-nego-p1-fail-common ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE phase-1 negotiation is failed. Peer\'s ID payload 192.168.1.1 (type ipaddr) does not match a configured IKE gateway.' )</code>
IKE Crypto does not match.
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-nego-p1-fail-common ) and ( object eq ike-gw-to-primary ) and ( description contains 'IKE phase-1 negotiation is failed. no suitable proposal found in peer\'s SA payload.' )</code>

===== Low =====

<code>( subtype eq vpn ) and ( severity eq low ) and ( eventid eq ike-nego-p1-dpd-dn ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE phase-1 SA is down determined by DPD.' )</code>

===== Informational =====

<code>( subtype eq vpn ) and ( severity eq informational ) and ( description contains 'KEYMGR sync all IPSec SA to Flow started.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-config-p1-success ) and ( description contains 'IKE daemon configuration load phase-1 succeeded.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-config-p1-abort ) and ( description contains 'IKE daemon configuration load phase-1 aborted.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-config-p2-success ) and ( description contains 'IKE daemon configuration load phase-2 succeeded.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-generic-event ) and ( description contains 'ignore the packet, expecting the packet encrypted.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-generic-event ) and ( description contains 'few isakmp message received.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-generic-event ) and ( description contains 'no proposal chosen.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-generic-event ) and ( description contains 'unknown ikev2 peer' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-recv-notify ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE protocol notification message received: INVALID-SPI (11).' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-recv-notify ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE protocol notification message received: INITIAL-CONTACT (24578).' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-nego-p1-start ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE phase-1 negotiation is started as responder, main mode. Initiated SA: 192.168.1.1[500]-11.22.33.44[500] cookie:da9d6ef6d29fc158:ee3c8c80d04eb5da.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-nego-p1-succ ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE phase-1 negotiation is succeeded as responder, main mode. Established SA: 192.168.1.1[500]-11.22.33.44[500] cookie:da9d6ef6d29fc158:ee3c8c80d04eb5da lifetime 28800 Sec.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-nego-p1-expire ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE phase-1 SA is expired SA: 192.168.1.1[500]-11.22.33.44[500] cookie:bc2888b0a72f89a0:c114fe089bf2d37d.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-nego-p1-delete ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE phase-1 SA is deleted SA: 192.168.1.1[500]-11.22.33.44[500] cookie:bc2888b0a72f89a0:c114fe089bf2d37d.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-nego-p1-fail ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: 192.168.1.1[500]-11.22.33.44[500] cookie:28bd6af9813b58d8:0000000000000000. Due to timeout.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-nego-p1-fail-common ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE phase-1 negotiation is failed. IKE phase-1 request from gateway IKE_GW_NAME is rejected: aggr mode is not allowed by configuration.' )</code>

Someone tried to connect, but we could not find a gateway with their IP.
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-nego-p1-fail-common ) and ( object eq IKE_GW_NAME ) and ( object eq '11.22.33.44[500]' ) and ( description contains 'IKE phase-1 negotiation is failed. Couldn\'t find configuration for IKE phase-1 request for peer IP 11.22.33.44[500].' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-send-notify ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE protocol notification message sent: NO-PROPOSAL-CHOSEN (14).' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-send-p1-delete ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE protocol phase-1 SA delete message sent to peer. cookie:bc2888b0a72f89a0:c114fe089bf2d37d.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-recv-p1-delete ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE protocol phase-1 SA delete message received from peer. cookie:823406e89cc4a53d:a02bb471dd4a9531.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-nego-p2-stale-p1 ) and ( object eq IKE_GW_NAME ) and ( description contains 'Deleting a possible stale phase-1 SA. cookie:ddde6812320597bc:1080390072deae5a.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-nego-p2-start ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: 192.168.1.1[500]-11.22.33.44[500] message id:0xC9732D7B.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-nego-p2-succ ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: 192.168.1.1[500]-11.22.33.44[500] message id:0xC9732D7B, SPI:0xF05AF6FF/0x926E4E25.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-nego-p2-simul-fail ) and ( object eq IKE_GW_NAME ) and ( description contains 'simultaneous phase-2 rekey request detected, peer is PANOS. Previous request removed. (isakmp message-id 0x00000000).' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-nego-p2-fail ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: 172.23.13.69[500]-35.160.196.102[500] message id:0xF0E508BD. Due to negotiation timeout.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-nego-p2-simul-cont ) and ( object eq '11.22.33.44[500]' ) and ( description contains 'simultaneous phase-2 rekey request detected, peer is PANOS. Ignore this new request. (isakmp message-id 0x1B58A60E).' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-nego-p2-proxy-id-bad ) and ( object eq ike-gw-partner-loro-t1 ) and ( description contains 'IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: 172.20.11.0/24 type IPv4_subnet protocol 0 port 0, received remote id: 169.254.201.96/30 type IPv4_subnet protocol 0 port 0.' )</code>

This means that the IPsec crypto does not match.
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ikev2-nego-child-proposal-bad ) and ( object eq ike-gw-to-primary ) and ( description contains 'IKEv2 child SA negotiation failed when processing SA payload. no suitable proposal found in peer\'s SA payload.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ikev2-nego-child-start ) and ( object eq ike-gw-to-primary ) and ( description contains 'IKEv2 child SA negotiation is started as responder, non-rekey. Initiated SA: 10.1.1.12[500]-10.1.1.11[500] message id:0x00000001.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ikev2-nego-ike-fail ) and ( object eq ike-gw-to-primary ) and ( description contains 'IKEv2 IKE SA negotiation is failed as responder, non-rekey. Failed SA: 10.1.1.12[500]-10.1.1.11[500] SPI:e076d3e7b7539fb6:d8ca8e604c94f68e.' )</code>

This means that the IKE Crypto does not match.
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-generic-event ) and ( description contains 'no proposal chosen.' )</code>

This means that the IPsec crypto does not match.
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-nego-p2-proposal-bad ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'IKE phase-2 negotiation failed when processing SA payload. no suitable proposal found in peer\'s SA payload.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-send-p2-delete ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'IKE protocol IPSec SA delete message sent to peer. SPI:0xCFCBA3AF.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ike-recv-p2-delete ) and ( object eq IKE_GW_NAME ) and ( description contains 'IKE protocol IPSec SA delete message received from peer. SPI:0x3EE477E4.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ipsec-key-install ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'IPSec key installed. Installed SA: 192.168.1.1[500]-11.22.33.44[500] SPI:0xF05AF6FF/0x926E4E25 lifetime 3600 Sec lifesize unlimited.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ipsec-key-expire ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'IPSec key lifetime expired. Expired SA: 192.168.1.1[500]-11.22.33.44[500] SPI:0xCFCBA3AF/0x3EE477E4.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq ipsec-key-delete ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'IPSec key deleted. Deleted SA: 192.168.1.1[500]-11.22.33.44[500] SPI:0xCFCBA3AF/0x3EE477E4.' )</code>
<code>( subtype eq vpn ) and ( severity eq informational ) and ( eventid eq tunnel-status-up ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'Tunnel IPSEC_TUN_NAME is up' )</code>
