
Palo Alto IPsec VPN Tunnel Down: How to Troubleshoot It

A Palo Alto site-to-site tunnel that won't come up fails in IKE (Phase 1) or IPsec (Phase 2) — and on PAN-OS the most common Phase 2 trap is a proxy-ID mismatch. Here's how to pinpoint it.

Step 1 — Check the SA state

show vpn ike-sa gateway <gateway-name>
show vpn ipsec-sa tunnel <tunnel-name>
show vpn flow

If there's no IKE SA, Phase 1 is failing. If the IKE SA is up but there's no IPsec SA, the problem is Phase 2. You can actively trigger negotiation and watch it fail:

test vpn ike-sa gateway <gateway-name>
test vpn ipsec-sa tunnel <tunnel-name>

Step 2 — Phase 1 (IKE) down

  • Reachability: can the firewall reach the peer's public IP? Confirm the route and that UDP 500/4500 aren't blocked.
  • Pre-shared key / crypto profile: the IKE crypto profile (DH group, encryption, hash, lifetime) and PSK must match the peer exactly.
  • IKE version & mode: both ends must agree on IKEv1/IKEv2 and main/aggressive mode, and on the peer/local identification.

Read the live negotiation in the IKE log:

tail follow yes mp-log ikemgr.log

Step 3 — Phase 2 (IPsec) won't establish

On PAN-OS, Phase 2 selectors are configured as Proxy IDs. The single most common Palo Alto tunnel failure is a proxy-ID mismatch:

  • Proxy IDs: your local/remote proxy-ID subnets must mirror the peer (your local = their remote). Policy-based peers (and many cloud VPNs) require explicit proxy-IDs — without them Phase 2 fails.
  • IPsec crypto profile: encryption, authentication, DH group/PFS and lifetime must match on both sides.
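The two Phase 2 checks above (proxy IDs that mirror the peer, and a crypto profile that overlaps the peer's) can be done offline before touching either firewall. The script below is an added example, not Palo Alto code and not the PAN-OS configuration schema: the ProxyID and IPsecCryptoProfile classes, the helper names and the sample subnets and algorithm names are all assumptions constructed for illustration. It normalises each selector, swaps local/remote to compute what the peer must hold, reports selectors with no mirrored counterpart on either side (including the common case where the peer summarised a subnet), and intersects the two crypto profiles parameter by parameter.

```python
"""Offline Phase 2 sanity check: proxy-ID mirroring and crypto-profile overlap.

Added example; not Palo Alto code. The data model below is a hypothetical
simplification of a PAN-OS proxy ID and IPsec crypto profile.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ProxyID:
    """One Phase 2 selector as configured on ONE side (hypothetical model)."""
    local: str              # local subnet, e.g. "10.1.0.0/24"
    remote: str             # remote subnet as seen from this side
    protocol: str = "any"   # "any", "tcp", "udp" or an IP protocol number
    local_port: int = 0     # 0 means any port
    remote_port: int = 0

    def key(self):
        """Canonical form so "10.1.0.5/24" and "10.1.0.0/24" compare equal."""
        return (ip_network(self.local, strict=False),
                ip_network(self.remote, strict=False),
                self.protocol.lower(), self.local_port, self.remote_port)

    def mirrored(self) -> "ProxyID":
        """The selector the PEER must hold for ours to match: local/remote swap."""
        return ProxyID(self.remote, self.local, self.protocol,
                       self.remote_port, self.local_port)


def proxy_id_mismatches(ours: Iterable[ProxyID],
                        peer: Iterable[ProxyID]) -> Dict[str, List[ProxyID]]:
    """Return our selectors with no mirror on the peer, and peer selectors we don't mirror."""
    ours, peer = list(ours), list(peer)
    peer_keys = {p.key() for p in peer}
    our_mirrored_keys = {o.mirrored().key() for o in ours}
    return {
        "missing_on_peer": [o for o in ours if o.mirrored().key() not in peer_keys],
        "missing_locally": [p for p in peer if p.key() not in our_mirrored_keys],
    }


@dataclass(frozen=True)
class IPsecCryptoProfile:
    """Hypothetical model of an IPsec crypto profile: sets of offered options."""
    encryption: frozenset
    authentication: frozenset
    dh_group: frozenset        # PFS groups; empty set means PFS disabled
    lifetime_seconds: int


def crypto_profile_overlap(ours: IPsecCryptoProfile,
                           peer: IPsecCryptoProfile) -> Dict[str, object]:
    """Intersect both profiles and name every parameter with nothing in common."""
    common = {
        "encryption": ours.encryption & peer.encryption,
        "authentication": ours.authentication & peer.authentication,
        "dh_group": ours.dh_group & peer.dh_group,
    }
    problems = [name for name in ("encryption", "authentication") if not common[name]]
    # PFS off on both sides is consistent; PFS on one side only, or no shared group, is not.
    pfs_both_off = not ours.dh_group and not peer.dh_group
    if not common["dh_group"] and not pfs_both_off:
        problems.append("dh_group")
    # The page asks for aligned lifetimes so rekeys succeed; flag a difference.
    if ours.lifetime_seconds != peer.lifetime_seconds:
        problems.append("lifetime")
    return {"ok": not problems, "problems": problems, "common": common}


# Constructed sample: the peer summarised our second subnet to 10.0.0.0/8
# and offers a different PFS group. Not taken from any real deployment.
OUR_PROXY_IDS = [ProxyID("10.1.0.0/24", "192.168.50.0/24"),
                 ProxyID("10.2.0.0/24", "192.168.50.0/24")]
PEER_PROXY_IDS = [ProxyID("192.168.50.0/24", "10.1.0.0/24"),
                  ProxyID("192.168.50.0/24", "10.0.0.0/8")]
OUR_PROFILE = IPsecCryptoProfile(frozenset({"aes-256-cbc", "aes-256-gcm"}),
                                 frozenset({"sha256"}), frozenset({"group14"}), 3600)
PEER_PROFILE = IPsecCryptoProfile(frozenset({"aes-256-cbc"}),
                                  frozenset({"sha256"}), frozenset({"group20"}), 3600)

if __name__ == "__main__":
    result = proxy_id_mismatches(OUR_PROXY_IDS, PEER_PROXY_IDS)
    for o in result["missing_on_peer"]:
        m = o.mirrored()
        print(f"peer lacks a mirror of {o.local} -> {o.remote}; "
              f"peer needs local={m.local} remote={m.remote}")
    for p in result["missing_locally"]:
        print(f"we lack a mirror of peer's {p.local} -> {p.remote}")
    overlap = crypto_profile_overlap(OUR_PROFILE, PEER_PROFILE)
    print("crypto profile ok" if overlap["ok"] else f"no overlap on: {overlap['problems']}")
```

Selectors are compared as exact network pairs because that is how proxy IDs are negotiated: a peer's 10.0.0.0/8 does not satisfy our 10.2.0.0/24, so the script reports both the unmatched local entry and the unmatched peer entry, and prints the exact selector the peer would need.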

Step 4 — Tunnel flaps

If it comes up then drops, check DPD settings, the tunnel monitor (a wrong monitor IP will tear down a healthy tunnel), and that key lifetimes align so rekeys succeed.

How Tech Matrix solves this in ~60 seconds

The Palo Alto trap is knowing whether it's IKE, a proxy-ID mismatch, or a crypto profile — without scrolling ikemgr.log by hand. Tech Matrix connects to your firewall via a secure agent, reads the IKE/IPsec SAs and the log itself, and tells you exactly which selector or profile doesn't match — grounded in your PAN-OS version. You approve every command.

Frequently asked questions

How do I check a Palo Alto VPN tunnel status?

Run 'show vpn ike-sa' and 'show vpn ipsec-sa', or 'test vpn ike-sa gateway <gateway-name>' and 'test vpn ipsec-sa tunnel <tunnel-name>' to actively trigger and observe negotiation.

Why is my Palo Alto IPsec Phase 2 not coming up?

Most often a proxy-ID mismatch. PAN-OS uses proxy IDs for Phase 2 selectors; your local/remote subnets must mirror the peer, and the IPsec crypto profile must match.

Where are Palo Alto VPN logs?

The IKE daemon log: 'tail follow yes mp-log ikemgr.log' shows live Phase 1/Phase 2 negotiation and the reason for failure.