Pre‑Shared Key Mismatch Prevents BOVPN Tunnel Establishment
Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes
A Branch Office VPN (BOVPN) tunnel fails to establish when the pre‑shared key (PSK) configured on one endpoint is not the same as the PSK configured on the peer endpoint. For Phase 1 IKE authentication, both endpoints must use the same PSK. The PSK must be the same, including character case, spaces, and special characters.
Symptoms
When the two BOVPN endpoints use different PSKs, these symptoms typically appear:
- Phase 1 (IKE) authentication fails.
- The BOVPN tunnel does not establish.
- VPN negotiation repeatedly restarts and is unsuccessful.
- Firebox log messages indicate that the Firebox rejected the IKE authentication attempt because the configured PSKs do not match.
Examples:
- Pre-shared key authentication failure
- AUTHENTICATION_FAILED
Diagnostic Steps
On each BOVPN endpoint, perform these steps:
- Re-enter the Phase 1 PSK on both tunnel endpoints.
- Verify that the PSK values are the same.
- Verify that the PSK does not contain:
  - Leading or trailing spaces
  - Extra characters
  - Encoding differences introduced by copy-and-paste operations
- Review log messages related to Phase 1 authentication failures.
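To make the "verify that the PSK values are the same" step concrete, here is an added Python helper (not part of this article or of any WatchGuard product) that compares the PSK string as entered on each endpoint and reports the kind of discrepancy: stray whitespace, character case, Unicode normalization form, or look-alike characters that copy-and-paste commonly introduces. The CONFUSABLES table and the sample keys are constructed for the example.

```python
import unicodedata

# Characters that copy-and-paste from documents or chat clients often
# substitutes for plain ASCII. Constructed for this example; not exhaustive.
CONFUSABLES = {
    "\u00a0": "non-breaking space",
    "\u200b": "zero-width space",
    "\u2018": "curly single quote",
    "\u2019": "curly single quote",
    "\u201c": "curly double quote",
    "\u201d": "curly double quote",
    "\u2013": "en dash",
}


def psk_diff(psk_a: str, psk_b: str) -> list[str]:
    """Explain why the PSK typed on endpoint A does not match the PSK typed
    on endpoint B. Returns an empty list when the two values are identical."""
    if psk_a == psk_b:
        return []
    reasons = []
    if len(psk_a) != len(psk_b):
        reasons.append(f"length differs ({len(psk_a)} vs {len(psk_b)} characters)")
    if psk_a.strip() == psk_b.strip():
        reasons.append("only leading or trailing whitespace differs")
    elif psk_a.strip().casefold() == psk_b.strip().casefold():
        reasons.append("only character case differs")
    elif unicodedata.normalize("NFC", psk_a) == unicodedata.normalize("NFC", psk_b):
        reasons.append("only Unicode normalization form differs")
    # Flag characters that look like ASCII but are not, on either side.
    for side, value in (("endpoint A", psk_a), ("endpoint B", psk_b)):
        for ch in sorted(set(value)):
            if ch in CONFUSABLES:
                reasons.append(f"{side} contains {CONFUSABLES[ch]} (U+{ord(ch):04X})")
            elif not (0x20 <= ord(ch) <= 0x7E):
                reasons.append(f"{side} contains non-ASCII or control char U+{ord(ch):04X}")
    # Report where the two strings first diverge (0-based index).
    for i, (ca, cb) in enumerate(zip(psk_a, psk_b)):
        if ca != cb:
            reasons.append(f"first difference at index {i}: {ca!r} vs {cb!r}")
            break
    return reasons


if __name__ == "__main__":
    # Constructed sample: the same PSK pasted with a curly apostrophe on one side.
    for reason in psk_diff("Branch-Site's-Key", "Branch-Site\u2019s-Key"):
        print(reason)
```

Run it against the PSK as it appears in each endpoint's configuration export; an empty result means the values are byte-for-byte identical.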
Possible Causes and Solutions
| Possible Cause | Solution |
|---|---|
| The PSKs are not identical on the BOVPN endpoints. | Reconfigure the PSK and manually re-enter the same value on both tunnel endpoints to make sure that they are exactly the same. Locally-Managed: Manual Branch Office VPN Tunnels. Cloud-Managed: Manage BOVPNs for Cloud-Managed Fireboxes. |
Related Topics
- Manual Branch Office VPN Tunnels
- About Firebox Logging and Notification (Locally-managed Fireboxes)
- Monitor Traffic on Fireboxes and FireClusters (Cloud-managed Fireboxes)