I know that Error code 19 indicates a mismatch with DH groups and that the solution will be to verify that they match on both ends.
What baffles me is that when the Palo Alto is the responder, it is often able to successfully negotiate Phase 2.
Phase 2 consistently fails when the Palo Alto initiates.
The Palo Alto has PFS with DH 14. The other side apparently does not.
Can you point me towards documentation that would explain this seemingly inconsistent behavior?
Thank you very much!
I doubt this is documented anywhere; I don't know of any articles. I do have a potential solution: set the Palo side to "passive" so the remote end always needs to initiate. To figure out what is happening you'd need to deep-dive into troubleshooting and compare the sequence of negotiations on both sides.