How to Analyze IKE Phase 1 Messages in the Event Logs

Knowledge Base ID: KB9238
Last Updated: 24 Aug 2011
Version: 5.0

Summary:
If the Event log is reporting IKE Phase 1 messages, this procedure can help determine the reason the VPN is not establishing Phase 1.

Problem or Goal:
An IKE VPN Tunnel is not coming up. There may be Phase 1 messages in the Event Logs that could help determine why.

Solution:

Use the following steps to identify the IKE Phase 1 error messages and what to do to correct them. For help locating the IKE errors in the event logs, see KB4426 - How do I Find the VPN Entry in the Event Log?

NOTE: You can troubleshoot a VPN problem faster and more accurately by reviewing the event log messages on the responder firewall. The responder is the "receiver" side of the VPN: the side being pinged, receiving the tunnel setup requests, or receiving the tunneled traffic. The initiator is the side of the VPN that generates the ping or traffic.

Step 1. Is there a message reporting Phase 1 Complete for the VPN in question? If there is, Phase 1 has negotiated successfully and the failure lies later in the tunnel setup rather than in the settings covered by Step 2.

Example: IKE <1.1.1.1> Phase 1: Completed { Aggressive | Main } mode negotiations with a <number>-second lifetime.

Step 2. The most common Phase 1 errors are:

  • Message: IKE <ip_addr> Phase 1: Rejected an initial Phase 1 packet from an unrecognized peer gateway.
    Meaning: The responder did not recognize the incoming request as originating from a valid gateway peer.
    Action: On the responder, confirm that the following IKE gateway configuration settings are correct:
      • The Static IP Address specified for the Remote Gateway is correct.
      • The Peer ID specified for the Remote Gateway is correct.
      • The outgoing interface is correct. (You cannot change an existing IKE Gateway's outgoing interface. Create a new IKE Gateway that points to the correct outgoing interface, then change the AutoKey IKE entry so that it references the new gateway.)
  • Message: IKE <ip_addr> Phase 1: Rejected an IKE packet on ethernet1/2 from <ip_addr>:<port> to <ip_addr>:<port> with cookies <cookie> and <cookie> because Phase 1 negotiations failed. (The preshared keys might not match.)
    Meaning: The Phase 1 preshared keys do not match.
    Action: On both the initiator and the responder, re-enter the Preshared Key in the IKE gateway configuration.
  • Message: <ip_address> to <ip_address> with cookies <cookie id> and <cookie id> because there were no acceptable Phase 1 proposals.
    Meaning: The Phase 1 proposals do not match.
    Action: Make sure the IKE gateway Phase 1 proposal parameters on the responder and the initiator match:
      • Authentication Method (Preshare, RSA-signature, or DSA-signature)
      • Diffie-Hellman Group Number (Group 1, 2, or 5)
      • Encryption Algorithm (DES, 3DES, or AES)
      • Hash Algorithm (MD5 or SHA-1)
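As an added example (not part of this KB and not Juniper code), the following Python script applies the Step 1 and Step 2 checks to event log lines: it extracts the remote gateway address from the IKE<ip> prefix, maps each Phase 1 message to the meaning and action listed above, and keeps the most recent Phase 1 status per peer, which is how you would read the responder's log. The timestamp and severity prefix on the sample lines, and the leading words of the "no acceptable Phase 1 proposals" message, are assumptions, because the KB quotes only fragments of the messages; the sample lines themselves are constructed.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional


class Phase1Finding(NamedTuple):
    peer: str      # remote gateway address taken from "IKE<ip>" / "IKE <ip>"
    status: str    # complete | unrecognized_peer | psk_mismatch | no_proposal | unclassified
    meaning: str
    action: str


# (status, regex over the message text, meaning, action).
# The regex fragments are the message texts quoted in the KB; meaning and
# action paraphrase the KB's own Step 1 / Step 2 guidance.
RULES = [
    ("complete",
     re.compile(r"Phase 1: Completed (Aggressive|Main) mode negotiations with a \d+-second lifetime"),
     "Phase 1 negotiated successfully; if the tunnel is still down, look beyond Phase 1.",
     "No Phase 1 change needed."),
    ("unrecognized_peer",
     re.compile(r"Rejected an initial Phase 1 packet from an unrecognized peer gateway"),
     "The responder did not recognize the sender as a configured gateway peer.",
     "On the responder, check the remote gateway's static IP, peer ID and outgoing interface."),
    ("psk_mismatch",
     re.compile(r"Rejected an IKE packet .* because Phase 1 negotiations failed"),
     "Phase 1 negotiation failed; the preshared keys probably do not match.",
     "Re-enter the preshared key in the IKE gateway configuration on both sides."),
    ("no_proposal",
     re.compile(r"because there were no acceptable Phase 1 proposals"),
     "The peer's Phase 1 proposals match none configured on this gateway.",
     "Compare authentication method, DH group, encryption and hash algorithm on both sides."),
]

# Matches both "IKE<1.1.1.1>" and "IKE <1.1.1.1>" as written in the KB examples.
PEER_RE = re.compile(r"IKE\s*<\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*>")


def classify(line: str) -> Optional[Phase1Finding]:
    """Return a finding for an IKE Phase 1 log line, or None for unrelated lines."""
    if "Phase 1" not in line:
        return None
    m = PEER_RE.search(line)
    peer = m.group("ip") if m else "unknown"
    for status, pattern, meaning, action in RULES:
        if pattern.search(line):
            return Phase1Finding(peer, status, meaning, action)
    # Step 3 of the KB: anything else needs logs from both sides and a support case.
    return Phase1Finding(peer, "unclassified",
                         "Phase 1 message not covered by the common cases.",
                         "Collect site-to-site logs from both sides and open a JTAC case.")


def analyze(lines: Iterable[str]) -> List[Phase1Finding]:
    """Classify every Phase 1 line in log order, skipping non-IKE lines."""
    return [f for f in map(classify, lines) if f is not None]


def latest_status(findings: Iterable[Phase1Finding]) -> Dict[str, Phase1Finding]:
    """Keep only the most recent finding per peer: an earlier rejection followed by
    'Completed' means the operator already fixed that peer."""
    latest: Dict[str, Phase1Finding] = {}
    for f in findings:
        latest[f.peer] = f
    return latest


# Constructed sample lines in the shape of a ScreenOS event log. The
# "date time system info" prefix is assumed; the IKE text follows the KB's messages.
SAMPLE_LOG = [
    "2011-08-24 10:01:02 system info IKE<1.1.1.1> Phase 1: Rejected an IKE packet on ethernet1/2 "
    "from 1.1.1.1:500 to 2.2.2.2:500 with cookies 0a1b2c3d and 4e5f6a7b because Phase 1 negotiations failed.",
    "2011-08-24 10:01:40 system info IKE<1.1.1.1> Phase 1: Completed Main mode negotiations with a 28800-second lifetime.",
    "2011-08-24 10:02:11 system info IKE<3.3.3.3> Phase 1: Rejected an initial Phase 1 packet from an unrecognized peer gateway.",
    "2011-08-24 10:02:45 system info IKE<4.4.4.4> Phase 1: Rejected an IKE packet on ethernet1/2 "
    "from 4.4.4.4:500 to 2.2.2.2:500 with cookies 11223344 and 55667788 because there were no acceptable Phase 1 proposals.",
    "2011-08-24 10:03:00 system info Admin user 'netscreen' logged in via console.",
]

if __name__ == "__main__":
    for peer, f in latest_status(analyze(SAMPLE_LOG)).items():
        print(f"{peer}: {f.status}\n  meaning: {f.meaning}\n  action:  {f.action}")
```

Feed it the responder's event log (for example, saved output of `get event`) one line at a time; the per-peer summary tells you which peer to look at and which of the Step 2 actions applies, while anything reported as `unclassified` falls into Step 3.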

Step 3. If you have IKE Phase 1 errors other than those listed in Step 2, collect the logs from both sides of the tunnel and open a case with JTAC (Juniper Technical Assistance Center). For Site-to-Site environments, consult KB9229 - How to collect logs and open a case for a problem with a Site-to-Site VPN; for Dial-Up environments, consult KB9395 - What Information Should Be Collected for a Dial-UP VPN That Won't Come Up?

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.