IKE Phase 1 successful, Phase 2 fails due to proxy-id mismatch (KB ID: KB5049)
| Article ID: | KB5049 |
|---|---|
| Former Article ID: | nskb8822 |
| Published: | Jul 24, 2008 |
| Last Modified: | Jul 24, 2008 |
| Visible By: | Employee, PTAC, Partner, Customer, Public |
Back to Previous Page | Knowledge Base Home
Article URL
Synopsis
The Proxy ID on the local and remote VPN device must match for phase 2 to complete the VPN negotiations. The information below explains the log error "No policy exist for the Proxy ID" in greater detail.
Problem
Environment:
- IPsec
- proxy id
- Route-based VPN
- Proxy-ID configured manually
- Address book entries configured
- Phase 1 successful
Symptoms & Errors:
- Phase 2 failing with a Proxy ID mismatch
- No policy exist for the Proxy ID
- Get address shows
192.168.168.0/24 192.168.168.0 255.255.255.0 00
Any 0.0.0.0 0.0.0.0 02 All Addr
Dial-Up VPN 255.255.255.255 255.255.255.255 02 Dial-Up VPN Addr
Homenet 192.168.0.0 255.255.255.0 00
SBC Net 64.161.25.0 255.255.255.0 00
Solution
Verify that the address book entry is correct and make sure the Proxy ID's match from one gateway to the other (i.e. local proxy id matches with peer's remote proxy id, and vice versa). See the image.
To check the Proxy ID of each policy-based vpn using the CLI, type the following command:
get policy id <number>
Example:
spingineer-> get policy id 3
name:"none" (id 12), zone Untrust -> Trust,action Tunnel, status "enabled"
src "Dial-Up VPN", dst "10.2.2.0/24", serv "ANY"
Policies on this vpn tunnel: 1
[255.255.255.255/32, 10.2.2.0/24, 0-65535, 0-65535, 0]
nat off, url filtering : disabled
vpn remote-vpn, nsp tunnel 40000012, sa index 2, sa tunnel id 12
policy flag 00010000, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log close, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/0 policing (no)
proxy id:
local 10.2.2.0/255.255.255.0, remote 255.255.255.255/255.255.255.255, proto 0, port 0
No Authentication
No User, User Group or Group expression set
spingineer->
Category Description
By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems » ScreenOS Software
By Product » Software » VPN Clients
By Network Technology » IP Protocols » Tunneling Protocols » IPSec
Purpose
Troubleshooting

