How Do I Resolve Intermittent VPN Connectivity Problems?
Problem:
Environment:
- Internet Key Exchange (IKE) with pre-shared keys
- Virtual Private Network (VPN)
- Virtual Private Network (VPN) not working
- IKE Phase 2 fails
- Log Messages:
- No policy exists for the proxy ID: local(10.2.0.126/255.255.255.255/0/0) remote(192.168.1.200/255.255.255.255/0/0)
- ## protocol matched expected<0>
- ## local address matched
- ## remote address NOT matched
This article applies to ScreenOS 4.0 and higher.
VPN connectivity problems are sometimes caused by a mismatch between the VPN policies on the two NetScreen devices. In IKE Phase 2 the peer sends a proxy ID (local address, remote address, protocol and port), and the receiving device must find a policy whose own proxy ID matches it exactly, with the addresses mirrored: the peer's local network is your remote network and vice versa. If no policy matches, Phase 2 fails even though Phase 1 succeeded. Two methods for determining if this is the issue are:
- Check the Security Associations (SAs) on your NetScreen device.
- Check the system debug output for a 'No policy exists for the proxy ID received' entry.
To check the SAs on your NetScreen device, perform the following steps:
1. Open the Command Line Interface (CLI). For more information, go to Accessing the Command Line Interface Using Telnet.
2. From the CLI, enter the following command, and then press ENTER:
   get sa
3. Locate the IKE gateway. If there are two active SA pairs and each pair shows a negative number (-1) in the policy ID (PID) column, it is likely that you have a policy mismatch; a PID of -1 means that no policy is associated with that SA. An example of this output is displayed below:
   HEX ID    Gateway      Port  Algorithm      SPI       Life:sec  kb     Sta  PID  vsys
   00000002< 0.0.0.0      500   esp:3des/sha1  00000000  expir     unlim  I/I  -1   0
   00000002> 0.0.0.0      500   esp:3des/sha1  00000000  expir     unlim  I/I  9    0
   00000008< 12.12.12.12  500   esp:3des/sha1  00000000  expir     unlim  I/I  11   0
   00000008> 12.12.12.12  500   esp:3des/sha1  00000000  expir     unlim  I/I  -1   0
To resolve a policy mismatch, reconfigure the VPN policies on the NetScreen devices so that the local and remote addresses, protocol and port on each side are the mirror image of the other side's. For more information, go to Configuring a Policy Based LAN to LAN VPN When Both Sides Have Static IPs Using Preshared Keys.

To check the system debug output for a 'No policy exists for the proxy ID received' entry, perform the following steps:
1. Open the Command Line Interface (CLI). For more information, go to Accessing the Command Line Interface Using Telnet.
2. From the CLI, enter the following command, and then press ENTER (enter clear dbuf first if you want the debug buffer to contain only this negotiation):
   debug ike detail
3. Initiate a VPN negotiation.
4. From the CLI, enter the following commands, and then press ENTER after each. The first command turns debugging off again, which matters on a busy device because debug ike detail is verbose:
   undebug all
   get dbuf stream
5. Examine the debug output for a 'No policy exists for the proxy ID received' entry. An example of this type of entry is displayed below:
   ##2001-08-03 15:30:30 system-debugging: IKE<10.10.12.253> Phase 2: No policy exists for the proxy ID received: local ID (<172.16.10.0>/<255.255.255.0>,<0>,<0>) remote ID (<10.251.7.53>/<255.255.255.255>,<0>,<0>)
To resolve a policy mismatch, reconfigure the VPN policies on the NetScreen devices. For more information, go to Configuring a Policy Based LAN to LAN VPN When Both Sides Have Static IPs Using Preshared Keys.
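The two checks above, carried out on saved output instead of live on the device, as an added example that is not part of this article or of ScreenOS: a Python script that parses constructed get sa and get dbuf stream output, lists the SA pairs whose PID is -1, extracts the proxy ID from a 'No policy exists for the proxy ID received' entry in the debug ike detail format shown in step 5 (the summarized log line under Environment uses a different layout and is not parsed), and compares it field by field with a hypothetical policy table (POLICIES) to report, the way the debug output does, which of protocol, port, local address and remote address did not match. It assumes that the logged local and remote IDs are from the reporting device's own perspective, that the two trailing numbers of each ID are protocol and port, and that a match requires every field, mask included, to be identical; the mirrored() helper shows the proxy ID the peer must be configured with (its local is this device's remote).

```python
"""Added example, not from the article: parse ScreenOS 'get sa' and
'debug ike detail' output to spot a Phase 2 proxy ID / policy mismatch."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# Constructed 'get sa' output in the layout the article shows.
GET_SA_OUTPUT = """\
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000002< 0.0.0.0 500 esp:3des/sha1 00000000 expir unlim I/I -1 0
00000002> 0.0.0.0 500 esp:3des/sha1 00000000 expir unlim I/I 9 0
00000008< 12.12.12.12 500 esp:3des/sha1 00000000 expir unlim I/I 11 0
00000008> 12.12.12.12 500 esp:3des/sha1 00000000 expir unlim I/I -1 0
"""
# Constructed 'get dbuf stream' excerpt captured after 'debug ike detail'.
DEBUG_OUTPUT = (
    "##2001-08-03 15:30:30 system-debugging: IKE<10.10.12.253> Phase 2: "
    "No policy exists for the proxy ID received: "
    "local ID (<172.16.10.0>/<255.255.255.0>,<0>,<0>) "
    "remote ID (<10.251.7.53>/<255.255.255.255>,<0>,<0>)\n"
)

@dataclass(frozen=True)
class Endpoint:
    network: IPv4Network
    protocol: int  # 0 = any
    port: int      # 0 = any

@dataclass(frozen=True)
class ProxyId:
    local: Endpoint
    remote: Endpoint

    def mirrored(self) -> "ProxyId":
        """Proxy ID as the peer must configure it: its local is our remote."""
        return ProxyId(local=self.remote, remote=self.local)

def unbound_sa_pairs(get_sa_text: str) -> list[str]:
    """HEX IDs of SA pairs with PID -1 (not bound to any policy) in either direction."""
    pids: dict[str, dict[str, int]] = {}
    for line in get_sa_text.splitlines():
        parts = line.split()
        # Data rows have 10 columns and a direction marker glued to the HEX ID.
        if len(parts) != 10 or parts[0][-1] not in "<>":
            continue
        hex_id, direction = parts[0][:-1], parts[0][-1]
        pids.setdefault(hex_id, {})[direction] = int(parts[8])
    return sorted(h for h, dirs in pids.items() if -1 in dirs.values())

# Each ID is printed as (<address>/<mask>,<n>,<n>); the two trailing numbers
# are read as protocol and port (assumption).
_ID = r"\(<([\d.]+)>/<([\d.]+)>,<(\d+)>,<(\d+)>\)"
_NO_POLICY = re.compile(r"No policy exists for the proxy ID received: "
                        r"local ID " + _ID + r" remote ID " + _ID)

def endpoint(addr: str, mask: str, proto: str = "0", port: str = "0") -> Endpoint:
    return Endpoint(ip_network(f"{addr}/{mask}", strict=False), int(proto), int(port))

def no_policy_events(debug_text: str) -> list[ProxyId]:
    """Proxy IDs the device rejected with 'No policy exists'."""
    return [ProxyId(endpoint(*m.groups()[:4]), endpoint(*m.groups()[4:]))
            for m in _NO_POLICY.finditer(debug_text)]

def diagnose(received: ProxyId, policies: dict[str, ProxyId]) -> dict[str, dict[str, bool]]:
    """Per policy, which proxy ID fields equal the received ones; a policy
    matches only when every field is identical (mask included)."""
    report = {}
    for name, pol in policies.items():
        report[name] = {
            "protocol": (received.local.protocol, received.remote.protocol)
            == (pol.local.protocol, pol.remote.protocol),
            "port": (received.local.port, received.remote.port)
            == (pol.local.port, pol.remote.port),
            "local address": received.local.network == pol.local.network,
            "remote address": received.remote.network == pol.remote.network,
        }
    return report

def matching_policies(received: ProxyId, policies: dict[str, ProxyId]) -> list[str]:
    return [n for n, c in diagnose(received, policies).items() if all(c.values())]

# Hypothetical policy table on the device that logged DEBUG_OUTPUT: its remote
# side is a /24 while the peer presents a single /32 host.
POLICIES = {"to-branch": ProxyId(endpoint("172.16.10.0", "255.255.255.0"),
                                 endpoint("10.251.7.0", "255.255.255.0"))}

if __name__ == "__main__":
    print("SA pairs with PID -1:", unbound_sa_pairs(GET_SA_OUTPUT))
    for ev in no_policy_events(DEBUG_OUTPUT):
        for name, checks in diagnose(ev, POLICIES).items():
            for field, ok in checks.items():
                print(f"## {name}: {field} {'matched' if ok else 'NOT matched'}")
        print("peer must present:", ev.mirrored())
```

Paste real get sa and get dbuf stream output into the two strings and fill POLICIES from your own policy addresses. If matching_policies comes back empty, the per-field report tells you which side of which policy to correct; note that the mask is part of the comparison, so a /24 on one device and a /32 host on the other fails even though the addresses overlap.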