Text Size:        

• Ask the KB
• Find answers in our KB
  
  Example: "Configure BGP"
  
• KB Article Feedback
• This article was easy to understand:

  Strongly Agree
  Agree
  Neutral
  Disagree
  Strongly Disagree
  

  This article was complete and accurate:

  Strongly Agree
  Agree
  Neutral
  Disagree
  Strongly Disagree
  

  How best can we improve this article?:

  
  

  What is your overall rating on this article?:

  Excellent
  Good
  Neutral
  Poor
  Very Poor
  

Log Viewer shows IKE Phase 1 Negotiation message not received (KB ID: KB6193)

Back to Previous Page | Knowledge Base Home

Article URL

http://kb.juniper.net/KB6193

Synopsis

Log Viewer shows IKE Phase 1 Negotiation message not received

Problem

Log Viewer shows IKE Phase 1 Negotiation message not received Log Viewer: Exceeded 3 IKE SA Negotiations Phase 1: Discarded a second initial packet, which arrived 5 seconds after the first

Solution

There are several reasons why IKE Phase 1 Negotiation would not be received:

1. Secure Gateway Tunnel IP address is not referencing the IP address of the correct NetScreen.
2. UDP Port 500, UDP Port 4500 and IPSec Protocol 50 might be blocked by the ISP or at the router. All 3 must be allowed through in order to establish the VPN.
3. IKE ID on the NetScreen-Remote client does not match the IKE ID for the User account on the NetScreen device
4. Phase 1 encryption algorithm on NetScreen-Remote does not match Phase 1 encryption negotiation on the NetScreen
5. Phase 1 authentication algorithm on NetScreen-Remote does not match Phase 1 authentication negotiation on the NetScreen
6. Phase 1 Key Group on NetScreen-Remote does not match Phase 1 Diffie-Hellman group on the NetScreen
7. In ScreenOS 4.0.0 or higher:
   

   If the NetScreen device is configured as a layer 3 device, either Route mode or NAT mode, make sure the VLAN1 interface IP is not set.'  There have been some issues when VLAN1 IP is configured to a non-0.0.0.0 IP address when the device is configured to Route or NAT mode.

   From the command line interface (CLI):

   unset interface vlan1 ip [Enter]
   

Category Description

By Product » Hardware » Firewalls
By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems
By Product » Software » Network Operating Systems » ScreenOS Software
By Network Technology » IP Protocols » Tunneling Protocols

Purpose

Troubleshooting

Related Articles

Related Links

• How to View and Analyze Messages in the NetScreen Remote VPN Client Log Viewer
• How to Troubleshoot a Dial-Up VPN that will not come active

Related Files