How to Analyze IKE Phase 2 Messages in the Event Logs (KB ID: KB9231)
| Article ID: | KB9231 |
|---|---|
| Former Article ID: | |
| Published: | Jan 30, 2007 |
| Last Modified: | Jan 30, 2007 |
| Visible By: | Employee, PTAC, Partner, Customer, Public |
Synopsis
If the Event log is reporting IKE Phase 2 messages, this procedure can help determine the reason the VPN is not establishing Phase 2.
Problem
An IKE VPN Tunnel is not coming up. There may be Phase 2 messages in the Event Logs that could help determine why.
Solution
Use the following steps to identify the IKE Phase 2 error messages and determine what to do to correct them. For assistance in finding the IKE errors in the event logs, see KB4426 - How do I Find the VPN Entry in the Event Log?
1. Is there a message reporting Phase 2 Complete for the VPN in question?
Example:
Message: IKE <1.1.1.1> Phase 2 msg ID <8046e14d>: Completed negotiations with SPI <e37791d8>, tunnel ID <1>, and lifetime <3600> sec/<0> KB.
Where 1.1.1.1 is the IP address of the remote firewall in question.
- Yes - See KB9276 - How to Troubleshoot a Site-to-Site VPN that is up, but, is not Passing Traffic
- No - Continue with Step 2
2. The most common Phase 2 errors are:
- Message: IKE <ip_addr> Received notify message for DOI <1> <14> < NO_PROPOSAL_CHOSEN >
  or
  Message: IKE <ip_addr> Phase 2: Rejected proposals from peer, Negotiations failed.
  or
  Message: Rejected an IKE packet on <interface> from ..... because there were no acceptable Phase 2 proposals
  Meaning: The NetScreen device did not accept any of the IKE Phase 2 proposals that the specified IKE peer sent.
  Action: Check the local VPN configuration. Either change the local configuration to accept at least one of the remote peer's Phase 2 proposals, or contact the remote peer's admin and arrange for the IKE configurations at both ends of the tunnel to use at least one mutually acceptable Phase 2 proposal.
  For assistance, see KB6168 - Received Notify Message for DOI <No_PROPOSAL_CHOSEN>
- Message: IKE <ip_addr> Phase 2: No policy exists for the proxy ID received: local ID (<ip_addr>/<mask>, <protocol>, <port_num>) remote ID (<ip_addr>/<mask>, <protocol>, <port_num>).
  Meaning: No policy was found matching the specified proxy-ID attributes.
  Action: The proxy-id must be an exact "reverse" match: the local ID on one side must equal the remote ID on the other, and vice versa. For example, the address book entries must have the same number of netmask bits, and the list of services must match, as must the port numbers. If any of these fields does not match, Phase 2 will fail. Check the address and/or service book entries.
To help troubleshoot a Proxy ID error, consult one of the following articles:
- Message: IKE <ip_addr>: Phase 2 negotiation request is already in the task list
Meaning: The IKE module in the local NetScreen device, when attempting to add a Phase 2 negotiation task to its task list, discovered that the list already contained an identical task for the specified peer.
When beginning Phase 1 negotiations, the NetScreen device adds the tasks that the Phase 1 security association (SA) must do to its Phase 1 task list. One such task is to perform Phase 2 negotiations. If Phase 1 negotiations progress too slowly, local traffic might initiate another Phase 2 SA request to the IKE module. If so, before the NetScreen device adds the Phase 2 task to its task list, it will discover that an identical task is already in the list and refrain from adding the duplicate.
Action: Check if the IKE Phase 1 negotiations with that peer have successfully completed.
If you are receiving this message, see Step 6 of KB9221 - How to Troubleshoot a Site-to-Site VPN Tunnel that won't come up.
3. If you have IKE Phase 2 errors other than those listed in Step 2, consult the Message Log Reference Guide for your ScreenOS version.
4. For additional assistance, collect the Site-to-Site logs for both sides of the tunnel and open a case with JTAC - Juniper Technical Assistance Center. See KB9229 - How to collect logs and open a case for a problem with a Site-to-Site VPN.
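The classification in Step 2 can be automated when an event log export is large. The script below is an added example, not part of this article or of ScreenOS: it matches the Phase 2 message shapes quoted above against a handful of constructed log lines, reports which case each line falls under together with the article's recommended action, and includes a helper that checks whether two peers' proxy IDs are the exact "reverse" match the proxy-ID action requires. The sample log lines, peer addresses, interface name and proxy-ID values are all constructed for the example.

```python
import re
from typing import Optional

# Message shapes quoted in the KB article, each paired with the article's action.
# Group names (peer, spi, tunnel, local, remote, ...) are this example's own.
PATTERNS = [
    ("phase2_complete",
     re.compile(r"IKE <(?P<peer>[\d.]+)> Phase 2 msg ID <(?P<msgid>[0-9a-f]+)>: "
                r"Completed negotiations with SPI <(?P<spi>[0-9a-f]+)>, "
                r"tunnel ID <(?P<tunnel>\d+)>, and lifetime <(?P<secs>\d+)> sec/<(?P<kb>\d+)> KB"),
     "Phase 2 is up. If traffic is not passing, see KB9276."),
    ("no_proposal_chosen",
     re.compile(r"IKE <(?P<peer>[\d.]+)> (?:Received notify message for DOI <1> <14> < ?NO_PROPOSAL_CHOSEN ?>"
                r"|Phase 2: Rejected proposals from peer, Negotiations failed\.)"),
     "No Phase 2 proposal matched. Align proposals at both ends (KB6168)."),
    ("no_proposal_chosen",
     re.compile(r"Rejected an IKE packet on (?P<iface>\S+) from (?P<peer>[\d.]+) ?"
                r"because there were no acceptable Phase 2 proposals"),
     "No Phase 2 proposal matched. Align proposals at both ends (KB6168)."),
    ("no_policy_for_proxy_id",
     re.compile(r"IKE <(?P<peer>[\d.]+)> Phase 2: No policy exists for the proxy ID received: "
                r"local ID \((?P<local>[^)]*)\) remote ID \((?P<remote>[^)]*)\)"),
     "Proxy IDs must be an exact reverse match. Check address and service book entries."),
    ("already_in_task_list",
     re.compile(r"IKE <(?P<peer>[\d.]+)>: Phase 2 negotiation request is already in the task list"),
     "Check whether Phase 1 with this peer completed (KB9221, Step 6)."),
]

# Constructed sample log lines following the shapes quoted in the article.
SAMPLE_LOG = [
    "IKE <1.1.1.1> Phase 2 msg ID <8046e14d>: Completed negotiations with SPI <e37791d8>, "
    "tunnel ID <1>, and lifetime <3600> sec/<0> KB.",
    "IKE <2.2.2.2> Received notify message for DOI <1> <14> < NO_PROPOSAL_CHOSEN >",
    "Rejected an IKE packet on ethernet3 from 6.6.6.6 because there were no acceptable Phase 2 proposals",
    "IKE <3.3.3.3> Phase 2: No policy exists for the proxy ID received: "
    "local ID (10.1.1.0/24, 6, 80) remote ID (10.2.2.0/25, 6, 80).",
    "IKE <4.4.4.4>: Phase 2 negotiation request is already in the task list",
    "unrelated constructed log line that is not an IKE Phase 2 message",
]


def classify(line: str) -> Optional[dict]:
    """Return the Phase 2 case, the article's action and the parsed fields for one log line."""
    for kind, pattern, action in PATTERNS:
        match = pattern.search(line)
        if match:
            return {"kind": kind, "action": action, **match.groupdict()}
    return None  # not one of the Phase 2 messages the article covers


def analyze(lines) -> list:
    """Classify every line and drop the ones that are not Phase 2 messages."""
    return [result for result in (classify(line) for line in lines) if result]


def parse_proxy_id(text: str) -> tuple:
    """Split '10.1.1.0/24, 6, 80' into (address/mask, protocol, port)."""
    parts = tuple(part.strip() for part in text.split(","))
    if len(parts) != 3:
        raise ValueError(f"proxy ID must have three fields: {text!r}")
    return parts


def proxy_ids_mirror(local_a: str, remote_a: str, local_b: str, remote_b: str) -> bool:
    """True when side B's proxy ID is the exact reverse of side A's.

    Every field must match (address, netmask length, protocol, port); a single
    differing mask bit, such as /24 versus /25, is enough to fail Phase 2.
    """
    return (parse_proxy_id(local_a) == parse_proxy_id(remote_b)
            and parse_proxy_id(remote_a) == parse_proxy_id(local_b))


if __name__ == "__main__":
    for result in analyze(SAMPLE_LOG):
        print(f"{result['kind']:24} peer={result.get('peer')}: {result['action']}")
    # Mask mismatch taken from the constructed proxy-ID sample above.
    print(proxy_ids_mirror("10.1.1.0/24, 6, 80", "10.2.2.0/24, 6, 80",
                           "10.2.2.0/25, 6, 80", "10.1.1.0/24, 6, 80"))
```

Run it against a file by replacing SAMPLE_LOG with the lines of an exported event log; the regexes are anchored only on the message text, so a leading timestamp or severity prefix does not prevent a match.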