
How to Analyze IKE Phase 1 Messages in the Event Logs (KB ID: KB9238)

Article ID: KB9238
Published: Jan 26, 2007
Last Modified: Jan 26, 2007
Visible By: Employee, PTAC, Partner, Customer, Public


Article URL

http://kb.juniper.net/KB9238

Synopsis

If the Event log is reporting IKE Phase 1 messages, this procedure can help determine the reason the VPN is not establishing Phase 1.

Problem

An IKE VPN Tunnel is not coming up. There may be Phase 1 messages in the Event Logs that could help determine why.

Solution

Use the following steps to identify the IKE Phase 1 error messages and the actions that correct them. For assistance in finding the IKE errors in the event logs, see KB4426 - How do I Find the VPN Entry in the Event Log?

NOTE: You can troubleshoot a VPN problem faster and more accurately by reviewing the event log messages on the responder firewall. The responder is the "receiver" side of the VPN: the side that is being pinged, that receives the tunnel setup requests, or that receives the tunneled traffic. The initiator is the side of the VPN that generates the ping or traffic.

Step 1. Is there a message reporting "Phase 1: Completed" for the VPN in question?

Example: IKE <1.1.1.1> Phase 1: Completed { Aggressive | Main } mode negotiations with a <number>-second lifetime.

Step 2. The most common Phase 1 errors are:

  • Message: IKE <ip_addr> Phase 1: Rejected an initial Phase 1 packet from an unrecognized peer gateway.
    Meaning: The responder did not recognize the incoming request as originating from a valid gateway peer.
    Action: On the responder, confirm the following IKE gateway configuration settings are correct:
    • The Static IP Address specified for the Remote Gateway is correct.
    • The Peer ID specified for the Remote Gateway is correct.
    • The outgoing interface is correct. (You cannot change an existing IKE Gateway's outgoing interface. Create a new IKE Gateway that points to the correct outgoing interface and then change the AutoKey IKE so that it matches the new gateway.)
  • Message: IKE <ip_addr> Phase 1: Rejected an IKE packet on ethernet1/2 from <ip_addr>:<port> to <ip_addr>:<port> with cookies <cookie> and <cookie> because Phase 1 negotiations failed. (The preshared keys might not match.)
    Meaning: The Phase 1 preshared keys do not match.
    Action: On both the initiator and responder, re-enter the Preshared Key in the IKE gateway configuration.
  • Message: <ip_address> to <ip_address> with cookies <cookie id> and <cookie id> because there were no acceptable Phase 1 proposals.
    Meaning: The Phase 1 proposals do not match.
    Action: Make sure the parameters for the IKE gateway Phase 1 proposals on both the responder and the initiator match:
    • Authentication Method (Preshare, RSA-signature, or DSA-signature)
    • Diffie-Hellman Group Number (Group 1, 2, or 5)
    • Encryption Algorithm (DES, 3DES, or AES)
    • Hash Algorithm (MD5 or SHA-1)

Step 3. If you see IKE Phase 1 errors other than those listed in Step 2, collect the Site-to-Site logs for both sides of the tunnel and open a case with JTAC (Juniper Technical Assistance Center). For Site-to-Site environments, consult KB9229 - How to collect logs and open a case for a problem with a Site-to-Site VPN; for Dial-Up environments, consult KB9395 - What Information Should Be Collected for a Dial-UP VPN That Won’t Come Up?
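As an added example (not part of this Juniper article or of ScreenOS), the following Python script applies the Step 1 to Step 3 rules to event-log lines and reports the article's recommended action per peer. The log lines are constructed to follow the message formats quoted above; the peer addresses and the final "other" message are made up for illustration.

```python
import re

# Constructed sample event-log excerpt (not from a real device). The message
# texts follow the formats quoted in Steps 1 and 2; the last line is a made-up
# Phase 1 message that none of the listed rules cover.
SAMPLE_LOG = """\
IKE 1.1.1.1 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
IKE 2.2.2.2 Phase 1: Rejected an initial Phase 1 packet from an unrecognized peer gateway.
IKE 3.3.3.3 Phase 1: Rejected an IKE packet on ethernet1/2 from 3.3.3.3:500 to 5.5.5.5:500 with cookies aaaa and bbbb because Phase 1 negotiations failed. (The preshared keys might not match.)
IKE 4.4.4.4 Phase 1: Rejected an IKE packet on ethernet1/2 from 4.4.4.4:500 to 5.5.5.5:500 with cookies cccc and dddd because there were no acceptable Phase 1 proposals.
IKE 6.6.6.6 Phase 1: Some other Phase 1 condition (constructed example).
system: admin user logged in from console
"""

# Peer address as it appears in "IKE <ip_addr> Phase 1:" (angle brackets optional).
PEER_RE = re.compile(r"IKE\s+<?(\d{1,3}(?:\.\d{1,3}){3})>?\s+Phase 1:")

# Ordered (substring, verdict, action) rules taken from Steps 1 and 2 of the article.
RULES = [
    ("Phase 1: Completed", "completed",
     "Phase 1 is up for this peer; look beyond Phase 1 for the problem"),
    ("Rejected an initial Phase 1 packet from an unrecognized peer gateway", "unrecognized_peer",
     "On the responder, check the remote gateway static IP, Peer ID and outgoing interface"),
    ("because Phase 1 negotiations failed", "psk_mismatch",
     "Re-enter the preshared key on both the initiator and the responder"),
    ("because there were no acceptable Phase 1 proposals", "proposal_mismatch",
     "Match authentication method, DH group, encryption and hash on both sides"),
]
OTHER_ACTION = "Collect Site-to-Site logs from both sides and open a JTAC case (Step 3)"

def classify(line):
    """Return (peer_ip, verdict, action) for one IKE Phase 1 line, or None if it is not one."""
    m = PEER_RE.search(line)
    if not m:
        return None
    for needle, verdict, action in RULES:
        if needle in line:
            return m.group(1), verdict, action
    return m.group(1), "other", OTHER_ACTION

def triage(log_text):
    """Map each peer to (verdict, action) of its most recent Phase 1 event; later lines win."""
    result = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            result[hit[0]] = (hit[1], hit[2])
    return result

if __name__ == "__main__":
    for peer, (verdict, action) in triage(SAMPLE_LOG).items():
        print(f"{peer:<12} {verdict:<18} {action}")
```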

Category Description

By Product » Hardware » Firewalls
By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems
By Product » Software » Network Operating Systems » ScreenOS Software
