How to View and Analyze Messages in the NetScreen-Remote VPN Client Log Viewer (KB ID: KB9396)
| Article ID: | KB9396 |
|---|---|
| Former Article ID: | |
| Published: | Nov 19, 2007 |
| Last Modified: | Nov 19, 2007 |
| Visible By: | Employee, PTAC, Partner, Customer, Public |
Synopsis
The NetScreen-Remote VPN Client Log Viewer messages can help determine the cause of the problem when the tunnel is not coming up. This article will assist you in viewing and analyzing the entries in the Log Viewer.
Problem
After following the steps in KB9224 - How to Troubleshoot a Dial-Up VPN that will not come up, or KB10089 - How to Troubleshoot a Dial-Up VPN that will not come active in JUNOS-ES, I need help analyzing the messages in the NetScreen-Remote Client Log Viewer.
Solution
To View the Log Viewer in the NetScreen Remote Client:
- Right-click the NetScreen Remote Client icon in the Windows System Tray.
- Left-click "Log Viewer...". This displays the Log Viewer window.
If there are no messages in the Log Viewer, see KB9452 - Dial-Up VPN Won't Come Up and there are No Messages in the Logs for NetScreen/SSG/ISG product running ScreenOS, or KB10102 - How to troubleshoot a Dial-Up VPN that won't come up and there are no messages in the Kmd log in JUNOS-ES for J-Series device running JUNOS Enhanced Services.
A successful negotiation would appear similar to the following:
```
Pre-share - Initiating IKE Phase 1 (IP ADDR= IPSec peer)
Pre-share - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID)
Pre-share - RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH)
Pre-share - SENDING>>>> ISAKMP OAK AG *(HASH)
Pre-share - Established IKE SA
MY COOKIE 73 9c 76 19 4f 5e 35 c8
HIS COOKIE e9 94 9c 82 64 b2 fa 44
Pre-share - Initiating IKE Phase 2 with Client IDs (message id: 99F08C75)
Initiator = IP ADDR= your_address, prot = 0 port = 0
Responder = IP ADDR= IPSec peer, prot = 0 port = 0
Pre-share - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
Pre-share - RECEIVED<<< ISAKMP OAK QM *(HASH, SA,
NOTIFY:STATUS_RESP_LIFETIME,
NON, ID, ID)
Pre-share - SENDING>>>> ISAKMP OAK QM *(HASH)
Pre-share - RECEIVED<<< ISAKMP OAK QM *(HASH,
NOTIFY:NOTIFY_CONNECTED)
Pre-share - Loading IPSec SA (Message ID = 99F08C75 OUTBOUND SPI =
189 INBOUND SPI = BA78A2CD)
```
If negotiations were not successful, review the following list of the more common error messages:
- "Phase 1 Negotiation message not received"
  or
  "Exceeded 3 IKE SA Negotiations"
  or
  "Phase 1: Discarded a second initial packet which arrived 5 seconds after the first"
  For assistance in resolving these messages, see KB6193 - Log Viewer Shows IKE Phase 1 Negotiation Message not Received.
- "Inbound packet failed authentication"
  For assistance in resolving this message, see KB5692 - What does the Log Viewer Message 'inbound packet failed authentication' Mean?
- "Hash payload incorrect"
  For assistance in resolving this message, see KB6258 - Hash Payload Incorrect on Log Viewer in NetScreen-Remote.
- "Cannot match Policy entry for received Phase 1 ID"
  For assistance in resolving this message, see KB5514 - Phase 1 Negotiations Fail - Cannot Match Policy Entry for Received Phase 1 ID.
- "Phase 1 VPN negotiation is terminated by err=RASSTATUS_GENERAL_FAILURE"
  For assistance in resolving this message, see KB7110 - RASSTATUS_GENERAL_FAILURE Error Occurs While Using Remote Dial-Up VPN with the NS-Remote.
For other errors not listed, see Troubleshooting NS-Remote from the Log Viewer (.pdf).
If the above information does not resolve the problem, return to Step 6 in KB9224 (ScreenOS) or KB10089 (JUNOS-ES).
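The comparison described above (how far the negotiation got, and which listed error applies) can be scripted once the log text is available as a string. The following Python is an added example, not part of the original article or any Juniper tool; the function name `triage`, the milestone labels, and the sample log (including the `Pre-share - ` prefix on the error lines) are assumptions constructed for illustration.

```python
import re

# Milestones of a successful negotiation, in order (text from the article's sample log).
MILESTONES = [
    ("phase1_started", "Initiating IKE Phase 1"),
    ("phase1_established", "Established IKE SA"),
    ("phase2_started", "Initiating IKE Phase 2"),
    ("ipsec_sa_loaded", "Loading IPSec SA"),
]

# Error messages listed in the article, mapped to the KB article each one points to.
ERROR_KB = [
    ("Phase 1 Negotiation message not received", "KB6193"),
    ("Exceeded 3 IKE SA Negotiations", "KB6193"),
    ("Discarded a second initial packet", "KB6193"),
    ("Inbound packet failed authentication", "KB5692"),
    ("Hash payload incorrect", "KB6258"),
    ("Cannot match Policy entry for received Phase 1 ID", "KB5514"),
    ("RASSTATUS_GENERAL_FAILURE", "KB7110"),
]

def triage(log_text):
    """Report how far the most recent negotiation got and which KBs apply."""
    # Long entries wrap across lines, so collapse whitespace before matching.
    flat = re.sub(r"\s+", " ", log_text)
    # Analyze only the latest attempt: everything from the last Phase 1 start.
    attempt = flat[max(flat.rfind(MILESTONES[0][1]), 0):]
    reached, pos = None, 0
    for name, marker in MILESTONES:
        idx = attempt.find(marker, pos)
        if idx < 0:
            break
        reached, pos = name, idx + len(marker)
    lowered = attempt.lower()
    kbs = []
    for text, kb in ERROR_KB:
        if text.lower() in lowered and kb not in kbs:
            kbs.append(kb)
    return {"reached": reached, "tunnel_up": reached == "ipsec_sa_loaded", "kbs": kbs}

# Constructed sample: one failed attempt, then a retry that stalls in Phase 1.
SAMPLE = """Pre-share - Initiating IKE Phase 1 (IP ADDR= IPSec peer)
Pre-share - Phase 1 Negotiation message not received
Pre-share - Initiating IKE Phase 1 (IP ADDR= IPSec peer)
Pre-share - RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH)
Pre-share - Hash payload
incorrect"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Errors from earlier attempts are deliberately ignored, so the result reflects the state of the most recent negotiation only.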

