
[J/SRX] How to analyze IKE Phase 2 VPN status messages


Article ID: KB10099 KB Last Updated: 21 Sep 2015Version: 10.0
Summary:

This article shows you how to review VPN status messages related to IKE Phase 2 not establishing.

Solution:

Troubleshooting IKE Phase 2 problems is best handled by reviewing VPN status messages on the responder firewall. The responder is the "receiver" side of the VPN that is receiving the tunnel setup requests. The initiator is the side of the VPN that sends the initial tunnel setup requests.


Step 1.  Configure a new syslog file, kmd-logs, to capture relevant VPN status logs on the responder firewall.

See: KB10097 - How to configure syslog to display VPN status messages

Don't forget to attempt to bring the VPN tunnel up again, so that the messages are captured in kmd-logs.

Step 2.  Run the command show log kmd-logs, and look for Phase 2 errors, such as these:

Note: The messages below are for Junos OS prior to Release 12.1X44. For Junos OS Release 12.1X44 and later, see KB30547: IKE Phase 2 VPN status messages in 12.1X44 and later releases.

  • Message:
    Jul 10 16:14:30 210-2 kmd[52472]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.10.0/24), p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=10.10.10.0/24)] for local ip: 2.2.2.1, remote peer ip:2.2.2.2
    Meaning: 
    Proxy identity of peer does not match local proxy identity. 

    Action: 
    The proxy-id must be an exact "reverse" match of the peer's configured proxy-id (your local proxy-id is the peer's remote proxy-id, and vice versa). See: KB10124 - How to fix the Phase 2 error: Failed to match the peer proxy IDs

  • Message:  
    Jul 16 21:14:20 kmd[1456]: IKE Phase-2 Failure: Quick mode - no proposal chosen [spi=cf0f6152, src_ip=4.4.4.4, dst_ip=3.3.3.2]
    Jul 16 21:14:20 kmd[1456]: KMD_VPN_PV_PHASE2: IKE Phase-2 Failure: Quick mode - no proposal chosen [spi=cf0f6152, src_ip=4.4.4.4, dst_ip=3.3.3.2]
    Jul 16 21:14:20 kmd[1456]: IKE Phase-2: Negotiations failed. Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2

    Meaning:
    The Junos device did not accept any of the IKE Phase 2 proposals that the specified IKE peer sent.

    Action:
    Verify the local Phase 2 VPN configuration elements. The Phase 2 proposal elements include the following:
      • Authentication algorithm
      • Encryption algorithm
      • Lifetime kilobytes
      • Lifetime seconds
      • Protocol
      • Perfect Forward Secrecy
    Either change the local configuration to accept at least one of the remote peer’s Phase 2 proposals, or contact the remote peer’s admin and arrange for the IKE configurations at both ends of the tunnel to use at least one mutually acceptable Phase 2 proposal.

  • If you are unable to locate any Phase 2 messages, continue to Step 3.
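As an added illustration (not part of the original article), the following Python script scans kmd-log text for the two Phase 2 failure messages shown above, pulls out the proxy IDs, SPI and gateway addresses, and checks whether two configured proxy-id pairs are the exact "reverse" match that Phase 2 requires. The log lines embedded in it are constructed samples modelled on the messages quoted in this article.

```python
import ipaddress
import re

# Constructed sample kmd-log lines, modelled on the messages quoted in this article.
KMD_LOG = """\
Jul 10 16:14:30 210-2 kmd[52472]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.10.0/24), p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=10.10.10.0/24)] for local ip: 2.2.2.1, remote peer ip:2.2.2.2
Jul 16 21:14:20 kmd[1456]: IKE Phase-2 Failure: Quick mode - no proposal chosen [spi=cf0f6152, src_ip=4.4.4.4, dst_ip=3.3.3.2]
Jul 16 21:14:20 kmd[1456]: IKE Phase-2: Negotiations failed. Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2
"""

# Field names (remote, local, local_ip, peer_ip) follow the log's own labels.
PROXY_RE = re.compile(
    r"Failed to match the peer proxy IDs \[p2_remote_proxy_id=ipv4_subnet\([^=]*=(?P<remote>[\d./]+)\), "
    r"p2_local_proxy_id=ipv4_subnet\([^=]*=(?P<local>[\d./]+)\)\] for local ip: (?P<local_ip>[\d.]+), "
    r"remote peer ip:(?P<peer_ip>[\d.]+)")
PROPOSAL_RE = re.compile(
    r"no proposal chosen \[spi=(?P<spi>[0-9a-f]+), src_ip=(?P<src>[\d.]+), dst_ip=(?P<dst>[\d.]+)\]")


def parse_phase2_failures(log_text):
    """Return one record per Phase 2 failure line found in kmd-log text."""
    findings = []
    for line in log_text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            findings.append({"kind": "proxy-id-mismatch", **m.groupdict()})
            continue
        m = PROPOSAL_RE.search(line)
        if m:
            findings.append({"kind": "no-proposal-chosen", **m.groupdict()})
    return findings


def proxy_ids_reverse_match(our_ids, peer_ids):
    """our_ids and peer_ids are (local, remote) proxy-id pairs as configured on each end.
    They match only when each side's local subnet is exactly the other side's remote subnet."""
    our_local, our_remote = (ipaddress.ip_network(n) for n in our_ids)
    peer_local, peer_remote = (ipaddress.ip_network(n) for n in peer_ids)
    return our_local == peer_remote and our_remote == peer_local


if __name__ == "__main__":
    for finding in parse_phase2_failures(KMD_LOG):
        print(finding)
    # Our local 10.10.10.0/24 is the peer's remote, and our remote is the peer's local.
    print(proxy_ids_reverse_match(("10.10.10.0/24", "192.168.10.0/24"),
                                  ("192.168.10.0/24", "10.10.10.0/24")))
```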


Step 3.  Review the Phase 2 proposals using show security ipsec, and confirm that the configuration matches the Phase 2 proposals configured by the peer.

root@srx210# show security ipsec
proposal ipsec-phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
}
policy ipsec-phase2-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ipsec-phase2-proposal;
}
vpn ike-vpn-srx1 {
    vpn-monitor;
    ike {
        gateway gw-srx1;
        ipsec-policy ipsec-phase2-policy;
    }
}


Step 4.  Enable 'per tunnel debug' detailed logging (traceoptions), and analyze the output.

See: KB19943 - How to enable VPN (IKE/IPsec) traceoptions for only specific SAs (Security Associations)



Step 5.  If still not resolved, collect logs and open a case with your technical support representative. 

See:
Logs: KB21781 - [SRX] Data Collection Checklist - Logs/data to collect for troubleshooting
