[J/SRX] How to analyze IKE Phase 2 VPN status messages

  [KB10099]


Summary:

This article shows you how to review VPN status messages related to IKE Phase 2 not establishing.

Solution:

Troubleshooting IKE Phase 2 problems is best handled by reviewing VPN status messages on the responder firewall. The responder is the "receiver" side of the VPN that is receiving the tunnel setup requests. The initiator is the side of the VPN that sends the initial tunnel setup requests.


Step 1.  Configure a new syslog file, kmd-logs, to capture relevant VPN status logs on the responder firewall.

See: KB10097 - How to configure syslog to display VPN status messages

Don't forget to attempt to bring the VPN tunnel up again, so that the messages are captured in kmd-logs.

Step 2.  Run the command show log kmd-logs, and look for Phase 2 errors, such as these:

Note: The messages below are for Junos OS prior to Release 12.1X44. For Junos OS Release 12.1X44 and later, see KB30547 - IKE Phase 2 VPN status messages in 12.1X44 and later releases.

  • Message:
    Jul 10 16:14:30 210-2 kmd[52472]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.10.0/24), p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=10.10.10.0/24)] for local ip: 2.2.2.1, remote peer ip:2.2.2.2
    Meaning:
    The proxy identity of the peer does not match the local proxy identity.

    Action:
    The proxy-id must be an exact "reverse" match of the peer's configured proxy-id. See: KB10124 - How to fix the Phase 2 error: Failed to match the peer proxy IDs

  • Message:  
    Jul 16 21:14:20 kmd[1456]: IKE Phase-2 Failure: Quick mode - no proposal chosen [spi=cf0f6152, src_ip=4.4.4.4, dst_ip=3.3.3.2]
    Jul 16 21:14:20 kmd[1456]: KMD_VPN_PV_PHASE2: IKE Phase-2 Failure: Quick mode - no proposal chosen [spi=cf0f6152, src_ip=4.4.4.4, dst_ip=3.3.3.2]
    Jul 16 21:14:20 kmd[1456]: IKE Phase-2: Negotiations failed. Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2

    Meaning:
    The Junos device did not accept any of the IKE Phase 2 proposals that the specified IKE peer sent.

    Action:
    Verify the local Phase 2 VPN configuration elements. The Phase 2 proposal elements include the following:
      • Authentication algorithm
      • Encryption algorithm
      • Lifetime kilobytes
      • Lifetime seconds
      • Protocol
      • Perfect Forward Secrecy
    Either change the local configuration to accept at least one of the remote peer's Phase 2 proposals, or contact the remote peer's admin and arrange for the IKE configurations at both ends of the tunnel to use at least one mutually acceptable Phase 2 proposal.

  • If you are unable to locate any Phase 2 messages, continue to Step 3.
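As an added example (not part of the original KB article), the following Python script walks kmd-logs text and classifies the Phase 2 messages described above, pulling out the proxy IDs, SPI and gateway addresses that have to be compared with the peer's configuration. The sample input is the article's own log lines plus one constructed Phase-1 line; the pattern names and action strings are this example's, not Junos identifiers.

```python
import re

# Constructed sample input: the kmd-logs lines quoted in this article plus one unrelated Phase-1 line.
SAMPLE_KMD_LOGS = """\
Jul 10 16:14:30 210-2 kmd[52472]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.10.0/24), p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=10.10.10.0/24)] for local ip: 2.2.2.1, remote peer ip:2.2.2.2
Jul 16 21:14:20 kmd[1456]: IKE Phase-2 Failure: Quick mode - no proposal chosen [spi=cf0f6152, src_ip=4.4.4.4, dst_ip=3.3.3.2]
Jul 16 21:14:20 kmd[1456]: KMD_VPN_PV_PHASE2: IKE Phase-2 Failure: Quick mode - no proposal chosen [spi=cf0f6152, src_ip=4.4.4.4, dst_ip=3.3.3.2]
Jul 16 21:14:20 kmd[1456]: IKE Phase-2: Negotiations failed. Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2
Jul 16 21:14:25 kmd[1456]: IKE Phase-1: Initiator sends main mode message (constructed line)
"""

# One pattern per Phase 2 message in the article; named groups capture the values to compare with the peer.
PATTERNS = {
    "proxy_id_mismatch": re.compile(
        r"Failed to match the peer proxy IDs \["
        r"p2_remote_proxy_id=ipv4_subnet\(any:0,\[0\.\.7\]=(?P<remote_proxy_id>[\d./]+)\), "
        r"p2_local_proxy_id=ipv4_subnet\(any:0,\[0\.\.7\]=(?P<local_proxy_id>[\d./]+)\)\] "
        r"for local ip: (?P<local_ip>[\d.]+), remote peer ip:(?P<peer_ip>[\d.]+)"),
    "no_proposal_chosen": re.compile(
        r"Quick mode - no proposal chosen \[spi=(?P<spi>[0-9a-f]+), "
        r"src_ip=(?P<src_ip>[\d.]+), dst_ip=(?P<dst_ip>[\d.]+)\]"),
    "negotiations_failed": re.compile(
        r"Negotiations failed\. Local gateway: (?P<local_ip>[\d.]+), "
        r"Remote gateway: (?P<peer_ip>[\d.]+)"),
}

# The next check for each message, taken from the article's "Action" text.
ACTIONS = {
    "proxy_id_mismatch": "local proxy-id must be the exact reverse of the peer's proxy-id (KB10124)",
    "no_proposal_chosen": "compare 'show security ipsec' proposal/policy against the peer's Phase 2 proposals",
    "negotiations_failed": "see the preceding Phase-2 failure line for the cause",
}


def analyze_kmd_logs(text):
    """Return de-duplicated Phase 2 findings; an empty list means no Phase 2
    messages were logged, so continue with Step 3 (review show security ipsec)."""
    findings, seen = [], set()
    for line in text.splitlines():
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            # The same event is logged twice (plain and KMD_VPN_PV_PHASE2 tagged); report it once.
            key = (kind, tuple(sorted(m.groupdict().items())))
            if key not in seen:
                seen.add(key)
                findings.append({"type": kind, **m.groupdict(), "action": ACTIONS[kind]})
            break
    return findings
```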


Step 3.  Review the Phase 2 proposals using show security ipsec, and confirm that the local configuration matches the Phase 2 proposals configured by the peer.

root@srx210# show security ipsec
proposal ipsec-phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
}
policy ipsec-phase2-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ipsec-phase2-proposal;
}
vpn ike-vpn-srx1 {
    vpn-monitor;
    ike {
        gateway gw-srx1;
        ipsec-policy ipsec-phase2-policy;
    }
}


Step 4.  Enable 'per tunnel debug' detailed logging (traceoptions), and analyze the output.

See: KB19943 - How to enable VPN (IKE/IPsec) traceoptions for only specific SAs (Security Associations)



Step 5.  If still not resolved, collect logs and open a case with your technical support representative. 

See:
Logs: KB21781 - [SRX] Data Collection Checklist - Logs/data to collect for troubleshooting
