[J/SRX] How to fix the Phase 2 error: Failed to match the peer proxy ids

Article ID: KB10124    Last Updated: 25 Aug 2014    Version: 9.0
Summary:

The Phase 2 error "Failed to match the peer proxy ids" is typically caused by a configuration mismatch between the two VPN devices. The steps below correct the issue on an SRX or J Series device.


Symptoms:

The VPN is not active, and the VPN status messages report that the VPN is failing in Phase 2 with the message "Failed to match the peer proxy ids":

Jul 10 16:14:30 210-2 kmd[52472]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.10.0/24), p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=10.10.10.0/24)] for local ip: 2.2.2.1, remote peer ip:2.2.2.2


Cause:

Proxy IDs are validated during VPN tunnel establishment (Phase 2). The proxy IDs configured on the two VPN peers must be an inverse match of each other: what one peer configures as its local ID, the other must configure as its remote ID, and vice versa.


Solution:

Step 1.  Locate the Proxy Identity sent by the peer in the 'Failed to match the peer proxy IDs' message in the VPN status messages.
         Consult: How to configure syslog to display VPN status messages

Jul 10 16:14:30 210-2 kmd[52472]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.10.0/24), p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=10.10.10.0/24)] for local ip: 2.2.2.1, remote peer ip: 2.2.2.2

The Proxy Identity comprises three components: Remote Proxy ID (IP/netmask), Local Proxy ID (IP/netmask) and Service. Based on the output above, the Proxy Identity received from the remote peer 2.2.2.2 is:

  • Remote Proxy ID: 192.168.10.0/24
  • Local Proxy ID: 10.10.10.0/24
  • Service: any:0

Step 2.  Is this a Route-based VPN or Policy-based VPN?  For further assistance, see KB10105 - Policy-Based VPN vs. Route-Based VPN. Which one do I have configured?
  • Route-based VPN - Continue with Step 3
  • Policy-based VPN - Jump to Step 4

Step 3.  [Route based VPN] Does the Proxy Identity received from the peer VPN device match what is configured on your SRX?

       Run the command:

show security ipsec vpn <vpn name> ike proxy-identity

root@siteA# show security ipsec vpn <vpn_name> ike proxy-identity
local 192.168.10.0/24;
remote 192.168.2.0/24;
service any;                                 

Note: If no proxy-identity has been configured, the system uses a default proxy-identity of 0.0.0.0 for both local and remote, with a service of 'any'.


  • No - Configure the correct local and remote IP addresses using the proxy-identity command:
    root# set security ipsec vpn <vpn name> ike proxy-identity local <local IP> remote <remote IP> service <service>

  • Yes – Jump to Step 5
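As an added example (not part of the original article), the following Python script carries out Step 1 and Step 3 on the article's own sample data: it extracts the proxy identity from the kmd message, parses the 'ike proxy-identity' output, falls back to the defaults named in the note above (0.0.0.0 with a /0 mask for local and remote, service 'any') when nothing is configured, compares the two field by field in the same local/remote terms the article uses, and prints the 'set' command from Step 3 filled in with the peer's values. The log line and configuration text are taken from the article; the function names and the placeholder VPN name 'vpn_name' are this example's own.

```python
import ipaddress
import re

# Constructed sample: the kmd message quoted in Step 1 of the article.
KMD_LOG = (
    "Jul 10 16:14:30 210-2 kmd[52472]: IKE Phase-2: Failed to match the peer proxy IDs "
    "[p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.10.0/24), "
    "p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=10.10.10.0/24)] "
    "for local ip: 2.2.2.1, remote peer ip:2.2.2.2"
)

# Constructed sample: the 'ike proxy-identity' output quoted in Step 3.
PROXY_ID_CONFIG = """\
local 192.168.10.0/24;
remote 192.168.2.0/24;
service any;
"""

# Default proxy identity when none is configured (note in Step 3): 0.0.0.0/0 and service any.
ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# One proxy ID as kmd prints it: p2_<side>_proxy_id=ipv4_subnet(<service>,[0..7]=<subnet>)
KMD_RE = re.compile(
    r"p2_(?P<side>remote|local)_proxy_id=ipv4_subnet\((?P<service>[^,]+),\[0\.\.7\]=(?P<subnet>[\d./]+)\)"
)


def normalize_service(service):
    """kmd prints the service as 'any:0' (name:port); the CLI shows only 'any'."""
    return service.split(":")[0].strip().lower()


def parse_kmd_proxy_ids(line):
    """Extract the proxy identity the peer proposed, keyed local / remote / service."""
    peer = {}
    for m in KMD_RE.finditer(line):
        peer[m.group("side")] = ipaddress.ip_network(m.group("subnet"), strict=False)
        peer["service"] = normalize_service(m.group("service"))
    if "local" not in peer or "remote" not in peer:
        raise ValueError("line does not carry both p2 proxy IDs")
    return peer


def parse_proxy_identity(text):
    """Parse 'show security ipsec vpn <name> ike proxy-identity' output.
    Any entry that is absent falls back to the default (0.0.0.0/0, service any)."""
    mine = {"local": ANY_NET, "remote": ANY_NET, "service": "any"}
    for m in re.finditer(r"^\s*(local|remote|service)\s+([^;]+);", text, re.M):
        key, value = m.group(1), m.group(2).strip()
        mine[key] = normalize_service(value) if key == "service" else ipaddress.ip_network(value, strict=False)
    return mine


def proxy_id_mismatches(peer, mine):
    """Compare field by field, as Step 3 asks; an empty list means the IDs match."""
    problems = []
    for field in ("local", "remote", "service"):
        if peer[field] != mine[field]:
            problems.append(f"{field}: configured {mine[field]}, peer proposed {peer[field]}")
    return problems


def proxy_identity_fix(vpn_name, peer):
    """The 'set' command from Step 3, filled in with the peer's proposal."""
    return (f"set security ipsec vpn {vpn_name} ike proxy-identity "
            f"local {peer['local']} remote {peer['remote']} service {peer['service']}")


if __name__ == "__main__":
    peer = parse_kmd_proxy_ids(KMD_LOG)
    mine = parse_proxy_identity(PROXY_ID_CONFIG)
    for problem in proxy_id_mismatches(peer, mine):
        print("mismatch ->", problem)
    print(proxy_identity_fix("vpn_name", peer))
```

Run against the article's sample data, both the local and the remote proxy ID of the Step 3 configuration differ from what the peer proposed, and the printed 'set' command is the correction the "No" branch of Step 3 calls for.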


Step 4.  [Policy-based VPN] Does the Proxy Identity received from the peer VPN device match what is configured in the outbound VPN security policy on your SRX?

       Run the following command, specifying the zones in the outbound direction:

show security policies from-zone <zone> to-zone <zone> policy-name <policy> detail

The detail parameter reports the address-book names and the corresponding IP address/subnet from the configuration.

root@SiteA> show security policies from-zone trust to-zone untrust policy-name internal-net detail
Policy: vpn-policy-siteB, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses:
local-net: 192.168.2.0/24       <-----  Local proxy identity
Destination addresses:
remote-net: 10.10.10.0/24       <-----  Remote proxy identity
Application: any                <-----  Service
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
Tunnel: ike-vpn-siteB, Type: IPSec, Index: 2

Your SRX VPN configuration should be a reverse of the peer's configuration.

a. Verify that the 'Source address', including subnet, matches the Local Proxy ID received from the peer device, identified in step 1.
b. Verify that the 'Destination address', including subnet, matches the Remote Proxy ID received from the peer device, identified in step 1.
c. Verify that the 'Application' matches the Service received from the peer device, identified in step 1.

Note: If multiple addresses are configured in the security policy, the proxy-identity is set to 0.0.0.0/0. If multiple applications are configured in the security policy, the service in the proxy identity is set to Any.
Note: For a policy-based VPN, the proxy-identity cannot be overwritten by manually entering a proxy-identity under the 'set security ipsec vpn <vpn> ike proxy-identity' stanza.

  • No   - Correct the security policy or the address book issue.
                     Consult: KB16553 - SRX Getting Started - Configure Security Policies, and KB16621 - SRX Getting Started - Configure Address Books and Applications (Services).
  • Yes - Continue to Step 5
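As an added example (not part of the original article), the following Python script does the Step 4 check on the policy output quoted above: it reads the source addresses, destination addresses and applications out of the 'detail' output, derives the proxy identity the SRX will use by applying the collapsing rule from the note (more than one address gives 0.0.0.0/0, more than one application gives a service of 'any'), and compares it with the proxy identity received from the peer (the values worked out in Step 1) as steps 4a to 4c describe. The first policy text is the article's own; the second policy with two destination entries and two applications is a constructed, hypothetical sample added to show the collapsing rule, and the function names are this example's own.

```python
import ipaddress
import re

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample: the policy detail output quoted in Step 4, without the annotation arrows.
POLICY_DETAIL = """\
Policy: vpn-policy-siteB, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses:
local-net: 192.168.2.0/24
Destination addresses:
remote-net: 10.10.10.0/24
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
Tunnel: ike-vpn-siteB, Type: IPSec, Index: 2
"""

# Constructed, hypothetical sample: the same policy with two destination address-book
# entries and two applications, to show the collapsing rule from the Step 4 note.
POLICY_DETAIL_MULTI = """\
Policy: vpn-policy-siteB-multi, action-type: permit, State: enabled, Index: 5, Scope Policy: 0
From zone: trust, To zone: untrust
Source addresses:
local-net: 192.168.2.0/24
Destination addresses:
remote-net: 10.10.10.0/24
remote-net2: 10.10.20.0/24
Application: junos-http
Application: junos-https
Tunnel: ike-vpn-siteB, Type: IPSec, Index: 3
"""

# Constructed: the proxy identity received from the peer, as worked out in Step 1.
PEER_PROXY_ID = {
    "local": ipaddress.ip_network("10.10.10.0/24"),
    "remote": ipaddress.ip_network("192.168.10.0/24"),
    "service": "any",
}

# An address-book line inside an address list: "<name>: <prefix>/<len>"
ADDR_RE = re.compile(r"^([\w.-]+):\s+(\d+\.\d+\.\d+\.\d+/\d+)$")


def parse_policy_detail(text):
    """Collect source addresses, destination addresses and applications from the detail output."""
    policy = {"source": [], "destination": [], "applications": []}
    current = None  # the address list we are currently inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Source addresses:":
            current = policy["source"]
        elif line == "Destination addresses:":
            current = policy["destination"]
        elif line.startswith("Application:"):
            current = None
            policy["applications"].append(line.split(":", 1)[1].strip())
        elif current is not None and ADDR_RE.match(line):
            current.append(ipaddress.ip_network(ADDR_RE.match(line).group(2), strict=False))
        else:
            current = None  # any other line ends an address list
    return policy


def proxy_identity_from_policy(policy):
    """Rule from the Step 4 note: more than one address on a side gives 0.0.0.0/0 for that
    proxy ID; more than one application gives a service of any."""
    def collapse(nets):
        return nets[0] if len(nets) == 1 else ANY_NET
    apps = policy["applications"]
    return {
        "local": collapse(policy["source"]),
        "remote": collapse(policy["destination"]),
        "service": apps[0] if len(apps) == 1 else "any",
    }


def policy_mismatches(policy_text, peer):
    """Steps 4a-4c: source vs peer local ID, destination vs peer remote ID, application vs service."""
    mine = proxy_identity_from_policy(parse_policy_detail(policy_text))
    labels = {"local": "source address", "remote": "destination address", "service": "application"}
    return [f"{labels[f]} {mine[f]} does not match peer {f} proxy ID {peer[f]}"
            for f in ("local", "remote", "service") if mine[f] != peer[f]]


if __name__ == "__main__":
    for name, text in (("article policy", POLICY_DETAIL), ("multi-entry policy", POLICY_DETAIL_MULTI)):
        print(name, "->", proxy_identity_from_policy(parse_policy_detail(text)))
        for problem in policy_mismatches(text, PEER_PROXY_ID):
            print("   mismatch:", problem)
```

For the article's policy the derived proxy identity is 192.168.2.0/24 / 10.10.10.0/24 / any, which differs from the peer's values on both addresses; for the multi-entry policy the destination collapses to 0.0.0.0/0 and the service to 'any', which is why a policy with several address-book entries often negotiates against a peer that expects a single subnet.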

Step 5.  If still not resolved, collect logs and IKE traceoptions, and open a case with your technical support representative.

Consult:
     Logs: KB21781 - [SRX] Data Collection Checklist. See the IPsec VPN Policy-based or Route-based sections.
     IKE traceoptions: KB19943 - [J/SRX] How to enable IKE traceoptions for only specific security associations

