
[J/SRX] Possible solutions for Phase 1: Retry limit reached in JUNOS-ES.


Article ID: KB10127   Last Updated: 05 Mar 2017   Version: 8.0
Summary:
The VPN will not come up: it fails in Phase 1, and the Kmd log on the JUNOS Enhanced Services (JUNOS-ES) device shows 'Phase 1: Retry limit reached'.
Symptoms:
Assumptions
  • You are on the responder firewall, and there are no Phase 2 messages in the Kmd log.
  • You are on the responder firewall, and the only Phase 1 message in the Kmd log is 'Phase 1: Retry limit reached'. If you see other Phase 1 errors, refer to KB10101 - How to Analyze IKE Phase 1 Messages in the Event Logs.
  • You are on the initiator firewall, and the event log contains no messages from the responder peer.
    Note: Always start troubleshooting a VPN connection problem on the responder side. The initiator usually only sees that its messages went unanswered (the retry limit), while the responder logs the reason it did not reply.

Terminology:

  • The responder is the 'receiver' side of the VPN: the device that receives the tunnel setup requests.
  • The initiator is the side of the VPN that sends the first message of the tunnel setup.
Cause:

Solution:
Use the following steps to determine what to do when you receive 'Phase 1: Retry limit reached' messages in the Kmd log.

Step 1  From the Juniper VPN device, can you ping the IP address of the remote VPN gateway OR any host on the Internet? (Ping an Internet host as well, because many gateways drop ICMP.)

  • Yes - Continue with Step 2
  • No  - There is no basic IP connectivity from the device; fix the default route, the external interface and ISP reachability before looking at IKE. Phase 1 cannot complete until the peers can exchange IP packets.

Step 2  Is the Preshared Key specified in the IKE policy configuration the same on both the initiator and the responder? Junos displays the key in obfuscated ($9$...) form, so it cannot be compared by reading the configuration.

  • Yes - Continue with Step 3
  • No  - In the IKE policy configuration, re-enter the Preshared Key on both the initiator and the responder, commit, and then attempt to bring up the VPN again.

Step 3  Does the IP address specified in the IKE gateway configuration match the public IP address of the Remote Gateway?

  • Yes - Continue with Step 4
  • No  - In the IKE gateway configuration, specify the correct IP address for the Remote Gateway, and then attempt to bring up the VPN again.

Step 4  Does the IKE gateway's outgoing interface (external-interface) match the interface used by the route to the Remote Gateway?

  • Yes - Continue with Step 5
  • No  - Set the IKE gateway's external-interface to the interface the route actually uses. If the two differ, IKE packets are sourced from the wrong address and the peer's replies never match the gateway, which ends in the retry limit.

Step 5  Are there any routers or firewalls in the path that are blocking IPsec traffic? IPsec needs ESP (IP protocol 50) for the encrypted data, UDP port 500 for IKE, and UDP port 4500 when NAT-Traversal is in use (IKE and ESP are then both carried inside UDP 4500). See KB17953 - NAT Traversal (NAT-T) supported scenarios.

  • Yes - Work with the admin of that firewall or router to allow IPsec through between the IP address of your firewall and the Remote Gateway.
  • No  - Continue with Step 6

Step 6  If the above steps do not resolve the 'Phase 1: Retry limit reached' messages, collect the Site-to-Site logs for both sides of the tunnel and open a case with JTAC - Juniper Technical Assistance Center. See KB21781 - [SRX] Data Collection Reference Checklist - Logs/data to collect for troubleshooting.
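The six steps above as a worked triage script. This is an example added to this article; it is not Juniper code and not part of any JTAC tool. The kmd log lines, the set-format IKE gateway stanza, the 'show route' excerpt and the transit-firewall allow-list are constructed, and the function names are this example's own. On a real SRX the equivalent inputs come from 'show log kmd', 'show configuration security ike | display set' and 'show route <peer-address>'. Steps 1 and 2 (the ping result and whether the PSK was re-entered) cannot be read from text, so they are passed in as booleans.

```python
"""Walk the six checks from this article against captured device output.

Example code added to this article, not Juniper's.  Every input below is
constructed, and the function names are this example's own assumptions.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed kmd log, modelled on the Junos 'IKE negotiation failed' message.
KMD_LOG = """\
Mar  5 10:01:12 kmd[1423]: IKE negotiation failed with error: Retry limit reached. IKE Version: 1, VPN: vpn-branch Gateway: gw-branch, Local: 192.0.2.1/500, Remote: 198.51.100.7/500
Mar  5 10:02:12 kmd[1423]: IKE negotiation failed with error: Retry limit reached. IKE Version: 1, VPN: vpn-branch Gateway: gw-branch, Local: 192.0.2.1/500, Remote: 198.51.100.7/500
"""

# Constructed 'show configuration security ike | display set' excerpt.
IKE_CONFIG = """\
set security ike gateway gw-branch ike-policy pol-branch
set security ike gateway gw-branch address 198.51.100.7
set security ike gateway gw-branch external-interface ge-0/0/1.0
"""

# Constructed 'show route 198.51.100.7' excerpt: the peer is reached via ge-0/0/0.0.
ROUTE_OUTPUT = """\
0.0.0.0/0          *[Static/5] 3d 02:11:43
                    > to 192.0.2.254 via ge-0/0/0.0
"""

# Constructed allow-list of a firewall in the path: (protocol, port) pairs.
TRANSIT_FW_ALLOWED: Set[Tuple[str, Optional[int]]] = {("esp", None), ("udp", 500)}


def phase1_retry_limit_only(kmd_log: str) -> bool:
    """The article's assumptions: 'Retry limit reached' present, no Phase 2 messages."""
    lines = [l for l in kmd_log.splitlines() if l.strip()]
    retry = any("Retry limit reached" in l for l in lines)
    phase2 = any(re.search(r"phase[- ]?2", l, re.I) for l in lines)
    return retry and not phase2


def ike_gateway(config: str, name: str) -> Dict[str, str]:
    """Collect the leaf statements of one 'security ike gateway' from set-format config."""
    pat = re.compile(rf"^set security ike gateway {re.escape(name)} (\S+) (.+)$", re.M)
    return {m.group(1): m.group(2).strip() for m in pat.finditer(config)}


def route_interface(route_output: str) -> Optional[str]:
    """Outgoing interface of the selected next hop ('> to ... via <ifl>')."""
    m = re.search(r">\s*to\s+\S+\s+via\s+(\S+)", route_output)
    return m.group(1) if m else None


def triage(kmd_log: str, config: str, gateway_name: str, expected_peer: str,
           route_output: str, allowed: Set[Tuple[str, Optional[int]]],
           peer_behind_nat: bool, ping_ok: bool, psk_matches: bool) -> List[str]:
    """Return the article's steps that still need action, in order."""
    if not phase1_retry_limit_only(kmd_log):
        return ["Log does not match the article's assumptions; see KB10101 for other Phase 1 errors"]
    findings: List[str] = []
    if not ping_ok:  # Step 1
        findings.append("Step 1: no IP reachability to the remote gateway or the Internet; fix routing/ISP first")
    if not psk_matches:  # Step 2
        findings.append("Step 2: re-enter the pre-shared key in the IKE policy on both peers")
    gw = ike_gateway(config, gateway_name)
    if gw.get("address") != expected_peer:  # Step 3
        findings.append(f"Step 3: gateway address {gw.get('address')} != remote public IP {expected_peer}")
    via = route_interface(route_output)
    if via and gw.get("external-interface") != via:  # Step 4
        findings.append(f"Step 4: external-interface {gw.get('external-interface')} but the route exits via {via}")
    required: Set[Tuple[str, Optional[int]]] = {("esp", None), ("udp", 500)}
    if peer_behind_nat:  # NAT-T moves IKE and ESP into UDP 4500
        required.add(("udp", 4500))
    missing = required - allowed
    if missing:  # Step 5
        names = ", ".join(p if port is None else f"{p}/{port}" for p, port in sorted(missing))
        findings.append(f"Step 5: a device in the path blocks {names}")
    if not findings:  # Step 6
        findings.append("Step 6: collect logs from both sides (KB21781) and open a JTAC case")
    return findings


if __name__ == "__main__":
    for line in triage(KMD_LOG, IKE_CONFIG, "gw-branch", "198.51.100.7",
                       ROUTE_OUTPUT, TRANSIT_FW_ALLOWED, True, True, True):
        print(line)
```

With the constructed inputs the script reports Step 4 (the gateway's external-interface ge-0/0/1.0 does not match the route via ge-0/0/0.0) and Step 5 (the transit firewall allows ESP and UDP 500 but not UDP 4500, which a peer behind NAT needs); once both are corrected it falls through to Step 6.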
