Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Received a notification message for 'DOI 0 8 INVALID-FLAGS' in the VPN negotiation

0

0

Article ID: KB24195 KB Last Updated: 21 Jun 2012Version: 1.0
Summary:
This article describes the issue of VPN negotiation failure with the invalid flags notification.
Symptoms:
  • Typically, this error occurs when the remote end is a watch guard device or a device, which does not support ISAKMP header Flags.

  • When the remote end (watch guard) is initiating the negotiation, the VPN comes up, as the remote end sends the ISAKMP header without flags; so the firewall, as a receiver, will accept the proposal without flags.

  • But when Juniper is initiating, it sets the flag in the header and the remote end ( watch guard) will show it as a unknown packet; as per the following logs:
    HASH Payload
    0: 0b Next Payload - ISA_NOTIFY
    1: 00 Reserved
    2: 00 14 Payload Length is 20
    4: 16 58 c4 b9 d5 45 f6 ec b1 7c b4 6c a9 35 1c 8e .X...E...|.l.5..
    NOTIFY Payload
    20: 00 Next Payload - NONE
    21: 00 Reserved
    22: 00 1c Payload Length is 28
    24: 00 00 00 00 DOI - unknown
    28: 01 Protocol ID
    29: 10 SPI Size = 16
    30: 00 08 Notify Message - INVALID-FLAGS
    32: 0a 8d 95 3d 60 e6 1d fe 3f 77 bf fc 84 1c b1 75 SPIs
Cause:
By default, as per RFC, the following flags are part of the ISAKMP header:

  • no encryption

  • no commit

  • no authentication

When any of the above flags is set by the Juniper device and the remote end does not support it, the error message is generated.
Solution:
The configuration on the Juniper firewall:
set ike initiator-set-commit
set ike responder-set-commit
When the above configuration is set on the Juniper firewall, it initiates the traffic and the commit bit will be set in the ISAKMP header, when sending the first message in quick mode.  If the other end is a non Juniper device, which does not support flags, then it will reject the message with the Invalid Flags message.

So, if the remote peer does not support it, then it is recommended to unset the commands; so that the Juniper firewall does not set the commit bit and the remote end will accept the messages.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search