
[SRX] IPSec VPN fails with the 'No proposal chosen (14)' error message

Article ID: KB24642    Last Updated: 27 Sep 2019    Version: 4.0
Summary:

This article describes IPSec VPN Phase 1 failing with the 'No proposal chosen (14)' error message even when the IKE proposals are identical on both sides of the tunnel.

Symptoms:

IPSec VPN Phase 1 sometimes fails to come up even when all proposals match on both sides of the tunnel and the tunnel gateways can reach each other.

After enabling IKE traceoptions with the following commands:

user# set security ike traceoptions flag all
user# set security ike traceoptions file ike-trace

the trace log shows the following (output truncated):

user> show log ike-trace

Jun 5 18:40:53 ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..16] = 47562836 c90af3dd ..., data[0..46] = 800c0001 00060022 ...
Jun 5 18:40:53 <none>:500 (Responder) <-> 1.1.1.1:500 { 47562836 c90af3dd - b7933542 1a264777 [0] / 0x3c559d6a } Info; Notification data has attribute list
Jun 5 18:40:53 <none>:500 (Responder) <-> 1.1.1.1:500 { 47562836 c90af3dd - b7933542 1a264777 [0] / 0x3c559d6a } Info; Notify message version = 1
Jun 5 18:40:53 <none>:500 (Responder) <-> 1.1.1.1:500 { 47562836 c90af3dd - b7933542 1a264777 [0] / 0x3c559d6a } Info; Error text = Could not find acceptable proposal
Jun 5 18:40:53 <none>:500 (Responder) <-> 1.1.1.1:500 { 47562836 c90af3dd - b7933542 1a264777 [0] / 0x3c559d6a } Info; Offending message id = 0x00000000
Jun 5 18:40:53 <none>:500 (Responder) <-> 1.1.1.1:500 { 47562836 c90af3dd - b7933542 1a264777 [0] / 0x3c559d6a } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it

The above output records a received Notify message carrying the error 'No proposal chosen (14)', after which the ISAKMP SA is deleted.

Solution:

This can be caused by any of the following st0 interface configuration problems:

  • The st0 interface must be placed in a security zone.

  • Even if the st0 interface is unnumbered, it must have family inet configured:
    # set interfaces st0.0 family inet

  • Make sure st0.x unit numbers are used. If you configure st1.0 (instead of st0.1, st0.2 and so on), you will get the "No proposal chosen (14)" error and the tunnel will not come up.
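The three checks above can be run against an exported set-format configuration before opening a trace. The following Python script is an added example written for this article; it is not Juniper code and does not use any Junos API. It assumes the configuration is available as text in "set ..." form (as produced by "show configuration | display set"), recognises both the "set interfaces st0.0 family inet" shorthand used above and the expanded "set interfaces st0 unit 0 family inet" form, and reports, for every VPN bound to a tunnel interface, whether that interface is an st0.x unit, has family inet, and belongs to a security zone. The function names and the sample configuration are constructed for illustration.

```python
"""Validate st0 tunnel-interface configuration for 'No proposal chosen (14)' causes.

Added example (not Juniper's code). Input is a Junos set-format configuration
as plain text; the SAMPLE_CONFIG below is constructed, not from a real device.
"""
import re

# Constructed sample: vpn-hq is correct, vpn-branch uses st1.0, vpn-dc lacks family inet.
SAMPLE_CONFIG = """
set security ike gateway gw-hq ike-policy ike-pol
set security ike gateway gw-hq address 1.1.1.1
set security ike gateway gw-hq external-interface ge-0/0/0.0
set security ipsec vpn vpn-hq bind-interface st0.0
set security ipsec vpn vpn-hq ike gateway gw-hq
set security ipsec vpn vpn-branch bind-interface st1.0
set security ipsec vpn vpn-dc bind-interface st0.1
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1
"""

BIND_RE = re.compile(r"^set security ipsec vpn (\S+) bind-interface (\S+)$")
FAMILY_UNIT_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet\b")
FAMILY_DOT_RE = re.compile(r"^set interfaces (\S+\.\d+) family inet\b")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
ST0_UNIT_RE = re.compile(r"st0\.\d+")


def parse_config(text):
    """Extract VPN bindings, units with family inet, and zone membership."""
    bindings, inet_units, zone_of = {}, set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := BIND_RE.match(line)):
            bindings[m.group(1)] = m.group(2)
        elif (m := FAMILY_UNIT_RE.match(line)):
            inet_units.add(f"{m.group(1)}.{m.group(2)}")   # st0 unit 0 -> st0.0
        elif (m := FAMILY_DOT_RE.match(line)):
            inet_units.add(m.group(1))                      # st0.0 shorthand
        elif (m := ZONE_RE.match(line)):
            zone_of[m.group(2)] = m.group(1)
    return bindings, inet_units, zone_of


def check_vpn_bindings(text):
    """Return {vpn_name: [finding, ...]}; an empty list means the binding passes."""
    bindings, inet_units, zone_of = parse_config(text)
    report = {}
    for vpn, iface in bindings.items():
        findings = []
        if not ST0_UNIT_RE.fullmatch(iface):
            # Wrong interface name: only st0.x units are valid for route-based VPNs.
            findings.append(f"{vpn}: bound to {iface}; use an st0.x unit instead")
        else:
            if iface not in inet_units:
                findings.append(f"{vpn}: {iface} has no 'family inet' configured")
            if iface not in zone_of:
                findings.append(f"{vpn}: {iface} is not assigned to a security zone")
        report[vpn] = findings
    return report


def tunnel_config_ok(text):
    """True when every VPN binding passes all three checks."""
    return all(not f for f in check_vpn_bindings(text).values())


if __name__ == "__main__":
    for vpn, findings in check_vpn_bindings(SAMPLE_CONFIG).items():
        print(vpn, "OK" if not findings else "; ".join(findings))
```

Run the script against the output of "show configuration | display set" saved to a file to get one line per VPN; a binding reported OK still requires matching IKE and IPsec proposals, which this script does not check.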
     
Modification History:

2019-09-27: Minor, non-technical update.
