Knowledge Search


×
 

IKE Phase 1 successful, Phase 2 fails due to proxy-id mismatch

  [KB5049] Show Article Properties


Summary:
The Proxy ID on the local and remote VPN device must match for phase 2 to complete the VPN negotiations.  The information below explains the log error  "No policy exist for the Proxy ID" in greater detail.
Symptoms:

Environment:

  • IPsec
  • proxy id
  • Route-based VPN
  • Proxy-ID configured manually
  • Address book entries configured
  • Phase 1 successful

Symptoms & Errors:

  • Phase 2 failing with a Proxy ID mismatch
  • No policy exist for the Proxy ID
  • Get address shows

192.168.168.0/24  192.168.168.0          255.255.255.0     00 
Any               0.0.0.0                0.0.0.0           02  All Addr
Dial-Up VPN       255.255.255.255        255.255.255.255   02  Dial-Up VPN Addr
Homenet           192.168.0.0            255.255.255.0     00 
SBC Net           64.161.25.0            255.255.255.0     00

Solution:
The Firewall Event Log Message will list the Local ID, Remote ID, Protocol Number, and Port Number.  These are the definitions of those fields:
The Local ID is the encryption domain the remote client is trying to connect to.
The Remote ID is the internal address of the remote client that is trying to connect.
<0>,<0> = Indicates the Protocol and Port Number .

Verify that the address book entry is correct and make sure the Proxy ID's match from one gateway to the other (i.e. local proxy id matches with peer's remote proxy id, and vice versa).  See the image.

proxy id

To check the Proxy ID of each policy-based vpn using the CLI, type the following command:

get policy id <number>

Example:

spingineer-> get policy id 3
name:"none" (id 12), zone Untrust -> Trust,action Tunnel, status "enabled"
src "Dial-Up VPN", dst "10.2.2.0/24", serv "ANY"
Policies on this vpn tunnel: 1
  [255.255.255.255/32, 10.2.2.0/24, 0-65535, 0-65535, 0]
nat off, url filtering : disabled
vpn remote-vpn, nsp tunnel 40000012, sa index 2, sa tunnel id 12
policy flag 00010000, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log close, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/0 policing (no)
proxy id:
  local 10.2.2.0/255.255.255.0, remote 255.255.255.255/255.255.255.255, proto 0, port 0
No Authentication
No User, User Group or Group expression set
spingineer->

Related Links: