
[ScreenOS] IKE Phase 1 successful, Phase 2 fails due to proxy-id mismatch


Article ID: KB5049
Last Updated: 27 Dec 2017
Version: 7.0
Summary:
The Proxy IDs on the local and remote VPN devices must match for Phase 2 to complete the VPN negotiation. The information below explains the log error "No policy exist for the Proxy ID" in greater detail.
Symptoms:

Environment:

  • IPsec
  • proxy id
  • Route-based VPN
  • Proxy-ID configured manually
  • Address book entries configured
  • Phase 1 successful

Symptoms & Errors:

  • Phase 2 failing with a Proxy ID mismatch
  • No policy exist for the Proxy ID
  • Get address shows:

    192.168.168.0/24  192.168.168.0          255.255.255.0     00
    Any               0.0.0.0                0.0.0.0           02  All Addr
    Dial-Up VPN       255.255.255.255        255.255.255.255   02  Dial-Up VPN Addr
    Homenet           192.168.0.0            255.255.255.0     00
    SBC Net           64.161.25.0            255.255.255.0     00
Solution:
The Firewall Event Log message lists the Local ID, Remote ID, Protocol Number, and Port Number. These fields are defined as follows:
  • Local ID: the encryption domain (local network) that the remote client is trying to connect to.
  • Remote ID: the internal address of the remote client that is trying to connect.
  • <0>,<0>: the Protocol Number and Port Number (0 means any protocol and any port).

Verify that the address book entry is correct and make sure the Proxy IDs match from one gateway to the other (i.e. the local proxy ID matches the peer's remote proxy ID, and vice versa). See the image.

[Image: proxy id]

To check the Proxy ID of each policy-based VPN using the CLI, type the following command:

get policy id <number>

Example:

SSG> get policy id 3
name:"none" (id 12), zone Untrust -> Trust,action Tunnel, status "enabled"
src "Dial-Up VPN", dst "10.2.2.0/24", serv "ANY"
Policies on this vpn tunnel: 1
  [255.255.255.255/32, 10.2.2.0/24, 0-65535, 0-65535, 0]
nat off, url filtering : disabled
vpn remote-vpn, nsp tunnel 40000012, sa index 2, sa tunnel id 12
policy flag 00010000, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log close, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/0 policing (no)
proxy id:
  local 10.2.2.0/255.255.255.0, remote 255.255.255.255/255.255.255.255, proto 0, port 0
No Authentication
No User, User Group or Group expression set
SSG->
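As an added example (not part of the original article), the following Python script parses the "proxy id:" detail line printed by "get policy id" on both gateways and checks the mirror rule described above: gateway A's local proxy ID must equal gateway B's remote proxy ID and vice versa, with matching protocol and port. The sample CLI fragments and addresses are constructed for illustration, and the netmask-to-prefix normalisation catches the common address-book mistake of a wrong mask on one side.

```python
import ipaddress
import re

# Matches the "proxy id:" detail line format shown in the get policy id output above.
PROXY_RE = re.compile(
    r"local\s+(\S+)/(\S+),\s+remote\s+(\S+)/(\S+),\s+proto\s+(\d+),\s+port\s+(\d+)"
)


def parse_proxy_id(cli_output):
    """Return (local, remote, proto, port); networks are ip_network objects so that a
    dotted netmask such as 255.255.255.0 compares equal to a /24 prefix."""
    m = PROXY_RE.search(cli_output)
    if not m:
        raise ValueError("no proxy id line found in output")
    local = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    remote = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
    return local, remote, int(m.group(5)), int(m.group(6))


def proxy_ids_match(side_a, side_b):
    """Phase 2 can only complete if A.local == B.remote, A.remote == B.local and
    proto/port agree. Returns (ok, list_of_mismatch_reasons)."""
    a_local, a_remote, a_proto, a_port = parse_proxy_id(side_a)
    b_local, b_remote, b_proto, b_port = parse_proxy_id(side_b)
    problems = []
    if a_local != b_remote:
        problems.append(f"A local {a_local} != B remote {b_remote}")
    if a_remote != b_local:
        problems.append(f"A remote {a_remote} != B local {b_local}")
    if a_proto != b_proto:
        problems.append(f"proto {a_proto} != {b_proto}")
    if a_port != b_port:
        problems.append(f"port {a_port} != {b_port}")
    return (not problems, problems)


# Constructed sample output from two hypothetical gateways.
GATEWAY_A = "proxy id:\n  local 10.2.2.0/255.255.255.0, remote 192.168.0.0/255.255.255.0, proto 0, port 0\n"
GATEWAY_B_OK = "proxy id:\n  local 192.168.0.0/255.255.255.0, remote 10.2.2.0/255.255.255.0, proto 0, port 0\n"
# Peer B's remote entry carries a /16 mask instead of /24: the kind of address-book
# error that makes the receiving gateway log "No policy exist for the Proxy ID".
GATEWAY_B_BAD = "proxy id:\n  local 192.168.0.0/255.255.255.0, remote 10.2.2.0/255.255.0.0, proto 0, port 0\n"

if __name__ == "__main__":
    for label, side_b in (("ok", GATEWAY_B_OK), ("bad", GATEWAY_B_BAD)):
        ok, why = proxy_ids_match(GATEWAY_A, side_b)
        print(label, ok, why)
```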
Modification History:
2017-12-26: Article reviewed for accuracy. Added ScreenOS tag to the title. Article is correct and complete.
