How Do I Resolve Intermittent VPN Connectivity Problems?

Article ID: KB5230 KB Last Updated: 22 Jul 2010Version: 5.0
Summary:
How Do I Resolve Intermittent VPN Connectivity Problems?
Symptoms:
Environment:
  • Pre-shared Internet Key Exchange (IKE)
  • Virtual Private Network (VPN)
Symptoms & Errors:
  • Virtual Private Network (VPN) not working
  • IKE Phase 2 fails
  • Log Messages:
    • No policy exists for the proxy ID: local(10.2.0.126/255.255.255.255/0/0) remote(192.168.1.200/255.255.255.255/0/0)
    • ## protocol matched expected<0>
    • ## local address matched
    • ## remote address NOT matched
Solution:

Note: This article applies to ScreenOS 4.0 and higher.

VPN connectivity problems are sometimes caused by a mismatch between the policies on the two NetScreen devices.  Two methods for determining if this is the issue are:

  • Check the Security Associations (SAs) on your NetScreen device.
  • Check the system debug output for a 'No policy exists for the proxy ID received' entry.

To check the SAs on your NetScreen device, perform the following steps:

Step one: Open the Command Line Interface (CLI). For more information, go to Accessing the Command Line Interface Using Telnet.

Step two: From the CLI, enter the following command, and then press ENTER:
get sa
Step three: Locate the IKE gateway. If there are two active SA pairs and both pairs have a negative number (-1) for the policy ID (PID), it is likely that you have a policy mismatch. An example of this output is displayed below:
HEX ID    Gateway      Port Algorithm      SPI       Life:sec  kb     Sta  PID  vsys
00000002< 0.0.0.0      500  esp:3des/sha1  00000000  expir     unlim  I/I  -1   0
00000002> 0.0.0.0      500  esp:3des/sha1  00000000  expir     unlim  I/I  9    0
00000008< 12.12.12.12  500  esp:3des/sha1  00000000  expir     unlim  I/I  11   0
00000008> 12.12.12.12  500  esp:3des/sha1  00000000  expir     unlim  I/I  -1   0
Step four: To resolve a policy mismatch, reconfigure the VPN policies on the NetScreen devices. For more information, go to Configuring a Policy Based LAN to LAN VPN When Both Sides Have Static IPs Using Preshared Keys.

To check the system debug output for a 'No policy exists for the proxy ID received' entry, perform the following steps:

Step one: Open the Command Line Interface (CLI). For more information, go to Accessing the Command Line Interface Using Telnet.

Step two: From the CLI, enter the following command, and then press ENTER:
debug ike detail
Step three: Initiate a VPN negotiation.

Step four: From the CLI, enter the following commands, and then press ENTER:
undebug all
get dbuf stream
Step five: Examine the debug output for a 'No policy exists for the proxy ID received' entry. An example of this type of entry is displayed below:
##2001-08-03 15:30:30 system-debugging: IKE<10.10.12.253> Phase 2: No policy exists for the proxy ID received: local ID (<172.16.10.0>/<255.255.255.0>,<0>,<0>) remote ID (<10.251.7.53>/<255.255.255.255>,<0>,<0>)
To resolve a policy mismatch, reconfigure the VPN policies on the NetScreen devices. For more information, go to Configuring a Policy Based LAN to LAN VPN When Both Sides Have Static IPs Using Preshared Keys.
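The following Python helpers automate the two checks above: they flag SAs in `get sa` output whose PID is -1, and pull the proxy IDs out of the Phase 2 debug entry so they can be compared field by field with the local policy. This is an added example, not Juniper code; the `get sa` column layout and debug wording are taken from this article, and the sample output is constructed.

```python
"""Triage helpers for the two checks described above (added example, not Juniper's
code). Column layout of `get sa` and the debug wording are taken from the article;
the sample text below is constructed."""
import re

# Constructed `get sa` output, modelled on the table in step three above.
GET_SA_OUTPUT = """\
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000002< 0.0.0.0 500 esp:3des/sha1 00000000 expir unlim I/I -1 0
00000002> 0.0.0.0 500 esp:3des/sha1 00000000 expir unlim I/I 9 0
00000008< 12.12.12.12 500 esp:3des/sha1 00000000 expir unlim I/I 11 0
00000008> 12.12.12.12 500 esp:3des/sha1 00000000 expir unlim I/I -1 0
"""

def find_policy_mismatches(get_sa_text):
    """Return (hex_id, gateway, direction) for each SA whose PID is -1, i.e. an SA
    bound to no policy: the signature the article ties to a policy mismatch."""
    hits = []
    for line in get_sa_text.splitlines():
        cols = line.split()
        # Data rows have 10 columns and end the HEX ID with a direction marker.
        if len(cols) != 10 or cols[0][-1] not in "<>":
            continue
        if cols[8] == "-1":
            hits.append((cols[0][:-1], cols[1], cols[0][-1]))
    return hits

# Proxy-ID portion of the Phase 2 "No policy exists" debug entry shown in step five.
PROXY_ID = re.compile(
    r"local ID \(<([\d.]+)>/<([\d.]+)>,<(\d+)>,<(\d+)>\)\s+"
    r"remote ID \(<([\d.]+)>/<([\d.]+)>,<(\d+)>,<(\d+)>\)")

def parse_proxy_id(debug_line):
    """Return {'local': (addr, mask, proto, port), 'remote': (...)} or None."""
    m = PROXY_ID.search(debug_line)
    if not m:
        return None
    g = m.groups()
    return {"local": (g[0], g[1], int(g[2]), int(g[3])),
            "remote": (g[4], g[5], int(g[6]), int(g[7]))}

def compare_proxy_ids(received, expected):
    """Per-field verdicts mirroring the '## ... matched' debug lines, so the half of
    the policy that disagrees with the peer is obvious. Assumes both dicts use the
    receiving device's local/remote orientation, as the debug entry does."""
    return {"protocol": received["local"][2] == expected["local"][2],
            "local address": received["local"][:2] == expected["local"][:2],
            "remote address": received["remote"][:2] == expected["remote"][:2]}
```

Paste the real `get sa` output and `get dbuf stream` entry in place of the constructed sample; a False in the comparison points at the policy element that must be reconfigured to match the peer.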
