
Event Log Error Message: No Policy Exists for the Proxy ID

KB6744


Summary:
Event Log Error Message: No Policy Exists for the Proxy ID
Symptoms:

  • IKE Phase 1 negotiations complete
  • IKE Phase 2 negotiations fail

 

Solution:

In the ScreenOS event log, during IKE Phase 2 negotiations, the following error message indicates a problem with the address or service book entries that are used to build the Phase 2 Proxy ID:

No Policy Exists for the proxy id

In short, the Proxy ID (local network, remote network, service port, etc.) must be a mirror image between the local and remote IKE VPN endpoints: what one side proposes as its local network, the other side must have as the remote network, and both must propose the same service.
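The mirror-image rule above, as an added example that is not part of the KB article: a small Python check that compares the Proxy ID each endpoint proposes and reports which fields fail to mirror. The ProxyId fields and the sample networks and services are assumptions chosen for illustration; they are not taken from any ScreenOS configuration.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ProxyId:
    """Phase 2 Proxy ID as one endpoint proposes it (field names are illustrative)."""
    local_net: str   # this endpoint's protected network, e.g. "10.1.1.0/24"
    remote_net: str  # the peer's protected network
    service: str     # "any", or "<proto>/<port>" such as "tcp/80"


def _norm_net(net: str) -> str:
    # strict=False so a host address typed into an address book entry,
    # e.g. "10.1.1.5/24", normalises to its network "10.1.1.0/24"
    return str(ip_network(net, strict=False))


def _norm_service(svc: str) -> str:
    # compare services case-insensitively ("ANY" and "any" are the same)
    return svc.strip().lower()


def proxy_id_mismatches(a: ProxyId, b: ProxyId) -> list[str]:
    """Return the fields that break the mirror-image rule between endpoints a and b.

    A mirrors B when A.local == B.remote, A.remote == B.local and both sides
    propose the same service. An empty list means the Proxy IDs agree.
    """
    problems = []
    if _norm_net(a.local_net) != _norm_net(b.remote_net):
        problems.append(f"A local {a.local_net} != B remote {b.remote_net}")
    if _norm_net(a.remote_net) != _norm_net(b.local_net):
        problems.append(f"A remote {a.remote_net} != B local {b.local_net}")
    if _norm_service(a.service) != _norm_service(b.service):
        problems.append(f"service {a.service} != {b.service}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the hub proposes 10.1.1.0/24 <-> 192.168.5.0/24 for ANY,
    # but the spoke's address book entry was entered as a /25 and its service as tcp/80.
    hub = ProxyId("10.1.1.0/24", "192.168.5.0/24", "ANY")
    spoke = ProxyId("192.168.5.0/25", "10.1.1.0/24", "tcp/80")
    for p in proxy_id_mismatches(hub, spoke):
        print("proxy-id mismatch:", p)
```

Each reported line corresponds to one address or service book entry to correct on one of the two peers before re-enabling policy checking.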

For more information on how to troubleshoot, refer to the corresponding error message in the following article:
KB9231 - How to Analyze IKE Phase 2 Messages in the Event Logs


Troubleshooting option:

By default, the CLI command "set ike policy-checking" is enabled, which means that the address and service book entries passed in the Proxy ID MUST match those used in the VPN policy. AS A TEST, you can disable this option by entering the command "unset ike policy-checking", which allows Phase 2 to complete WITHOUT the received Proxy ID being "checked" against the Proxy ID (local network, remote network, service port, etc.) used in the VPN policy. Then attempt to reconnect the VPN. If it connects, this confirms that there is a Proxy ID configuration error. Re-enable the option with the command "set ike policy-checking", and refer to the 'action' for the corresponding error in KB9231 to correct the problem.

Note: It is recommended that the "policy-checking" feature remain enabled, as it provides another level of security by verifying the peer's proposed Proxy ID against the VPN policy.

Note: With policy-checking disabled (unset ike policy-checking), ONLY one policy can be configured for this IKE gateway. If multiple policies per IKE gateway are required, "policy-checking" must NOT be disabled; otherwise, the following warning message is displayed:

"If more than one policy is desired per Gateway, policy checking must first be enabled by executing the "set ike policy checking" command."
