
[ScreenOS] How to Analyze IKE Phase 2 Messages in the Event Logs



Article ID: KB9231
KB Last Updated: 29 May 2019
Version: 7.0
If the Event log is reporting Internet Key Exchange (IKE) Phase 2 messages, this procedure can help determine the reason the VPN is not establishing Phase 2.
An IKE VPN tunnel is not coming up. Identify and analyze the Phase 2 messages in the Event Logs that can help determine why.

Use these steps to identify the IKE Phase 2 error messages and what to do to correct them. For assistance in finding the IKE errors in the event logs, see KB4426 - How do I Find the VPN Entry in the Event Log?

  1. Is there a message reporting Phase 2 Complete for the VPN in question?
     Message: IKE <ip_addr> Phase 2 msg ID <8046e14d>: Completed negotiations with SPI <e37791d8>, tunnel ID <1>, and lifetime <3600> sec/<0> KB.
     Where <ip_addr> is the IP address of the remote firewall in question.
  2. The most common Phase 2 errors are:
    • Message: IKE <ip_addr> Received notify message for DOI <1> <14> < NO_PROPOSAL_CHOSEN >
      Message: IKE <ip_addr> Phase 2: Rejected proposals from peer, Negotiations failed.
      Message: Rejected an IKE packet on <interface> from ..... because there were no acceptable Phase 2 proposals
      Meaning: The NetScreen device did not accept any of the IKE Phase 2 proposals that were sent by the specified IKE peer.

      Action: Check the local VPN configuration. Either change the local configuration to accept at least one of the remote peer’s Phase 2 proposals, or contact the remote peer’s administrator and arrange for the IKE configurations at both ends of the tunnel to use at least one mutually acceptable Phase 2 proposal.
      For assistance, see KB6168 - Received Notify Message for DOI <No_PROPOSAL_CHOSEN>

      You can also use "debug ike detail" to check for errors during VPN negotiation.

      debug ike detail: used to view the IKE Phase 1 and Phase 2 negotiations. Most IKE issues can be observed by viewing the event log.
      However, when troubleshooting a VPN with another vendor, or if the remote peer device is not accessible, debug ike detail can provide
      information on how the other VPN peer has been configured.

      Procedure to run "debug ike detail":
      1. undebug all                   (turn off any debugs currently enabled)
      2. set db size 4096              (increase the debug buffer)
      3. clear db                      (clear the debug buffer)
      4. set sa-filter <ip-address>    (where ip-address = remote peer gateway IP address)
      5. debug ike detail              (then initiate traffic toward the remote peer)
      6. undebug all                   (turn off the debugs after the traffic has failed)
      7. get db st                     (display the debug output)

      You can check the proposals sent by remote peer and accordingly modify the proposals on the local side.

    • Message: IKE <ip_addr> Phase 2: No policy exists for the proxy ID received: local ID (<ip_addr>/<mask>, <protocol>, <port_num>) remote ID (<ip_addr>/<mask>, <protocol>, <port_num>). 
      Meaning: No policy was found matching the specified attributes.

      Action: The proxy-id must be an exact "reverse" match. For example, the address book entries must have the same number of netmask bits, and the list of services and the port numbers must match as well. If any of these fields does not match, Phase 2 will fail. Check the address and/or service book entries.

      To help troubleshoot a Proxy ID error, see one of the following articles:

    • Message: IKE <ip_addr>: Phase 2 negotiation request is already in the task list   
      Meaning: The IKE module in the local NetScreen device, when attempting to add a Phase 2 negotiation task to its task list, discovered that the list already contained an identical task for the specified peer.
      When beginning Phase 1 negotiations, the NetScreen device adds the tasks that the Phase 1 security association (SA) must do to its Phase 1 task list. One such task is to perform Phase 2 negotiations. If Phase 1 negotiations progress too slowly, local traffic might initiate another Phase 2 SA request to the IKE module. If it does initiate another Phase 2 request to the IKE module, before the NetScreen device adds the Phase 2 task to its task list, it will discover that an identical task is already in the list and refrain from adding the duplicate.

      Action: Check if the IKE Phase 1 negotiations with that peer have successfully completed.

      If you are receiving this message, see Step 6 of KB9221 - How to Troubleshoot a Site-to-Site VPN Tunnel that won't come up.
  3. If you have IKE Phase 2 errors other than those listed in Step 2, consult the Message Log Reference Guide for your ScreenOS version. You can also check the event messages or VPN-related messages using the commands "get event" and "get log event type 536".

  4. For additional assistance, collect the Site-to-Site logs for both sides of the tunnel and open a Service Request (also known as a case) with your technical support representative. See KB9229 - How to collect logs and open a case for a problem with a Site-to-Site VPN.
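As an added example (not part of this article and not Juniper code), the Python below sorts event-log lines into the Phase 2 message types described in Steps 1 and 2, grouped per peer, and applies the proxy-ID "reverse match" rule field by field. The sample log lines, peer IPs, SPI, msg ID and proxy IDs are constructed for illustration.

```python
import re
# Constructed sample ScreenOS event-log lines modelled on the messages quoted in
# this article; the peer IPs, msg ID, SPI and proxy IDs are made up.
SAMPLE_LOG = """\
IKE <10.1.1.2> Phase 2 msg ID <8046e14d>: Completed negotiations with SPI <e37791d8>, tunnel ID <1>, and lifetime <3600> sec/<0> KB.
IKE <10.1.1.3> Received notify message for DOI <1> <14> <NO_PROPOSAL_CHOSEN>
IKE <10.1.1.3> Phase 2: Rejected proposals from peer, Negotiations failed.
IKE <10.1.1.4> Phase 2: No policy exists for the proxy ID received: local ID (192.168.1.0/24, 0, 0) remote ID (172.16.5.0/25, 0, 0).
IKE <10.1.1.5>: Phase 2 negotiation request is already in the task list
"""
# Message fragments from Steps 1 and 2, each mapped to a kind and the recommended action.
RULES = [
    (r"Phase 2 msg ID <\w+>: Completed negotiations", "phase2_complete",
     "Phase 2 is up for this peer; nothing to fix."),
    (r"NO_PROPOSAL_CHOSEN|Rejected proposals from peer|no acceptable\s+Phase 2\s+proposals",
     "no_proposal_chosen", "No Phase 2 proposal matched: align proposals (debug ike detail shows the peer's)."),
    (r"No policy exists for the proxy ID received", "proxy_id_mismatch",
     "Proxy IDs must be an exact reverse match: check netmask bits, services and ports."),
    (r"already in the task list", "phase2_task_duplicate",
     "Duplicate Phase 2 request: check that Phase 1 with this peer completed."),
]
PEER_RE = re.compile(r"^IKE <([\d.]+)>")  # every message above starts with the peer IP

def classify(line):
    """Return (peer_ip, kind, action) for a recognised Phase 2 message, else None."""
    peer = PEER_RE.match(line)
    if not peer:
        return None
    for pattern, kind, action in RULES:
        if re.search(pattern, line):
            return peer.group(1), kind, action
    return None

def analyze(log_text):
    """Per peer, the Phase 2 message kinds seen; a peer without phase2_complete needs Step 2."""
    per_peer = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            per_peer.setdefault(hit[0], []).append(hit[1])
    return per_peer

def proxy_id_mismatches(local_proxy, peer_proxy):
    """Step 2's reverse-match rule: our local ID must equal the peer's remote ID and vice
    versa, field for field. A proxy ID is ((net/mask, proto, port), (net/mask, proto, port))."""
    fields = ("address/mask", "protocol", "port")
    pairs = (("local", local_proxy[0], peer_proxy[1]), ("remote", local_proxy[1], peer_proxy[0]))
    return [f"our {side} {f}={o!r} vs peer {t!r}"
            for side, ours, theirs in pairs for f, o, t in zip(fields, ours, theirs) if o != t]
```

The "Rejected an IKE packet on <interface> from ..." variant does not begin with the peer IP and is therefore not matched by `classify`; extend `PEER_RE` if your logs need it.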


Modification History:
2019-05-22: Content reviewed for accuracy
