Support Support Downloads Knowledge Base Service Request Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

How to Analyze IKE Phase 1 Messages in the Event Logs

0

0

Article ID: KB9238 KB Last Updated: 24 Aug 2011Version: 5.0
Summary:
If the Event log is reporting IKE Phase 1 messages, this procedure can help determine the reason the VPN is not establishing Phase 1.
Symptoms:
An IKE VPN Tunnel is not coming up. There may be Phase 1 messages in the Event Logs that could help determine why.
Solution:

Use the following steps to identify the IKE Phase 1 error messages and what to do to correct them:  For assistance in finding the IKE errors in the event logs, see KB4426 - How do I Find the VPN Entry in the Event Log? 

NOTE:  You can troubleshoot a VPN problem more accurately and faster by reviewing the event log messages on the responder firewall.  The responder is the "receiver" side of the VPN that is being pinged, receiving the tunnel set up requests, or receiving the tunneled traffic.  The initiator is the side of the VPN that generates the ping or traffic.

Step 1.  Is there a message reporting: Phase 1 Complete for the VPN in question? 

Example:  IKE <1.1.1.1> Phase 1: Completed { Aggressive | Main } mode negotiations with a <number>-second lifetime.

Step 2. The most common Phase 1 errors are:

  • Message:  IKE <ip_addr> Phase 1: Rejected an initial Phase 1 packet from an unrecognized peer gateway. 
    Meaning:  The responder did not recognize the incoming request as originating from a valid gateway peer. 
    Action:      On the responder, confirm the following IKE gateway configuration settings are correct:
    • The Static IP Address specified for the Remote Gateway is correct.
    • The Peer ID specified for the Remote Gateway is correct.
    • The outgoing interface is correct.  (Unfortunately, you cannot change the IKE Gateway's outgoing interface.  Create a new IKE Gateway that points to the correct outgoing interface and then change the AutoKey IKE so that it matches the new gateway.)
  • Message:  IKE <ip_addr> Phase 1: Rejected an IKE packet on ethernet1/2 from <ip_addr>:<port> to <ip_addr>:<port> with cookies <cookie>  and <cookie> because Phase 1 negotiations failed.   (The preshared keys might not match.)
    Meaning:  The Phase 1 preshared keys do not match. 
    Action:  On both the initiator and responder, re-enter the Preshared Key in the IKE gateway configuration. 
  • Message:  <ip_address> to <ip_address> with cookies <cookie id> and <cookie id> because there were no acceptable Phase 1 proposals.
    Meaning:  The Phase 1 proposals do not match.
    Action: Make sure the parameters for the IKE gateway Phase 1 proposals on both the responder and the initiator match:
    • Authentication Method (Preshare, RSA-signature, or DSA-signature)
    • Diffie-Hellman Group Number (Group 1, 2, or 5)
    • Encryption Algorithm (DES, 3DES, or AES)
    • Hash Algorithm (MD5 or SHA-1)

Step 3. If you have IKE Phase 1 errors other than those listed in Step 2, collect the Site-to-Site logs for both sides of the tunnel and open a case with JTAC - Juniper Technical Assistance Center.  For Site-to-Site environments, consult: KB9229 - How to collect logs and open a case for a problem with a Site-to-Site VPN or for Dial-Up environments, consult: KB9395 - What Information Should Be Collected for a Dial-UP VPN That Won’t Come Up?

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Security Alerts and Vulnerabilities

Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search