
How to Verify the Policy-Based Site-to-Site VPN Policy Settings Are Correct

Article ID: KB9516
KB Last Updated: 30 Aug 2010
Version: 3.0
Summary:

This article explains how to verify the Policy-Based Site-to-Site VPN policy settings are correct.

Symptoms:

A Policy-Based Site-to-Site VPN has been configured, but it is not passing traffic. There is a message in the event log stating:

Phase 2: No policy exists for the proxy ID...

Solution:

The Firewall's Event Log Message will list the Local ID, Remote ID, Protocol Number, and Port Number. 

[Image: event log message showing the Local ID, Remote ID, Protocol Number and Port Number]

  • The Local ID is the encryption domain that the remote firewall is trying to connect to.
  • The Remote ID is the internal address of the remote firewall that is trying to connect.
  • <0>, <0> indicates the Protocol Number and Port Number that the remote firewall is sending for both the Local ID and the Remote ID.

To verify that the addresses in the policies are correct, compare the fields in the error message to the corresponding fields in the policy, as in the example below.

[Image: event log message compared with the matching VPN policy]

In this example, Paris is the name of the local firewall and Tokyo is the remote firewall. Tokyo is initiating the traffic, which is causing the Phase 2 error message to appear on the Paris firewall. In this sample image, all of the addresses match; in practice, one or more incorrect addresses would cause this error. If the addresses appear to be correct, check the Address Book entries to make sure they are correct there as well. The name of the address book entry might be correct, but there could be an error in the actual IP address and/or subnet mask.

Another possible cause is that one or more of the policies for the VPN are pointing to the wrong tunnel. This too will cause the "Phase 2: Proxy ID mismatch" error.
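As an added example (not part of this KB article or any Juniper tool), the following Python script performs the comparison described above: it parses the Local ID, Remote ID, protocol and port out of the Phase 2 message, resolves the policy's address book entries to their actual IP/mask, and reports which field or tunnel binding disagrees. The log-line wording, the address book contents, and the policy and tunnel names are constructed assumptions.

```python
import ipaddress
import re
# Constructed sample of the Phase 2 message; wording and field layout are assumed from the article.
LOG_LINE = ("Phase 2: No policy exists for the proxy ID received: "
            "local ID (10.10.10.0/255.255.255.0, 0, 0) "
            "remote ID (192.168.20.0/255.255.255.0, 0, 0)")
# Constructed address book on Paris: the "Tokyo-LAN" name is right but its IP carries a typo.
ADDRESS_BOOK = {
    "Paris-LAN": "10.10.10.0/255.255.255.0",
    "Tokyo-LAN": "192.168.2.0/255.255.255.0",
}
# Constructed inbound VPN policy (hypothetical names); Tokyo initiates, so Tokyo-LAN is the source.
POLICIES = [
    {"id": 10, "src": "Tokyo-LAN", "dst": "Paris-LAN", "service": (0, 0), "tunnel": "vpn-tokyo"},
]
ID_RE = re.compile(r"(local|remote) ID \(([\d.]+/[\d.]+), (\d+), (\d+)\)")

def parse_proxy_id(line):
    """Return {'local': (network, proto, port), 'remote': (...)} parsed from the event-log line."""
    ids = {side: (ipaddress.ip_network(net), int(proto), int(port))
           for side, net, proto, port in ID_RE.findall(line)}
    if set(ids) != {"local", "remote"}:
        raise ValueError("not a Phase 2 proxy-ID message")
    return ids

def check_policy(line, address_book, policies, expected_tunnel):
    """Return mismatch reasons; an empty list means a policy matches the proxy ID on the right tunnel."""
    ids = parse_proxy_id(line)
    local_net, proto, port = ids["local"]
    remote_net = ids["remote"][0]
    all_reasons = []
    for pol in policies:
        reasons = []
        # Resolve names through the address book: the name can be right while the IP/mask is wrong.
        src = ipaddress.ip_network(address_book[pol["src"]])
        dst = ipaddress.ip_network(address_book[pol["dst"]])
        # Inbound from the peer: source must equal the Remote ID, destination the Local ID (outbound: swapped).
        if src != remote_net:
            reasons.append(f"policy {pol['id']}: source {pol['src']}={src} != remote ID {remote_net}")
        if dst != local_net:
            reasons.append(f"policy {pol['id']}: destination {pol['dst']}={dst} != local ID {local_net}")
        if pol["service"] != (proto, port):
            reasons.append(f"policy {pol['id']}: service {pol['service']} != ({proto}, {port})")
        if pol["tunnel"] != expected_tunnel:
            reasons.append(f"policy {pol['id']}: bound to tunnel {pol['tunnel']}, expected {expected_tunnel}")
        if not reasons:
            return []
        all_reasons += reasons
    return all_reasons
```

Run `check_policy(LOG_LINE, ADDRESS_BOOK, POLICIES, "vpn-tokyo")` to see the address book typo reported; correcting the Tokyo-LAN entry makes the list empty.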
