
[SRX] How to fix the Phase 2 Proxy ID/Traffic-selector mismatch error


Article ID: KB10124 KB Last Updated: 26 May 2021Version: 10.0
Summary:

The "Phase 2 error: Peer proposed traffic-selectors are not in configured range" error is typically caused by a configuration mismatch between the two VPN devices.

The steps in this article help correct the issue on an SRX device.

Symptoms:

The VPN is not active, and the VPN status messages report that the VPN is failing in Phase 2 with the message "Peer proposed traffic-selectors are not in configured range."

Nov  4 12:11:09   kmd[1907]: IPSec negotiation failed with error: Peer proposed traffic-selectors are not in configured range. IKE Version: 1, VPN: VPN-1 Gateway: Gateway, Local: 192.168.1.1/500, Remote: 192.168.1.2/500, Local IKE-ID: 192.168.1.1, Remote IKE-ID: 192.168.1.2, VR-ID: 0
Nov  4 12:24:09   kmd[2531]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN-1, Peer Proposed traffic-selector local-ip: ipv4(tcp:80,192.168.3.0-192.168.3.255),  Peer Proposed traffic-selector remote-ip: ipv4(tcp,192.168.2.0-192.168.2.255)

Cause:

Proxy IDs are validated during VPN tunnel establishment: the proxy IDs configured on the two VPN peers must be an inverse (mirror) match of one another.

Solution:

Perform the following steps to resolve the issue:

  1. Locate the proxy identity sent by the peer in the "Traffic-selector mismatch" message in the VPN status messages.

Consult: KB10097 - [Includes video] How to configure syslog to display VPN status messages.

Nov  4 12:24:09   kmd[2531]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN-1, Peer Proposed traffic-selector local-ip: ipv4(tcp:80,192.168.3.0-192.168.3.255),  Peer Proposed traffic-selector remote-ip: ipv4(tcp,192.168.2.0-192.168.2.255)

The Proxy ID received from the peer is:

  • Remote Proxy ID: 192.168.2.0/24

  • Local Proxy ID: 192.168.3.0/24

  • Service: tcp:80

  2. Is this a route-based VPN or a policy-based VPN? For further assistance, see KB10105 - [SRX] Difference between a policy-based VPN and a route-based VPN.

  • Route-based VPN - Continue with Step 3.

  • Policy-based VPN - Jump to Step 4.

  3. [Route-based VPN] Does the proxy identity received from the peer VPN device match the one configured on your SRX device?

Run the following command in Configuration mode:

show security ipsec vpn <vpn name> ike proxy-identity

root@siteA# show security ipsec vpn <vpn name> ike proxy-identity
local 192.168.10.0/24;
remote 192.168.2.0/24;
service any;

Note: If no proxy identity has been configured, the system uses a default proxy identity: 0.0.0.0 for both the local and the remote address, with a service of "any."

  • Yes - Jump to Step 5.

  • No - Configure the correct local and remote IP addresses by using the proxy identity command:

root# set security ipsec vpn <vpn name> ike proxy-identity local <local IP> remote <remote IP> service <service>

  4. [Policy-based VPN] Does the proxy identity received from the peer VPN device match the one configured in the outbound VPN security policy on your SRX device?

Run the following command, specifying the zones in the outbound direction:

show security policies from-zone <zone> to-zone <zone> policy-name <policy> detail

The detail parameter reports the address-book names and the corresponding IP addresses/subnets based on the configuration.

root@SiteA> show security policies from-zone trust to-zone untrust policy-name internal-net detail
Policy: vpn-policy-siteB, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses:
local-net: 192.168.2.0/24 <-----  Local proxy identity
Destination addresses:
remote-net: 10.10.10.0/24 <-----  Remote proxy identity 
Application: any          <-----  Service
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
Tunnel: ike-vpn-siteB, Type: IPSec, Index: 2

Your SRX VPN configuration should be a mirror (inverse) of the peer's configuration.

  1. Verify that the "Source address," including the subnet, matches the Local Proxy ID received from the peer device that is identified in step 1.

  2. Verify that the "Destination address," including the subnet, matches the Remote Proxy ID received from the peer device, identified in step 1.

  3. Verify that the "Application" matches the Service received from the peer device, identified in step 1.

Notes:

  • If multiple addresses are configured in the security policy, then the proxy identity is set to 0.0.0.0/0. If multiple applications are configured in the security policy, then the service for the proxy identity is set to Any.

  • For a policy-based VPN, the proxy identity cannot be overridden by manually entering a proxy identity under the set security ipsec vpn <vpn> ike proxy-identity stanza.

  • No - Correct the security policy or the address book issue.

Consult: KB16553 - SRX Getting Started - Configure Security Policies and KB16621 - SRX Getting Started - Configure Address Books and Applications (Services).

  • Yes - Continue to Step 5.

  5. If the problem is still not resolved, collect logs and IKE traceoptions, and open a case with your technical support representative.

    Consult:
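As an added example (not part of this article or of Junos), the following Python script automates the comparison described in steps 1 to 4: it parses a KMD_VPN_TS_MISMATCH line into the peer's proposed traffic selectors and applies the inverse-match rule from the Cause section to a proxy identity such as the one shown in step 3. The log line is constructed from the article's sample, and the service comparison is a simplified string match.

```python
import ipaddress
import re

# Constructed sample, modelled on the KMD_VPN_TS_MISMATCH line quoted in this article.
SAMPLE_LOG = (
    "Nov  4 12:24:09   kmd[2531]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, "
    "vpn name: VPN-1, Peer Proposed traffic-selector local-ip: "
    "ipv4(tcp:80,192.168.3.0-192.168.3.255),  Peer Proposed traffic-selector "
    "remote-ip: ipv4(tcp,192.168.2.0-192.168.2.255)"
)

# Captures side, service, first and last address of each proposed selector.
TS_RE = re.compile(r"(local|remote)-ip: ipv4\(([^,]*),([\d.]+)-([\d.]+)\)")


def parse_ts_mismatch(line):
    """Return {'local': (service, network), 'remote': (service, network)},
    both from the peer's point of view, as carried in the syslog line."""
    peer = {}
    for side, service, first, last in TS_RE.findall(line):
        nets = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
        if len(nets) != 1:  # a proxy ID is a single prefix; anything else is odd
            raise ValueError(f"{first}-{last} is not a single CIDR block")
        peer[side] = (service or "any", nets[0])
    if set(peer) != {"local", "remote"}:
        raise ValueError("line does not carry both traffic selectors")
    return peer


def check_proxy_identity(peer, local, remote, service="any"):
    """Compare the peer's proposal with our proxy identity. Rule from the Cause
    section: our local must equal the peer's remote, and vice versa. Service is
    compared as a plain string (simplification: SRX maps an application to
    protocol/ports, and the peer's two selectors may carry different values)."""
    findings = []
    if ipaddress.ip_network(local) != peer["remote"][1]:
        findings.append(f"local {local} != peer remote {peer['remote'][1]}")
    if ipaddress.ip_network(remote) != peer["local"][1]:
        findings.append(f"remote {remote} != peer local {peer['local'][1]}")
    peer_services = {peer["local"][0], peer["remote"][0]}
    if peer_services != {service}:
        findings.append(f"service {service} != peer {sorted(peer_services)}")
    return findings


if __name__ == "__main__":
    proposal = parse_ts_mismatch(SAMPLE_LOG)
    # Proxy identity as shown in step 3: local 192.168.10.0/24, remote 192.168.2.0/24, any.
    for f in check_proxy_identity(proposal, "192.168.10.0/24", "192.168.2.0/24"):
        print("MISMATCH:", f)
```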

 

Modification History:
  • 2020-01-11: Article checked for accuracy; references to old Junos removed; additional reference links included and updated

  • 2021-05-26: Article updated to reflect current configuration and information
