SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  ike SA unusable and ike No proposal chosen

    Posted 01-29-2016 08:56

    Hello, I am trying a new Juniper in my branch office and I can't understand what's wrong (there are 5 branches with IPsec VPN, so I was expecting that everything would go smoothly).

    I tried to set up two IPsec tunnels, and got two different errors.

    1st: 

    Jan 29 20:43:07  Moscow-NO kmd[2046]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: ipsec-
    vpn-cfgr Gateway: ike-gate-cfgr, Local: 83.234.107.110/500, Remote: 217.12.253.226/500, Local IKE-ID: Not-Availab
    le, Remote IKE-ID: Not-Available, VR-ID: 0 
    

    2nd: 

    Jan 29 20:43:13  Moscow-NO kmd[2046]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN:
    vpn-no-pod Gateway: gw-no-pod, Local: 83.234.107.110/500, Remote: 62.176.7.74/500, Local IKE-ID: Not-Available, 
    Remote IKE-ID: Not-Available, VR-ID: 0

    So, the new one can't connect to any of the existing routers, but gives different errors for them...

    On each host this has been done:

    set security zones security-zone untrust host-inbound-traffic system-services ike
    

    Config on new host:

    ike

    traceoptions {
        file ike-debug;
        flag all;
    }

    policy ike-policy-cfgr {
        mode main;
        proposal-set standard;
        pre-shared-key ascii-text "123"; ## SECRET-DATA
    }

    policy policy-no-pod {
        mode main;
        proposal-set standard;
        pre-shared-key ascii-text "123"; ## SECRET-DATA
    }

    gateway ike-gate-cfgr {
        ike-policy ike-policy-cfgr;
        address 217.12.253.226;
        dead-peer-detection {
            always-send;
            interval 20;
            threshold 5;
        }
        local-identity inet 83.234.107.110;
        external-interface fe-0/0/0.0;
        version v1-only;
    }

    gateway gw-no-pod {
        ike-policy policy-no-pod;
        address 62.176.7.74;
        dead-peer-detection {
            always-send;
            interval 20;
            threshold 5;
        }
        external-interface fe-0/0/0.0;
        version v1-only;
    }

    ipsec

    vpn-monitor-options {
        interval 10;
        threshold 10;
    }

    policy ipsec-policy-cfgr {
        perfect-forward-secrecy {
            keys group2;
        }
        proposal-set standard;
    }

    policy pol-no-pod {
        perfect-forward-secrecy {
            keys group2;
        }
        proposal-set standard;
    }

    vpn ipsec-vpn-cfgr {
        bind-interface st0.0;
        vpn-monitor {
            optimized;
        }
        ike {
            gateway ike-gate-cfgr;
            ipsec-policy ipsec-policy-cfgr;
        }
        establish-tunnels immediately;
    }

    vpn vpn-no-pod {
        bind-interface st0.1;
        vpn-monitor {
            optimized;
        }
        ike {
            gateway gw-no-pod;
            ipsec-policy pol-no-pod;
        }
        establish-tunnels immediately;
    }

    1st "old host":

    ike

    policy ike-policy-cfgr {
        mode main;
        proposal-set standard;
        pre-shared-key ascii-text "123"; ## SECRET-DATA
    }

    gateway ike-gate-cfgr {
        ike-policy ike-policy-cfgr;
        address 83.243.107.110;
        dead-peer-detection {
            always-send;
            interval 20;
            threshold 5;
        }
        external-interface vlan.8;
        version v1-only;
    }

    ipsec

    vpn-monitor-options {
        interval 10;
        threshold 10;
    }

    policy ipsec-policy-cfgr {
        perfect-forward-secrecy {
            keys group2;
        }
        proposal-set standard;
    }

    vpn ipsec-vpn-cfgr {
        bind-interface st0.1;
        vpn-monitor {
            optimized;
        }
        ike {
            gateway ike-gate-cfgr;
            ipsec-policy ipsec-policy-cfgr;
        }
        establish-tunnels immediately;
    }

    2nd old host:

    ike
    
    policy policy-pod-no {                  
        mode main;                          
        proposal-set standard;              
        pre-shared-key ascii-text "123"; ## SECRET-DATA
    }
    
    gateway gw-pod-no {                     
        ike-policy policy-pod-no;           
        address 83.234.107.110;             
        dead-peer-detection {               
            always-send;                    
            interval 20;                    
            threshold 5;                    
        }                                   
        external-interface fe-0/0/0.0;      
        version v1-only;                    
    }    
    
    ipsec
    
    vpn-monitor-options {
        interval 10;
        threshold 10;
    }
    
    
    policy pol-pod-no {                     
        perfect-forward-secrecy {           
            keys group2;                    
        }                                   
        proposal-set standard;              
    } 
    
    vpn vpn-pod-no {                        
        bind-interface st0.6;               
        vpn-monitor {                       
            optimized;                      
        }                                   
        ike {                               
            gateway gw-pod-no;              
            ipsec-policy pol-pod-no;        
        }                                   
        establish-tunnels immediately;      
    }

    Both "old" SRX devices are connected to each other through an IPsec VPN.



  • 2.  RE: ike SA unusable and ike No proposal chosen

    Posted 01-29-2016 09:13

    Hello,

    1/ please double-check the pre-shared keys

    2/ please check if You inserted st0.X units into security zone(s).

    HTH

    Thx

    Alex



  • 3.  RE: ike SA unusable and ike No proposal chosen

    Posted 01-30-2016 01:56

    This one was missing the st0.x interface in a security zone, thank you!

    Jan 29 20:43:13  Moscow-NO kmd[2046]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN:
    vpn-no-pod Gateway: gw-no-pod, Local: 83.234.107.110/500, Remote: 62.176.7.74/500, Local IKE-ID: Not-Available, 
    Remote IKE-ID: Not-Available, VR-ID: 0

     

    Rechecked security zones and PSK for this one:

    Jan 29 20:43:07  Moscow-NO kmd[2046]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: ipsec-
    vpn-cfgr Gateway: ike-gate-cfgr, Local: 83.234.107.110/500, Remote: 217.12.253.226/500, Local IKE-ID: Not-Availab
    le, Remote IKE-ID: Not-Available, VR-ID: 0 

    PSK  seems to be correct, st0.x interfaces present.



  • 4.  RE: ike SA unusable and ike No proposal chosen

    Posted 01-30-2016 04:00

    Hello,

     


    @Nomad-71 wrote:

     

    Rechecked security zones and PSK for this one:

    Jan 29 20:43:07  Moscow-NO kmd[2046]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: ipsec-
    vpn-cfgr Gateway: ike-gate-cfgr, Local: 83.234.107.110/500, Remote: 217.12.253.226/500, Local IKE-ID: Not-Availab
    le, Remote IKE-ID: Not-Available, VR-ID: 0 

    PSK  seems to be correct, st0.x interfaces present.


    1/ please enable IKE debug

    request security ipsec-vpn debug enable...

    2/ restart ipsec-key management, note the timestamp

    3/ post the sanitized kmd.log around timestamp above if still not working

    HTH

    Thx

    Alex



  • 5.  RE: ike SA unusable and ike No proposal chosen

    Posted 01-30-2016 04:26

    request security ike debug-enable local ...

     

    And this is what I got:

     

    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  Inside iked_get_primary_addr_by_intf_name... AF = 2
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]    iked_get_primary_addr_by_intf_name:2421 intf_name fe-0/0/0.0, af=inet, addr_len=4 
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]    iked_get_primary_addr_by_intf_name:2425 ip address = 83.234.107.110 ifam_flags = 0xc0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  Got address 83.234.107.110 as prefered address for interface fe-0/0/0.0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_cfg_populate_sa_cfg_with_ike_gateway_info: Found ip address for local interface 83.234.107.110
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  kmd_ipaddr2ikeid: ipaddr = 0.0.0.0/0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  kmd_ipaddr2ikeid: ipaddr = 0.0.0.0/0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_cfg_activate_route_based_sa_cfg Set this sa_cfg as INSTANCE
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_ipsec_is_ifl_installed: Bind interface st0.0 index<69>
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  In iked_ipsec_is_ifl_installed if:fe-0/0/0 
    
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_iface2zone: Returning zone = 7 for if: fe-0/0/0.0
    
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_iface2zone: Returning zone = 6 for if: st0.0
    
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_ipsec_is_ifl_installed: Bind interface st0.0, index<69>, IFL ext is up
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]    SA CFG Name: ipsec-vpn-cfgr
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]    Interface name: fe-0/0/0, Unit: 0, AF: 2, ksa_cfg_ifl_index: 71
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]    Local gateway: 83.234.107.110 
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]    Remote gateway: 217.12.253.226 
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  Inside iked_get_primary_addr_by_intf_name... AF = 2
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]    iked_get_primary_addr_by_intf_name:2421 intf_name fe-0/0/0.0, af=inet, addr_len=4 
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]    iked_get_primary_addr_by_intf_name:2425 ip address = 83.234.107.110 ifam_flags = 0xc0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  Got address 83.234.107.110 as prefered address for interface fe-0/0/0.0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_ipsec_is_ifl_installed: Found ip address for external interface 83.234.107.110. Marking sa-cfg ipsec-vpn-cfgr as ifa up
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_check_if_sa_cfg_ready: SA-CFG is ready
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  Added sa_cfg ipsec-vpn-cfgr to sadb hash tbl at hash:2994
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_sa_cfg_get_parent_sa_cfg_child_sas_count No parent for sa_cfg ipsec-vpn-cfgr count is 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_is_anchoring_instance sa_dist_id=0, self_dist_id=255
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_deactivate_bind_interface: No more NHTB entries are active for st0.0. Bringing down the interface
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  kmd_update_tunnel_interface: update ifl st0.0 status DOWN for sa_cfg ipsec-vpn-cfgr
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  In iked_ipsec_sa_config_add: if:fe-0/0/0 flags = 0x600a29 UP
    
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  In iked_fill_sa_bundle
    
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  ipsec-vpn-cfgr : VPN Monitor Interval=10(10) Optimized=1(1)
    
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  SA bundle remote gateway: IP 217.12.253.226 chosen
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  SA bundle local  gateway: IP 83.234.107.110 chosen
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  Installing SA ipsec-vpn-cfgr (mode: tunnel) tunnel ID 131073 to kernel
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  ----------------Voyager ipsec SA BUNDLE-------------------
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  SA Config add request for:   Tunnel index: 131073
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      Local Gateway address: 83.234.107.110
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      Primary remote Gateway address: 217.12.253.226
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      Backup remote Gateway State: Active
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]   Anti replay: counter-based enabled
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]   Window_size: 64
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]   Server Time: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]   Peer : Static
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]   Mode : Tunnel
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]   VPN Type : route-based
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      Tunnel mtu: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      DF bit: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      local-if ifl idx: 71
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      tunnel-if ifl idx: 69
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      Tunnel mtu: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      DPD interval: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      policy id: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      NATT enabled: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      NATT version: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      NAT position: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      SA Idle time: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      SA Outbound install delay time: 1
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      IKED ID: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      DIST ID: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      Keepalive interval: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      VPN monitoring interval: 10
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      VPN monitoring optimized: 1
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      Respond-bad-SPI: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      seq_out: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      Local port: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      Remote port: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      SA CFG name: ipsec-vpn-cfgr
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      Dial-up IKE ID: 
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      RG ID: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]      Group template tunnel ID: 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  In iked_sa_config_install Adding GENCFG msg with key; Tunnel = 131073, SPI-In = 0x0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_sa_config_install msg_len=688
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  Successfully added SA Config
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_sa_cfg_get_parent_sa_cfg_child_sas_count No parent for sa_cfg ipsec-vpn-cfgr count is 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_deactivate_bind_interface: No more NHTB entries are active for st0.0. Bringing down the interface
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  kmd_update_tunnel_interface: update ifl st0.0 status DOWN for sa_cfg ipsec-vpn-cfgr
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_is_anchoring_instance sa_dist_id=0, self_dist_id=255
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_start_vpnm_timer: processing SA ipsec-vpn-cfgr
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_start_vpnm_timer: registering VPNM timer: SA ipsec-vpn-cfgr
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  Triggering negotiation for ipsec-vpn-cfgr config block
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_pm_trigger_callback: lookup peer entry for gateway ike-gate-cfgr, local_port=500, remote_port=500
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_create_peer_entry: Created peer entry 0xef0000 for local 83.234.107.110:500 remote 217.12.253.226:500
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_fetch_or_create_peer_entry: Create peer entry 0xef0000 for local 83.234.107.110:500 remote 217.12.253.226:500. gw ike-gate-cfgr, VR id 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_pm_trigger_callback: FOUND peer entry for gateway ike-gate-cfgr
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  Initiating new P1 SA for gateway ike-gate-cfgr
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  P1 SA 5279221 start timer. timer duration 30, reason 1.
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_pm_trigger_negotiation Set p2_ed in sa_cfg=ipsec-vpn-cfgr
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_peer_insert_p1sa_entry: Insert p1 sa 5279221 in peer entry 0xef0000
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_pm_trigger_negotiation Convert traffic selectors from V1 format to V2 format for narrowing/matching selectors
    
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  ikev2_fallback_negotiation_alloc: Allocated fallback negotiation eee800
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]   iked_vpnm_timer_callback: VPN Monitor timer kicked in
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  Get rtbl_idx=0 for ifl idx 71
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  PING (217.12.253.226 via 217.12.253.226): 56 data bytes Tunnel-id:131073 outgoing intf 71, rtbl idx 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  VPNM send ping pkt (84/84) bytes for tunnel 131073, seq 0
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  Parsing notification payload for local:83.234.107.110, remote:217.12.253.226 IKEv1 
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  iked_pm_ike_spd_notify_request: Sending Initial contact
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  IKE SA fill called for negotiation of local:83.234.107.110, remote:217.12.253.226 IKEv1 
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  ikev2_fallback_negotiation_free: Fallback negotiation eee800 has still 1 references
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  ssh_ike_connect: Start, remote_name = 217.12.253.226:500, xchg = 2, flags = 00090000
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  ike_sa_allocate: Start, SA = { 2db6cdc9 9428f4d1 - 00000000 00000000 }
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  ike_init_isakmp_sa: Start, remote = 217.12.253.226:500, initiator = 1
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  ssh_ike_connect: SA = { 2db6cdc9 9428f4d1 - 00000000 00000000}, nego = -1
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  83.234.107.110:500 (Initiator) <-> 217.12.253.226:500 { 2db6cdc9 9428f4d1 - 00000000 00000000 [-1] / 0x00000000 } IP; Start isakmp sa negotiation
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  83.234.107.110:500 (Initiator) <-> 217.12.253.226:500 { 2db6cdc9 9428f4d1 - 00000000 00000000 [-1] / 0x00000000 } IP; Version = 1.0, Input packet fields = 0000 
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  ike_state_step: Current state = Start sa negotiation I (1)/-1, exchange = 2, auth_method = pre shared key, Initiator
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  ike_st_o_sa_proposal: Start
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  ike_policy_reply_isakmp_vendor_ids: Start
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  ike_st_o_private: Start
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  ike_policy_reply_private_payload_out: Start
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  ike_state_step: All done, new state = MM SA I (3)
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  ike_encode_packet: Start, SA = { 0x2db6cdc9 9428f4d1 - 00000000 00000000 } / 00000000, nego = -1
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  ike_encode_packet: Final length = 324
    [Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  ike_send_packet: Start, send SA = { 2db6cdc9 9428f4d1 - 00000000 00000000}, nego = -1, dst = 217.12.253.226:500,  routing table id = 0
    [Jan 30 16:17:20][83.234.107.110 <-> 217.12.253.226]  Ignoring the ifa preferred address add/change message as previous local address is the same
    [Jan 30 16:17:20]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
    [Jan 30 16:17:29][83.234.107.110 <-> 217.12.253.226]   iked_vpnm_timer_callback: VPN Monitor timer kicked in
    [Jan 30 16:17:29][83.234.107.110 <-> 217.12.253.226]  Get rtbl_idx=0 for ifl idx 71
    [Jan 30 16:17:29][83.234.107.110 <-> 217.12.253.226]  PING (217.12.253.226 via 217.12.253.226): 56 data bytes Tunnel-id:131073 outgoing intf 71, rtbl idx 0
    [Jan 30 16:17:29][83.234.107.110 <-> 217.12.253.226]  VPNM send ping pkt (84/84) bytes for tunnel 131073, seq 3
    [Jan 30 16:17:29][83.234.107.110 <-> 217.12.253.226]  Received IKE Trigger message with local_gw_addr = 83.234.107.110 remote_gw_addr = 217.12.253.226
    
    [Jan 30 16:17:29][83.234.107.110 <-> 217.12.253.226]  In iked_async_ike_trigger_msg_handler; Tunnel = 131073
    
    [Jan 30 16:17:29][83.234.107.110 <-> 217.12.253.226]  Triggering the IKE negotiation ....
    [Jan 30 16:17:29][83.234.107.110 <-> 217.12.253.226]  Triggering negotiation for ipsec-vpn-cfgr config block
    [Jan 30 16:17:29][83.234.107.110 <-> 217.12.253.226]  iked_pm_trigger_callback: lookup peer entry for gateway ike-gate-cfgr, local_port=500, remote_port=500
    [Jan 30 16:17:29][83.234.107.110 <-> 217.12.253.226]  iked_pm_trigger_callback: FOUND peer entry for gateway ike-gate-cfgr
    [Jan 30 16:17:29][83.234.107.110 <-> 217.12.253.226]  P1 SA 5279221 negotiation is still going on for gateway ike-gate-cfgr
    [Jan 30 16:17:29][83.234.107.110 <-> 217.12.253.226]  ike_retransmit_callback: Start, retransmit SA = { 2db6cdc9 9428f4d1 - 00000000 00000000}, nego = -1
    [Jan 30 16:17:29][83.234.107.110 <-> 217.12.253.226]  83.234.107.110:500 (Initiator) <-> 217.12.253.226:500 { 2db6cdc9 9428f4d1 - 00000000 00000000 [-1] / 0x00000000 } IP; Retransmitting packet, retries = 5
    [Jan 30 16:17:29][83.234.107.110 <-> 217.12.253.226]  ike_send_packet: Start, retransmit previous packet SA = { 2db6cdc9 9428f4d1 - 00000000 00000000}, nego = -1, dst = 217.12.253.226:500 routing table id = 0
    


  • 6.  RE: ike SA unusable and ike No proposal chosen

    Posted 01-30-2016 06:54

    Hello,

    Looks like 217.12.253.226 does not reply:

     

     ike_send_packet: Start, retransmit previous packet SA 

    Is 217.12.253.226 behind a firewall or stateful NAT, or is there an ACL preventing packets sourced from 83.234.107.110 from reaching 217.12.253.226? Loopback filters on 217.12.253.226 and/or 83.234.107.110 perhaps?

    Please double check the above points, then if still not working pls enable IKE debug on 217.12.253.226, repeat the test and post sanitized kmd log here.

    HTH

    Thx
    Alex

     



  • 7.  RE: ike SA unusable and ike No proposal chosen

    Posted 01-30-2016 07:38

    Thank you for your replies.

    No firewalls / filters / policies are blocking traffic, at least I am not aware of any.

     

    On 217.12.253.226 I noticed that it has several security associations:

    show security ike security-associations    
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
    5473375 UP     116e2c801097c9d0  ab39919cba3b8b39  Main           62.176.7.74     
    5473411 DOWN   c61f140f39008527  551b417b7766f3ad  Any            83.234.107.110  
    5473409 DOWN   931d0ca5af9a1478  0000000000000000  Main           83.243.107.110  
    5473410 DOWN   5103a7a2754f004d  144c6eb87b57c9f3  Any            83.234.107.110  
    5473412 DOWN   552225eca47bb34f  1ff408c58bce2530  Any            83.234.107.110 

    and debug log:

    [Jan 30 17:52:10]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_get_sa: Start, SA = { 02b87da5 947fb96c - 00000000 00000000 } / 00000000, remote = 83.234.107.110:500
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_get_sa: We are responder and this is initiators first packet
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_sa_allocate: Start, SA = { 02b87da5 947fb96c - 646c9eea c88d5bdc }
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_udp_callback_common: New SA
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_init_isakmp_sa: Start, remote = 83.234.107.110:500, initiator = 0
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  217.12.253.226:500 (Responder) <-> 83.234.107.110:500 { 02b87da5 947fb96c - 646c9eea c88d5bdc [-1] / 0x00000000 } IP; New SA
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ikev2_fallback_negotiation_alloc: Allocated fallback negotiation dfe000
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  P1 SA 5473376 start timer. timer duration 30, reason 1.
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ssh_isakmp_update_responder_cookie: Updating responder IKE cookie
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ssh_isakmp_update_responder_cookie: Original IKE cookie
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  00000000: 646c 9eea c88d 5bdc                      dl....[.
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ssh_isakmp_update_responder_cookie: New IKE cookie
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  00000000: 6006 a421 7fbc 2f9c                      `..!../.
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ikev2_fb_st_new_p1_connection_local_addresses: Accepting new Phase-1 negotiation: local=217.12.253.226:500, remote=83.234.107.110:500 (neg dfe000)
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ikev2_fallback_negotiation_free: Fallback negotiation dfe000 has still 1 references
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_decode_packet: Start
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_decode_packet: Start, SA = { 02b87da5 947fb96c - 6006a421 7fbc2f9c} / 00000000, nego = -1
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_decode_payload_sa: Start
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_decode_payload_sa: Found 1 proposals
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_decode_payload_t: Start, # trans = 2
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  217.12.253.226:500 (Responder) <-> 83.234.107.110:500 { 02b87da5 947fb96c - 6006a421 7fbc2f9c [-1] / 0x00000000 } IP; Version = 1.0, Input packet fields = 0401 SA VID 
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_state_step: Current state = Start sa negotiation R (2)/-1, exchange = 2, auth_method = any, Responder
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_st_i_vid: VID[0..16] = 27bab5dc 01ea0760 ...
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_st_i_vid: VID[0..16] = 6105c422 e76847e4 ...
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_st_i_sa_proposal: Start
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_process_packet: No output packet, returning
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  Parsing notification payload for local:217.12.253.226, remote:83.234.107.110 IKEv1 
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  iked_pm_phase1_sa_cfg_lookup_by_addr: Address based phase 1 SA-CFG lookup failed for local:217.12.253.226, remote:83.234.107.110 IKEv1 
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg dfe000)
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_isakmp_sa_reply: Start
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ikev2_fallback_negotiation_free: Fallback negotiation dfe000 has still 1 references
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  217.12.253.226:500 (Responder) <-> 83.234.107.110:500 { 02b87da5 947fb96c - 6006a421 7fbc2f9c [-1] / 0x00000000 } IP; Restart packet
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_state_restart_packet: Start, restart packet SA = { 02b87da5 947fb96c - 6006a421 7fbc2f9c}, nego = -1
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  217.12.253.226:500 (Responder) <-> 83.234.107.110:500 { 02b87da5 947fb96c - 6006a421 7fbc2f9c [-1] / 0x00000000 } IP; Version = 1.0, Input packet fields = 0401 SA VID 
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_state_step: Current state = Start sa negotiation R (2)/1, exchange = 2, auth_method = any, Responder
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_st_i_sa_proposal: Start
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_st_i_cr: Start
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_st_i_cert: Start
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_st_i_private: Start
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_st_o_sa_values: Start
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_state_restart_packet: Error, send notify
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  217.12.253.226:500 (Responder) <-> 83.234.107.110:500 { 02b87da5 947fb96c - 6006a421 7fbc2f9c [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_alloc_negotiation: Start, SA = { 02b87da5 947fb96c - 6006a421 7fbc2f9c}
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_alloc_negotiation: Found slot 0, max 1
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_init_info_exchange: Created random message id = 4fc006db
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_init_info_exchange: No phase 1 done, use only N or D payload
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  <none>:500 (Initiator) <-> 83.234.107.110:500 { 02b87da5 947fb96c - 6006a421 7fbc2f9c [0] / 0x4fc006db } Info; Sending negotiation back, error = 14
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_encode_packet: Start, SA = { 0x02b87da5 947fb96c - 6006a421 7fbc2f9c } / 4fc006db, nego = 0
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_encode_packet: Final length = 102
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_send_notify: Sending notification to 83.234.107.110:500
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_send_packet: Start, send SA = { 02b87da5 947fb96c - 6006a421 7fbc2f9c}, nego = 0, dst = 83.234.107.110:500,  routing table id = 0
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_delete_negotiation: Start, SA = { 02b87da5 947fb96c - 6006a421 7fbc2f9c}, nego = 0
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  <none>:500 (Initiator) <-> 83.234.107.110:500 { 02b87da5 947fb96c - 6006a421 7fbc2f9c [0] / 0x4fc006db } Info; Deleting negotiation
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_free_negotiation_info: Start, nego = 0
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_free_negotiation: Start, nego = 0
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  IKE negotiation fail for local:217.12.253.226, remote:83.234.107.110 IKEv1 with status: No proposal chosen
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]    IKEv1 Error : No proposal chosen
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ikev2_fallback_negotiation_free: Freeing fallback negotiation dfe000



  • 8.  RE: ike SA unusable and ike No proposal chosen
    Best Answer

    Posted 01-30-2016 07:47

    Hello,

     

    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  iked_pm_phase1_sa_cfg_lookup_by_addr: Address based phase 1 SA-CFG lookup failed for local:217.12.253.226, remote:83.234.107.110 IKEv1 
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
    [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg dfe000)

    Translation: 217.12.253.226 does not know anything about 83.234.107.110.

    Please post here the following output FROM 217.12.253.226 , sanitized if You care:

     

    show configuration security ike | display set | match 83.234.107.110 | no-more

    If there is an output, then "restart ipsec-key-management" on 217.12.253.226 could help.

    Another but rare possibility is that You may have duplicate IPs in Your network.

    HTH

    Thx

    Alex
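    The two readings Alex gives in this thread (retransmits with no reply in post 6, and the "Address based phase 1 SA-CFG lookup failed" line in post 8) can be turned into a small triage script. The following is an added example, not code from the thread or from Juniper: it runs over a handful of lines copied from the initiator log in post 5 and the responder log in post 7 (embedded below as constructed sample input), counts the message fragments that actually appear in those logs, and reports per local/remote pair which failure mode the log shows. The verdict wording and the order in which the checks are applied are the example's own choices.

```python
import re
from collections import defaultdict

# Line format of the SRX kmd/iked debug output quoted in this thread:
#   [Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  message text
LINE_RE = re.compile(r"^\[([^\]]+)\]\[(\S+) <-> (\S+)\]\s+(.*)$")

# Message fragments taken from the thread's own logs, keyed by what they indicate.
SIGNATURES = {
    "sent":       "ike_send_packet: Start, send SA",             # a fresh packet went out
    "retransmit": "Retransmitting packet",                       # no answer, resending
    "received":   "ike_decode_packet: Start, SA",                # a peer packet was parsed
    "no_sa_cfg":  "Address based phase 1 SA-CFG lookup failed",  # no gateway for this peer IP
    "notify":     "IKEv1 Error : No proposal chosen",            # error notify sent/received
}


def count_signatures(lines):
    """Group the debug lines by (local, remote) pair and count each signature."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # KMD_INTERNAL_ERROR and other lines without a peer tag
        _ts, local, remote, msg = m.groups()
        for name, needle in SIGNATURES.items():
            if needle in msg:
                counts[(local, remote)][name] += 1
    return counts


def diagnose(lines):
    """Return {(local, remote): verdict}, applying the thread's readings in order."""
    verdicts = {}
    for (local, remote), c in count_signatures(lines).items():
        if c["no_sa_cfg"]:
            # Responder side: the peer's source address matched no 'gateway ... address'.
            verdicts[(local, remote)] = (
                f"{local} has no IKE gateway whose address is {remote}; check "
                f"'show configuration security ike | display set | match {remote}' on {local}")
        elif c["notify"]:
            verdicts[(local, remote)] = (
                f"{local} sent or received 'No proposal chosen' with {remote}; "
                "compare mode, proposal-set and IKE version on both sides")
        elif c["sent"] and c["retransmit"] and not c["received"]:
            # Initiator side: the first main-mode packet went out, nothing ever came back.
            verdicts[(local, remote)] = (
                f"{local} is retransmitting to {remote} without any reply; check reachability, "
                "filters/NAT in the path and host-inbound-traffic ike on the peer")
        else:
            verdicts[(local, remote)] = "no failure signature from this thread matched"
    return verdicts


# Constructed sample input: lines copied from the initiator log (post 5) and the
# responder log (post 7), trimmed to the ones that carry the signatures above.
INITIATOR_LOG = [
    "[Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  Initiating new P1 SA for gateway ike-gate-cfgr",
    "[Jan 30 16:17:19][83.234.107.110 <-> 217.12.253.226]  ike_send_packet: Start, send SA = { 2db6cdc9 9428f4d1 - 00000000 00000000}, nego = -1, dst = 217.12.253.226:500,  routing table id = 0",
    "[Jan 30 16:17:20]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received",
    "[Jan 30 16:17:29][83.234.107.110 <-> 217.12.253.226]  83.234.107.110:500 (Initiator) <-> 217.12.253.226:500 { 2db6cdc9 9428f4d1 - 00000000 00000000 [-1] / 0x00000000 } IP; Retransmitting packet, retries = 5",
    "[Jan 30 16:17:29][83.234.107.110 <-> 217.12.253.226]  ike_send_packet: Start, retransmit previous packet SA = { 2db6cdc9 9428f4d1 - 00000000 00000000}, nego = -1, dst = 217.12.253.226:500 routing table id = 0",
]
RESPONDER_LOG = [
    "[Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_decode_packet: Start, SA = { 02b87da5 947fb96c - 6006a421 7fbc2f9c} / 00000000, nego = -1",
    "[Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  iked_pm_phase1_sa_cfg_lookup_by_addr: Address based phase 1 SA-CFG lookup failed for local:217.12.253.226, remote:83.234.107.110 IKEv1",
    "[Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]  ike_send_notify: Sending notification to 83.234.107.110:500",
    "[Jan 30 17:52:24][217.12.253.226 <-> 83.234.107.110]    IKEv1 Error : No proposal chosen",
]


def triage_thread_logs():
    """Run both posted logs through diagnose(); one verdict per peer pair."""
    return diagnose(INITIATOR_LOG + RESPONDER_LOG)


if __name__ == "__main__":
    for (local, remote), verdict in triage_thread_logs().items():
        print(f"{local} -> {remote}: {verdict}")
```

    The ordering matters: a responder that fails the SA-CFG lookup also logs "No proposal chosen", so the lookup failure is checked first, otherwise the verdict would point at proposal settings when the real problem is that the peer address is not configured at all.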



  • 9.  RE: ike SA unusable and ike No proposal chosen

    Posted 01-30-2016 08:12

    Thank you!

    There was 

    83.243.107.110

    instead of

    83.234.107.110
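    The root cause found above (83.243.107.110 instead of 83.234.107.110 in the old host's gateway address) is the kind of mistake a configuration cross-check catches before anyone reads a debug log. The following is an added example, not code from the thread or from Juniper: it takes the IKE stanzas of two peers in `display set` form (the two configs embedded below are the new host's and the first old host's configs from post 1, transcribed by hand into set format), plus each device's external address as seen in the log lines above, verifies that each side has a gateway pointing at the other, flags a near-miss address as a likely typo, and then compares mode, proposal-set, pre-shared key and IKE version for the matched pair. The device names and the set-format transcription are assumptions made for the example.

```python
import re

SET_RE = re.compile(r"^set security ike (gateway|policy) (\S+) (.+)$")


def parse_ike_set(config_text):
    """Parse 'show configuration security ike | display set' output into
    {'gateway': {name: {attr: value}}, 'policy': {name: {attr: value}}}."""
    ike = {"gateway": {}, "policy": {}}
    for raw in config_text.strip().splitlines():
        m = SET_RE.match(raw.strip())
        if not m:
            continue
        kind, name, rest = m.groups()
        key, _, val = rest.partition(" ")
        if key == "dead-peer-detection":          # timers do not affect phase 1 matching
            continue
        if key == "pre-shared-key":               # 'ascii-text "123"' -> '123'
            val = val.split(None, 1)[1].strip('"')
        ike[kind].setdefault(name, {})[key] = val.strip()
    return ike


def looks_like_typo(a, b):
    """True if two dotted quads differ by a single digit or one swapped adjacent pair."""
    if len(a) != len(b):
        return False
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(diffs) == 1:
        return True
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def check_peering(local_name, local_cfg, local_ext_ip, remote_name, remote_cfg, remote_ext_ip):
    """Cross-check one site-to-site pair; returns a list of findings (empty = consistent)."""
    findings = []
    local, remote = parse_ike_set(local_cfg), parse_ike_set(remote_cfg)
    # Each side must have a gateway whose 'address' is the other side's external IP.
    lgw = [g for g in local["gateway"].values() if g.get("address") == remote_ext_ip]
    rgw = [g for g in remote["gateway"].values() if g.get("address") == local_ext_ip]
    for side, found, cfg, want in ((local_name, lgw, local, remote_ext_ip),
                                   (remote_name, rgw, remote, local_ext_ip)):
        if not found:
            msg = f"{side}: no IKE gateway with address {want}"
            near = [g["address"] for g in cfg["gateway"].values()
                    if looks_like_typo(g.get("address", ""), want)]
            if near:
                msg += f" (possible typo: {', '.join(near)})"
            findings.append(msg)
    if lgw and rgw:
        # The matched gateways must agree on IKE version and on their policy settings.
        if lgw[0].get("version") != rgw[0].get("version"):
            findings.append(f"IKE version differs: {lgw[0].get('version')} vs {rgw[0].get('version')}")
        lp = local["policy"].get(lgw[0].get("ike-policy"), {})
        rp = remote["policy"].get(rgw[0].get("ike-policy"), {})
        for attr in ("mode", "proposal-set", "pre-shared-key"):
            if lp.get(attr) != rp.get(attr):
                findings.append(f"IKE policy {attr} differs: {local_name}={lp.get(attr)} "
                                f"{remote_name}={rp.get(attr)}")
    return findings


# Constructed input: the thread's configs for the ike-gate-cfgr pair, hand-transcribed
# into set format. The old host still carries the transposed address from the thread.
NEW_HOST = """
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposal-set standard
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "123"
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 217.12.253.226
set security ike gateway ike-gate-cfgr dead-peer-detection always-send
set security ike gateway ike-gate-cfgr dead-peer-detection interval 20
set security ike gateway ike-gate-cfgr local-identity inet 83.234.107.110
set security ike gateway ike-gate-cfgr external-interface fe-0/0/0.0
set security ike gateway ike-gate-cfgr version v1-only
"""
OLD_HOST_1 = """
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposal-set standard
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "123"
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 83.243.107.110
set security ike gateway ike-gate-cfgr external-interface vlan.8
set security ike gateway ike-gate-cfgr version v1-only
"""


def check_thread_configs(fixed=False):
    """Findings for the thread's pair; fixed=True applies the correction from post 9."""
    remote = OLD_HOST_1.replace("83.243.107.110", "83.234.107.110") if fixed else OLD_HOST_1
    return check_peering("Moscow-NO", NEW_HOST, "83.234.107.110",
                         "old-host-1", remote, "217.12.253.226")


if __name__ == "__main__":
    print(check_thread_configs())            # one finding, with the typo candidate
    print(check_thread_configs(fixed=True))  # [] once the address is corrected
```

    `check_thread_configs()` reproduces the failing state from the thread and names 83.243.107.110 as the probable transposition; `check_thread_configs(fixed=True)` shows the same check passing after the address is corrected, which is the point at which the policy and version comparisons also start to run.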