Screen OS

  • 1.  Problem with VPN configuration: The peer sent a TS that did not match the one in the SA config

    Posted 01-25-2017 03:06

    Hi,

    I have followed this document to establish a VPN connection between a Juniper SSG140 and an iOS device:

    https://forums.juniper.net/jnet/attachments/jnet/Firewalls/30984/4/Apple%20VPN%20and%20Juniper%20ScreenOS.pdf

    But I am stuck on:


    2017-01-25 09:09:45 info Rejected an IKE packet on ethernet0/9 from a.b.c.d:500 to w.x.y.z:500 with cookies 1328d54ec3a99964 and 54bd7563665d5c93 because The peer sent a TS that did not match the one in the SA config.
    2017-01-25 09:09:45 info IKE V2 w.x.y.z: Received a notification message for 16395 NOTIFY_MSG_NON_FIRST_FRAGMENTS_ALSO.
    2017-01-25 09:09:45 info IKE V2 w.x.y.z: Received a notification message for 16394 NOTIFY_MSG_ESP_TFC_PADDING_NOT_SUPPORTED.
    2017-01-25 09:09:45 info IKE w.x.y.z IKESA : Completed IKESA negotiations with IKE SA AUTH.
    2017-01-25 09:09:45 info IKE w.x.y.z IKESA: Completed for user swissmom-ios-user.
    2017-01-25 09:09:45 info IKE V2 w.x.y.z: Received a notification message for 16396 RESERVED TO IANA.
    2017-01-25 09:09:45 info IKE V2 w.x.y.z: Received a notification message for 16384 NOTIFY_MSG_INITIAL_CONTACT.
    2017-01-25 09:09:45 info IKE w.x.y.z CHILD SA with IKE SA INIT: Initiated negotiations.
    2017-01-25 09:09:45 info IKE V2 w.x.y.z: Received a notification message for 16430 RESERVED TO IANA.
    2017-01-25 09:09:45 info IKE V2 w.x.y.z: Received a notification message for 16389 NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP.
    2017-01-25 09:09:45 info IKE V2 w.x.y.z: Received a notification message for 16388 NOTIFY_MSG_NAT_DETECTION_SOURCE_IP.
    2017-01-25 09:09:45 info IKE V2 w.x.y.z: Received a notification message for 16406 RESERVED TO IANA.
    2017-01-25 09:09:45 info IKE w.x.y.z IKESA: Responder starts negotiations.

    Can someone please explain to me what this message (The peer sent a TS that did not match the one in the SA config) means and how I can potentially fix it? In the log reference guide:

    https://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_messages.pdf

    on page 287 I can only see this explanation:

    "The Traffic Sector (TS) payload (local and remote subnets protected by this tunnel) within the message was not consistent with the TS setting for this VPN configuration."

    But what does it mean exactly for me? How can I check the local and remote subnets protected by my tunnel? Which settings?

    Thanks,

    Matthias



  • 2.  RE: Problem with VPN configuration: The peer sent a TS that did not match the one in the SA config

    Posted 01-25-2017 05:34

    Hi Matthias,

    Please check KB https://kb.juniper.net/InfoCenter/index?page=content&id=KB5049&actp=search for the event logs. Do you see the same error for this VPN?

    If yes, then please configure the firewall security policy and the mobile VPN profile in such a way that the IPs match.

    OR, if you have only this policy-based VPN, then check the settings below:

    get ike policy-checking
    IKE Phase 2 ID payload checking is enabled   <----

    Try disabling it using the command: unset ike policy-checking

    Rollback: set ike policy-checking

    Thanks,

    Vikas
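    As an added illustration (not code from this thread or from ScreenOS), the following Python models the IKEv2 traffic-selector check behind the log line in question: the responder intersects the peer's proposed TSi/TSr with its own configured remote/local proxy-ID ranges, which for a policy-based VPN are derived from the policy's source and destination addresses. The subnets, the stray client address and the helper names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TS:
    """One IKEv2 traffic selector (RFC 7296 s3.13): address range + port range."""
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    port_lo: int = 0
    port_hi: int = 65535

    @classmethod
    def from_cidr(cls, cidr, port_lo=0, port_hi=65535):
        net = ipaddress.IPv4Network(cidr, strict=False)
        return cls(net[0], net[-1], port_lo, port_hi)


def narrow(proposed, configured):
    """Intersect a peer-proposed TS with a configured proxy-ID range.
    Returns the narrowed TS, or None when the two share no traffic at all."""
    start = max(proposed.start, configured.start)
    end = min(proposed.end, configured.end)
    lo = max(proposed.port_lo, configured.port_lo)
    hi = min(proposed.port_hi, configured.port_hi)
    if start > end or lo > hi:
        return None
    return TS(start, end, lo, hi)


def check_child_sa(peer_tsi, peer_tsr, cfg_remote, cfg_local):
    """Responder-side check. peer_tsi describes the initiator's addresses and is
    matched against our configured *remote* range; peer_tsr describes our side
    and is matched against our configured *local* range. Returns (accepted, why)."""
    remote = narrow(peer_tsi, cfg_remote)
    local = narrow(peer_tsr, cfg_local)
    if remote is None or local is None:
        return False, "TS did not match the SA config (no overlap with proxy-ID)"
    return True, f"CHILD_SA {remote.start}-{remote.end} <-> {local.start}-{local.end}"


# Constructed scenario: the policy protects 192.168.10.0/24 behind the firewall
# and the dial-up client pool 10.10.10.0/24 (hypothetical values).
CFG_LOCAL = TS.from_cidr("192.168.10.0/24")
CFG_REMOTE = TS.from_cidr("10.10.10.0/24")
ANY = TS.from_cidr("0.0.0.0/0")          # a mobile client proposing "all traffic"
STRAY_CLIENT = TS.from_cidr("172.16.5.7/32")  # address covered by no policy

if __name__ == "__main__":
    print(check_child_sa(ANY, ANY, CFG_REMOTE, CFG_LOCAL))           # accepted, narrowed
    print(check_child_sa(STRAY_CLIENT, ANY, CFG_REMOTE, CFG_LOCAL))  # rejected
```

    A responder may narrow a wide proposal down to its configured ranges, but an empty intersection on either side means no policy covers that traffic, which is what a missing or mismatched policy produces.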



  • 3.  RE: Problem with VPN configuration: The peer sent a TS that did not match the one in the SA config
    Best Answer

    Posted 01-26-2017 02:20

    Hi Vikas,

    Thanks a lot for your help. IKE policy checking was already disabled in my case. But it turned out it was... a policy problem!

    I didn't have a proper policy from untrust to trust with the tunnel. Now the tunnel is working fine.

    Thanks!

    Matthias