ScreenOS Firewalls (NOT SRX)
Visitor
RemoteVPN
Posts: 3
Registered: ‎12-23-2009

Rejected an IKE packet because an initial Phase 1 packet arrived from an unrecognized peer gateway.

I have tried to set up remote access VPN on our SSG 20 (Firmware Version: 6.1.0r2.0 (Firewall+VPN)).

I followed the setup guide step by step but still get the above error.

I have checked the IKE Identity, outgoing interface and Preshared key.

They are all the same.

Please help. Thanks a lot.

By the way, it looks like I cannot debug, as my login shows only the following commands:

clear                clear dynamic system info
delete               delete persistent info in flash
exec                 exec system commands
exit                 exit command console
get                  get system information
mtrace               multicast traceroute from source to destination
ping                 ping other host
reset                reset system
save                 save command
set                  configure system parameters
trace-route          trace route
unset                unconfigure system parameters

Distinguished Expert
muttbarker
Posts: 2,363
Registered: ‎01-29-2008

Re: Rejected an IKE packet because an initial Phase 1 packet arrived from an unrecognized peer gatew

First - debug does not show up when you do a CLI show command.

Key commands for debugging IKE are:

debug ike detail (turns on debug for ike)

clear db (clears out the debug buffers)

get db str (displays current buffer values)

This forum entry has even more detail on debug:

http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/Troubleshooting-Tips-Debug-commands/td-p/620...

Second - There are a bunch of reasons for this error. If you search the Juniper KB for that error you will get quite a few hits. Here is a very good KB article that will point out the most common problems:

http://kb.juniper.net/index?page=content&id=KB9238&actp=search&searchid=1285356435688

Hope that helps you get started in troubleshooting. I actually am just writing a bunch of documentation on NSRemote access for a client and can't tell you how many times I get this error as I document various setup scenarios and use the wrong ID type on one side or the incorrect interface or select certificate when I meant preshare...

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation
