Screen OS

 phase1 negotiation is Completed, but phase 2 negotiation always Initiated negotiations and try more times.

Ipsec vpn config:

Name Gateway Mode RPlay 1st Proposal Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ---------------
to-ZB to-ZB tunl Yes g2-esp-3des-md5 on 0 eth0/1
all proposals: g2-esp-3des-md5
peer gateway = 1**.**.**.*8
outgoing interface <ethernet0/1>
IPv4 address 2**.**.**.13.
vpn monitor src I/F <default>, dst-IP <default>, optimized NO, rekey OFF
l2tp over ipsec use count <0>
idle timeout value <0>
vpnflag <04010021>
df-bit <clear>
sa_list <00000003>
Bound tunnel interface: tunnel.1

Next-Hop Tunnel Binding table
Flag Status Next-Hop(IP) tunnel-id VPN

DSCP-mark: disabled

About ipsec log message:

2014-08-25 09:23:22 system info 00536 IKE 1**.**.**.*8 Phase 2: Initiated
negotiations.
2014-08-25 09:23:22 system info 00536 IKE 1**.**.**.*8 Phase 1: Completed
Main mode negotiations with a
28800-second lifetime.
2014-08-25 09:23:22 system info 00536 IKE 1**.**.**.*8 phase 1:The
symmetric crypto key has been
generated successfully.

2014-08-25 09:22:42 system info 00536 IKE 1**.**.**.*8 Phase 2: Initiated
negotiations.
2014-08-25 09:22:42 system info 00536 IKE 1**.**.**.*8 Phase 1: Completed
Main mode negotiations with a
28800-second lifetime.
2014-08-25 09:22:42 system info 00536 IKE 1**.**.**.*8 phase 1:The
symmetric crypto key has been
generated successfully.

2014-08-25 09:22:00 system info 00536 IKE 1**.**.**.*8 Phase 2: Initiated
negotiations.
2014-08-25 09:22:00 system info 00536 IKE 1**.**.**.*8 Phase 1: Completed
Main mode negotiations with a
28800-second lifetime.
2014-08-25 09:22:00 system info 00536 IKE 1**.**.**.*8 phase 1:The
symmetric crypto key has been
generated successfully.

2014-08-25 09:21:21 system info 00536 IKE 1**.**.**.*8 Phase 2: Initiated
negotiations.
2014-08-25 09:21:21 system info 00536 IKE 1**.**.**.*8 Phase 1: Completed
Main mode negotiations with a
28800-second lifetime.
2014-08-25 09:21:21 system info 00536 IKE 1**.**.**.*8 phase 1:The
symmetric crypto key has been
generated successfully.

the peer's device is hillstone,the ipsec log message:

2014-08-25 09:35:38, INFO@VPN: ISAKMP-SA expired, 1**.**.**.*8:500-2**.**.**.13:500 cookies:1c2591b1d6a324df:984ad46f4f2ceb1c
2014-08-25 09:35:37, INFO@VPN: responded new phase 2 negotiation: 1**.**.**.*8:500-2**.**.**.13:500
2014-08-25 09:35:34, INFO@VPN: initiate new phase 2 negotiation: 1**.**.**.*8:0-2**.**.**.13:0
2014-08-25 09:35:33, INFO@VPN: responded new phase 2 negotiation: 1**.**.**.*8:500-2**.**.**.13:500
2014-08-25 09:35:29, INFO@VPN: responded new phase 2 negotiation: 1**.**.**.*8:500-2**.**.**.13:500
2014-08-25 09:35:25, INFO@VPN: responded new phase 2 negotiation: 1**.**.**.*8:500-2**.**.**.13:500
2014-08-25 09:35:21, INFO@VPN: responded new phase 2 negotiation: 1**.**.**.*8:500-2**.**.**.13:500
2014-08-25 09:35:17, INFO@VPN: responded new phase 2 negotiation: 1**.**.**.*8:500-2**.**.**.13:500
2014-08-25 09:35:13, INFO@VPN: responded new phase 2 negotiation: 1**.**.**.*8:500-2**.**.**.13:500
2014-08-25 09:35:09, INFO@VPN: responded new phase 2 negotiation: 1**.**.**.*8:500-2**.**.**.13:500
2014-08-25 09:35:09, INFO@VPN: *****ISAKMP-SA established, 1**.**.**.*8:500-2**.**.**.13:500 cookies:17e698810eb8cca9:69557a84a0c1d8d0*****
2014-08-25 09:35:09, INFO@VPN: responded new phase 1 negotiation: 1**.**.**.*8:500-2**.**.**.13:500
2014-08-25 09:34:57, INFO@VPN: ISAKMP-SA expired, 1**.**.**.*8:500-2**.**.**.13:500 cookies:9ddf08095c218a0c:f64e68a340e106f9
2014-08-25 09:34:56, INFO@VPN: responded new phase 2 negotiation: 1**.**.**.*8:500-2**.**.**.13:500
2014-08-25 09:34:52, INFO@VPN: responded new phase 2 negotiation: 1**.**.**.*8:500-2**.**.**.13:500
2014-08-25 09:34:48, INFO@VPN: responded new phase 2 negotiation: 1**.**.**.*8:500-2**.**.**.13:500
2014-08-25 09:34:44, INFO@VPN: responded new phase 2 negotiation: 1**.**.**.*8:500-2**.**.**.13:500
2014-08-25 09:34:40, INFO@VPN: responded new phase 2 negotiation: 1**.**.**.*8:500-2**.**.**.13:500
2014-08-25 09:34:36, INFO@VPN: responded new phase 2 negotiation: 1**.**.**.*8:500-2**.**.**.13:500
2014-08-25 09:34:33, INFO@VPN: initiate new phase 2 negotiation: 1**.**.**.*8:0-2**.**.**.13:0
2014-08-25 09:34:32, INFO@VPN: responded new phase 2 negotiation: 1**.**.**.*8:500-2**.**.**.13:500
2014-08-25 09:34:28, INFO@VPN: responded new phase 2 negotiation: 1**.**.**.*8:500-2**.**.**.13:500
2014-08-25 09:34:28, INFO@VPN: *****ISAKMP-SA established, 1**.**.**.*8:500-2**.**.**.13:500 cookies:1

the negotiation port is "0", Is it problem ?

2014-08-25 09:35:34, INFO@VPN: initiate new phase 2 negotiation: 1**.**.**.*8:0-2**.**.**.13:0

The port is not a problem.  It looks like something between the two devices is dropping the ESP traffic.

the local or peer is dropping ? And in the local, the endpoint always recive a great many invaild negotiation packet from the other device.

If the invalid negotiation packets is continued revicing, in the case, the normal packets will affect ?

The Phase-2 is not going through, but I do not see any error messages in the event logs. Can you collect an IKE debug?

set sa-filter <ip of peer>

clear db

debug ike detail

**Wait for one round of VPN negotiation to go through and P2 to fail**

Undebug all

set console page 0

get db st

The debug will provide more details about why P2 is failing.

Now the problem is sloved. Detele old configration and set new both of peer for ipsec vpn. I nerver find the reason for the problem.The debug troubleshooting is a good way but the device is servicing and don't allow that opertaion now.

thanks

---

@jony.shi wrote:

 I nerver find the reason for the problem.

---

Anyway, glad that the VPN is up now! 🙂