SRX Services Gateway

IKE proposal troubleshooting

08-08-2013 02:25 PM

Hi,

I have one question here. Is there any way to get the proposal info on the SRX? Suppose I am establishing an IPsec VPN with another organization and they set the proposal to "proposal-set compatible" instead of "standard". Is there any traceoption or log that will indicate where exactly the mismatch is, or which parameter is missing or wrong, instead of finger-pointing at each other?

Regards,

Mohamed Elhariry

Regards,
Mohamed Elhariry
2* JNCIE (SEC # 159, SP # 1059),JNCIP-ENT

[Click the "Star" for Kudos if you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Solution (accepted by topic author mhariry, 08-26-2015 01:27 AM)

Re: IKE proposal troubleshooting

08-08-2013 02:44 PM

You can look at "show log kmd" and also configure traceoptions under security -> ike.

There's a hidden command to set a more detailed debug level as well, "set security ike traceoptions level 15" (or other levels; I just use 15 usually).

This is a place to start:

# set security ike traceoptions file ike-debug size 10m files 2
# set security ike traceoptions flag all
# set security ike traceoptions level 15

This will put the IKE debugs into a separate file called "ike-debug", so you can do a "show log ike-debug" to see the relevant information.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Re: IKE proposal troubleshooting

08-09-2013 12:45 AM

Hi kr,

Thanks for your reply. I saw the same advice in a previous post from you 🙂 and had already tried it before asking. The problem is this: I have a VPN that is working fine, but I tried to change the proposal from standard to compatible. How can I see in the logs that there is a mismatch in the proposal and that the received one is standard, not compatible? I am simulating a troubleshooting problem.

I attached the log from the traceoptions file created; I replaced my IP address with 92.X.X.X and the remote IP with 94.Y.Y.Y.

For the kmd file, it is showing no logs.

Regards,

Mohamed Elhariry

Re: IKE proposal troubleshooting

08-10-2013 12:02 AM (edited)
I think the exact words you are looking for may be generated some other way; however, based on what we know from Juniper so far, your error means exactly what you have simulated: that there is a mismatch between the IKE phase 2 proposals. This is not like OSPF, which tells you "area mismatch" :) I hope this helps you a little bit more.

9da4614f [0] / 0xfe8d052d } Info; Notify message version = 1
Aug  9 11:37:18 92.X.X.X:500 (Responder) <-> 94.Y.Y.Y:500 { 54f3cbfb 54471d6d - 87d62fbd 9da4614f [0] / 0xfe8d052d } Info; Error text = Could not find acceptable proposal
Aug  9 11:37:18 92.X.X.X:500 (Responder) <-> 94.Y.Y.Y:500 { 54f3cbfb 54471d6d - 87d62fbd 9da4614f [0] / 0xfe8d052d } Info; Offending message id = 0x00000000

Aug  9 11:37:18 92.X.X.X:500 (Responder) <-> 94.Y.Y.Y:500 { 54f3cbfb 54471d6d - 87d62fbd 9da4614f [0] / 0xfe8d052d } Info; Error text = Could not find acceptable proposal
Aug  9 11:37:18 92.X.X.X:500 (Responder) <-> 94.Y.Y.Y:500 { 54f3cbfb 54471d6d - 87d62fbd 9da4614f [0] / 0xfe8d052d } Info; Offending message id = 0x00000000
Aug  9 11:37:18 92.X.X.X:500 (Responder) <-> 94.Y.Y.Y:500 { 54f3cbfb 54471d6d - 87d62fbd 9da4614f [0] / 0xfe8d052d } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it

If phase 2 negotiation has been initiated and you get the "Error = NO_PROPOSAL_CHOSEN" message, this indicates a mismatch in proposals between the two peers. The phase 2 proposal elements include the following:

Authentication algorithm (MD5, SHA1)
Encryption algorithm (DES, 3DES, AES128, AES192, AES256)
Lifetime kilobytes (sometimes referred to as lifesize)
Lifetime seconds
Protocol (AH, ESP)
Perfect Forward Secrecy (Diffie-Hellman group1, group2, group5)

If phase 2 fails to complete with an error in the proposal, then confirm that the remote peer has at least one proposal configured in which the Authentication and Encryption algorithms, Protocol and Perfect Forward Secrecy (PFS) match at least one proposal on the local side. A common misconfiguration is a PFS group key mismatch: perhaps one side has a PFS group key configured, whereas the remote side may either not have PFS enabled or has an incorrect group key. Also, with some third-party non-Juniper devices, the Lifetime in kilobytes and/or seconds may also need to match.
[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Re: IKE proposal troubleshooting

08-10-2013 12:32 AM

Hi,

It is a phase 1 problem, not phase 2; I changed the proposal under the IKE policy.

So we can confirm from the traceoptions, but I couldn't figure out that the proposal from the other end is standard, not compatible.

I am facing problems when I establish a VPN with any other vendor: sometimes the parameters are not clear, or the IT admin there is not qualified to give me the correct parameters. So I want to detect it on my FW and adjust it without referring to him.

Regards,

Mohamed Elhariry

Re: IKE proposal troubleshooting

08-10-2013 01:22 AM

TCPDUMP can provide you complete information of the exchange.

Regards,

Raveen

Note: If this answers your question, you could mark this post as accepted solution, that way it helps others as well. Kudos will be cool if I earned it!
Re: IKE proposal troubleshooting

08-10-2013 01:46 AM

Yes, you are correct. So far I have not seen any logs that would indicate what proposal is being used at the other end. So are you saying you cannot ask for and get this information?

Then you could not have seen any IKE SA? In fact, I should have paid more attention. That means when you run the command ">show security ike sa", it should not show anything. But as I said, I should have been more careful. If phase one was successful it would have said "Responder done":
Oct 8 10:41:40 Phase-1 [responder] done for local=ipv4(udp:500,[0..3]=1.1.1.2)
remote=ipv4(udp:500,[0..3]=2.2.2.2)
This has more information on troubleshooting: http://www.juniper.net/techpubs/en_US/junos13.1/information-products/topic-collections/nce/vpn-hub-s...
Clear the log, clear the sessions:
clear security ike security-associations

Add the following to your traceoptions (if they are not present), I think.

Then post the new log and we should get more details.

[edit security ike traceoptions]
lab@srxA-2# show | display set
set security ike traceoptions file iktrace
set security ike traceoptions flag policy-manager
set security ike traceoptions flag routing-socket
set security ike traceoptions flag parse
set security ike traceoptions flag config
set security ike traceoptions flag ike

Re: IKE proposal troubleshooting

08-10-2013 01:52 AM (edited)

Tell the admin to log in and tell him exactly where to look for the information you need.

This gave me another idea. So I changed the proposal in phase 1 and saved the log file. Then I changed it back to the correct one and compared them. And it made a world of difference. So we know that the connection error 14 means a mismatched proposal. I have not done the same for phase 2 IPsec, but may try it later. You can actually see it telling you the hash, encryption algorithm etc. Very nice. My suggestion is to do the same and you will get better information for yourself.

Re: IKE proposal troubleshooting

08-11-2013 12:57 PM

Thanks everyone.

It started working; I got this in the traceoptions:


Aug 11 23:44:51 ike_find_group_from_sa: No isakmp group defined yet
Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 1 (0x0001), value = 5 (0x00000005), len = 2 (0x0002)
Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Encryption alg = 5 (3des-cbc)
Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 2 (0x0002), value = 2 (0x00000002), len = 2 (0x0002)
Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Hash alg = 2 (sha1)
Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 3 (0x0003), value = 1 (0x00000001), len = 2 (0x0002)
Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Auth method = 1
Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 4 (0x0004), value = 2 (0x00000002), len = 2 (0x0002)
Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Group = 2, a8f180
Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 11 (0x000b), value = 1 (0x00000001), len = 2 (0x0002)
Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 12 (0x000c), value = 28800 (0x00007080), len = 2 (0x0002)
Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Life duration 28800 secs

Although the kmd file is still empty, I think it is another problem, maybe related to the Junos version. I will check later.

# run show log kmd    
Aug 11 22:19:55 SRX-FW1 clear-log[4640]: logfile cleared
Aug 11 23:53:26 Group/Shared IKE ID VPN configured: 0

Thanks again to all members.

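As an added example (not code from the thread or from Juniper): a small Python script that parses ike traceoptions lines in the format quoted above, decodes the Phase 1 SA attributes (encryption, hash, auth method, DH group, lifetime), flags the "Could not find acceptable proposal" / "No proposal chosen (14)" notify, and reports which predefined Junos proposal sets would accept the decoded triple, so you can see on your own SRX whether the far end is speaking "standard" or "compatible". The contents of the predefined proposal sets are my recollection of the Junos documentation (verify against your release), and the sample lines are constructed.

```python
import re

# Constructed sample lines in the format of this thread's ike traceoptions output
HDR = ("Aug 11 23:44:51 192.0.2.1:500 (Initiator) <-> 198.51.100.9:500 "
       "{ d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; ")
TRACE_OK = [HDR + s for s in ("Encryption alg = 5 (3des-cbc)", "Hash alg = 2 (sha1)",
            "Auth method = 1", "Group = 2, a8f180", "Life duration 28800 secs")]
TRACE_FAIL = [HDR + s for s in ("Encryption alg = 5 (3des-cbc)", "Hash alg = 1 (md5)", "Group = 2, a8f180")]
TRACE_FAIL.append("Aug  9 11:37:18 192.0.2.1:500 (Responder) <-> 198.51.100.9:500 "
                  "{ 54f3cbfb 54471d6d - 87d62fbd 9da4614f [0] / 0xfe8d052d } Info; "
                  "Error text = Could not find acceptable proposal")
ATTR_RE = re.compile(r"\((?:Initiator|Responder)\) .*? (?:(?P<key>Encryption alg|Hash alg|Auth method|Group)"
                     r" = (?P<val>\d+)(?: \((?P<name>[^)]+)\))?|Life duration (?P<life>\d+) secs)")
FAIL_RE = re.compile(r"Could not find acceptable proposal|No proposal chosen \(14\)")
AUTH_METHOD = {1: "pre-shared-keys", 3: "rsa-signatures"}   # IKEv1 values, RFC 2409
DH_GROUP = {1: "group1", 2: "group2", 5: "group5", 14: "group14"}
# Predefined Junos IKE proposal sets as (encryption, hash, group). Assumption from memory
# of the Junos docs: verify against your release before relying on it.
PROPOSAL_SETS = {
    "standard": {("aes128-cbc", "sha1", "group2"), ("3des-cbc", "sha1", "group2")},
    "compatible": {("3des-cbc", "sha1", "group2"), ("3des-cbc", "md5", "group2"),
                   ("des-cbc", "sha1", "group2"), ("des-cbc", "md5", "group2")},
}

def parse_trace(lines):
    # Returns (phase 1 attributes decoded in the trace, True if a mismatch notify was seen)
    offer, mismatch = {}, False
    for line in lines:
        if FAIL_RE.search(line):
            mismatch = True
            continue
        m = ATTR_RE.search(line)
        if not m:
            continue
        if m.group("life"):
            offer["lifetime-seconds"] = int(m.group("life"))
        elif m.group("key") == "Encryption alg":
            offer["encryption"] = m.group("name")
        elif m.group("key") == "Hash alg":
            offer["hash"] = m.group("name")
        elif m.group("key") == "Auth method":
            offer["auth"] = AUTH_METHOD.get(int(m.group("val")), m.group("val"))
        else:  # "Group = 2, a8f180": only the numeric group id matters
            offer["dh-group"] = DH_GROUP.get(int(m.group("val")), m.group("val"))
    return offer, mismatch

def matching_sets(offer):
    triple = (offer.get("encryption"), offer.get("hash"), offer.get("dh-group"))
    return sorted(n for n, props in PROPOSAL_SETS.items() if triple in props)
```

Run it against your own trace file (for example the output of "show log ike-debug") instead of the constructed lists; if matching_sets() returns only "compatible" while your policy uses "standard", that is the mismatch the thread was trying to surface.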