SRX Services Gateway

SRX650: IKE negotiation failed with error: SA unusable

‎07-06-2016 03:05 PM

Hey everyone, there is now a VPN interruption fault: the VPN is normal and then suddenly interrupted. The other VPN on this side is normal.


configuration:


set security ike proposal IKE-phase1-proposal authentication-method pre-shared-keys
set security ike proposal IKE-phase1-proposal dh-group group2
set security ike proposal IKE-phase1-proposal authentication-algorithm md5
set security ike proposal IKE-phase1-proposal encryption-algorithm 3des-cbc
set security ike proposal IKE-phase1-proposal lifetime-seconds 86400

set security ike policy XXXXX mode main
set security ike policy XXXXX proposals IKE-phase1-proposal
set security ike policy XXXXX pre-shared-key ascii-text "$9$g7JGj.m5n9t4a39A0hcoJGUqmP5Qzn/HkApu0IRNdVbgoaZUDk."
set security ike gateway XXXXX ike-policy XXXXX
set security ike gateway XXXXX address X.X.X.X
set security ike gateway XXXXX dead-peer-detection interval 10
set security ike gateway XXXXX dead-peer-detection threshold 3
set security ike gateway XXXXX external-interface reth1.1299


set security ipsec proposal IPsec-phase2-proposal protocol esp
set security ipsec proposal IPsec-phase2-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal IPsec-phase2-proposal encryption-algorithm 3des-cbc
set security ipsec proposal IPsec-phase2-proposal lifetime-seconds 28800
set security ipsec proposal IPsec-phase2-proposal lifetime-kilobytes 4608000

set security ipsec policy IPsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy IPsec-phase2-policy proposals IPsec-phase2-proposal

set security ipsec vpn XXXXX bind-interface st0.23
set security ipsec vpn XXXXX ike gateway XXXXX
set security ipsec vpn XXXXX ike proxy-identity local X.X.X.X/32
set security ipsec vpn XXXXX ike proxy-identity remote X.X.X.X/24
set security ipsec vpn XXXXX ike proxy-identity service any
set security ipsec vpn XXXXX ike ipsec-policy IPsec-phase2-policy
set security ipsec vpn XXXXX establish-tunnels immediately

First, using the command: show log messages,

kmd[1396]: IKE negotiation failed with error: SA unusable. IKE Version: 1, XXXX Gateway: XXXXX, Local: XXXX/500, Remote: XXXX/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
kmd[1396]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: XXXX Gateway: XXXXX, Local: XXXX/500, Remote: XXXX/500, Local IKE-ID: XXXX, Remote IKE-ID: XXXX, VR-ID: 0
kmd[1396]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: XXXX Gateway: XXXXX, Local: XXXX/500, Remote: XXXX/500, Local IKE-ID: XXXX, Remote IKE-ID: XXXX, VR-ID: 0
kmd[1396]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: XXXX Gateway: XXXXX, Local: XXXX/500, Remote: XXXX/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

 /kernel: IPv4 ESP input: no key association found for packet(SPI=2511170941 seq=7653 src=remote_ip dst=local_ip)
kmd[1396]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=XXXX remote_ip=XXXX]
kmd[1396]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=Local, dst_ip=remote_ip]
kmd[1396]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: XXXX/500, Remote: XXXX/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
kmd[1396]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: XXXX Gateway: XXXX, Local: XXXX/500, Remote: XXXX/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
kmd[1396]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: XXXX Gateway: XXXX, Local: XXXX/500, Remote: XXXX/500, Local IKE-ID: XXXX, Remote IKE-ID: XXXX, VR-ID: 0

IKE Traceoption:

IPSec negotiation failed for SA-CFG XXXX for local:XXXX, remote:XXXX IKEv1. status: Timed out
P2 ed info: flags 0x80, P2 error: Error ok
iked_pm_check_p2_failure_num: Phase2 failed 2/3 times for P1 SA 11279821
IKEv1 Error : Timeout
ike_retransmit_callback: Start, retransmit SA = { d79a696c bd7811dd - 1d945cae 5f4c2957}, nego = 2
ike_retransmit_callback: Isakmp query retry limit reached, deleting
<none>:500 (Responder) <-> XXXX:500 { d79a696c bd7811dd - 1d945cae 5f4c2957 [2] / 0xbbd0abbe } QM; Error = Timeout (8197)
ike_send_notify: Private notification, do not send notification

IPSec negotiation failed for SA-CFG XXXX for local:XXXX, remote:XXXX IKEv1. status: Timed out
P2 ed info: flags 0x80, P2 error: Error ok
iked_pm_check_p2_failure_num: Phase2 failed 3/3 times for P1 SA 11279821
iked_pm_check_p2_failure_num: Deleting P1 SA 11279821 due to 3 Phase2 failures
IKEv1 Error : Timeout
P1 SA 11279821 timer expiry. ref cnt 24, timer reason Defer delete timer expired (3), flags 0x191.
iked_pm_ike_sa_delete_notify_done_cb: For p1 sa index 11279821, ref cnt 24, status: Error ok
ikev2_packet_allocate: Allocated packet f41400 from freelist
  ike_retransmit_callback: Start, retransmit SA = { d79a696c bd7811dd - 1d945cae 5f4c2957}, nego = 0
  ike_send_packet: Start, retransmit previous packet SA = { d79a696c bd7811dd - 1d945cae 5f4c2957}, nego = 0, dst = XXXX:500 routing table id = 0
  ike_retransmit_callback: Start, retransmit SA = { d79a696c bd7811dd - 1d945cae 5f4c2957}, nego = 1
  ike_send_packet: Start, retransmit previous packet SA = { d79a696c bd7811dd - 1d945cae 5f4c2957}, nego = 1, dst = XXXX:500 routing table id = 0
  ike_retransmit_callback: Start, retransmit SA = { d79a696c bd7811dd - 1d945cae 5f4c2957}, nego = 2
  ike_send_packet: Start, retransmit previous packet SA = { d79a696c bd7811dd - 1d945cae 5f4c2957}, nego = 2, dst = XXXX:500 routing table id = 0
  ike_retransmit_callback: Start, retransmit SA = { d79a696c bd7811dd - 1d945cae 5f4c2957}, nego = 3
  ike_send_packet: Start, retransmit previous packet SA = { d79a696c bd7811dd - 1d945cae 5f4c2957}, nego = 3, dst = XXXX:500 routing table id = 0
  ike_retransmit_callback: Start, retransmit SA = { d79a696c bd7811dd - 1d945cae 5f4c2957}, nego = 4
  ike_send_packet: Start, retransmit previous packet SA = { d79a696c bd7811dd - 1d945cae 5f4c2957}, nego = 4, dst = XXXX:500 routing table id = 0
  ike_retransmit_callback: Start, retransmit SA = { d79a696c bd7811dd - 1d945cae 5f4c2957}, nego = 5
  …………………………
  ike_retransmit_callback: Start, retransmit SA = { d79a696c bd7811dd - 1d945cae 5f4c2957}, nego = 25
  ike_send_packet: Start, retransmit previous packet SA = { d79a696c bd7811dd - 1d945cae 5f4c2957}, nego = 25, dst = 60.191.8.38:500 routing table id = 0
  ike_sa_find: Found SA = { d79a696c bd7811dd - 1d945cae 5f4c2957 }
iked_pm_ike_sa_done: UNUSABLE p1_sa 11279822
IKEv1 Error : Timeout
IPSec Rekey for SPI 0x0 failed


<none>:500 (Responder) <-> XXXXX:500 { 573b4665 48ee2a63 - 6d2e2c0d 988e21c6 [0] / 0xa84af9b5 } Info; Trying to decrypt, but no decryption context initialized
<none>:500 (Responder) <-> XXXXX:500 { 573b4665 48ee2a63 - 6d2e2c0d 988e21c6 [0] / 0xa84af9b5 } Info; Error = No SA established (8194)
ike_send_notify: Notification to informational exchange ignored

From these logs, I want to confirm whether the problem is on the end device or on the link?

Remote device: H3C MSR3600

What is this generally caused by?

Thank you
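An added triage helper for logs of this shape (my code, not from the thread or from Juniper): it parses kmd "IKE negotiation failed" lines and the kernel "no key association" line, tallies failures per peer, and attaches a first-look hint. The sample lines, addresses and VPN/gateway names are constructed placeholders, and the hints are my reading of the post's traceoptions (P1 SA deleted after three Phase 2 failures, then marked UNUSABLE), not vendor documentation.

```python
import re
from collections import Counter

# Constructed sample lines shaped like the kmd/kernel messages in the post;
# addresses and VPN/gateway names are placeholders, not from the original logs.
SAMPLE_LOG = """\
kmd[1396]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: VPN-A Gateway: GW-A, Local: 192.0.2.1/500, Remote: 198.51.100.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
/kernel: IPv4 ESP input: no key association found for packet(SPI=2511170941 seq=7653 src=198.51.100.2 dst=192.0.2.1)
kmd[1396]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 192.0.2.1/500, Remote: 198.51.100.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
kmd[1396]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: VPN-A Gateway: GW-A, Local: 192.0.2.1/500, Remote: 198.51.100.2/500, Local IKE-ID: 192.0.2.1, Remote IKE-ID: 198.51.100.2, VR-ID: 0
kmd[1396]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: VPN-A Gateway: GW-A, Local: 192.0.2.1/500, Remote: 198.51.100.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
"""

# The "VPN:" label is optional because one line in the post lacks it.
IKE_FAIL = re.compile(
    r"IKE negotiation failed with error: (?P<error>[^.]+)\. IKE Version: (?P<ver>\d+), "
    r"(?:VPN: )?(?P<vpn>\S+) Gateway: (?P<gw>\S+), Local: (?P<local>[^/]+)/\d+, "
    r"Remote: (?P<remote>[^/]+)/\d+"
)
# ESP arrived for an SPI this device holds no IPsec SA for: the peer still uses an SA we dropped.
ESP_NOKEY = re.compile(r"ESP input: no key association found for packet\(SPI=(?P<spi>\d+)")

# First-look hints; my reading of the post's logs, not vendor documentation.
HINTS = {
    "No proposal chosen": "Phase 1/2 parameter mismatch: compare DH group, auth/encryption algorithms, PFS and lifetimes on both peers",
    "SA unusable": "peer negotiated on a Phase 1 SA this side marked unusable (traceoptions: P1 SA deleted after 3 Phase 2 failures)",
    "Timed out": "no reply to retransmits: check reachability and that UDP/500 and ESP are not dropped on the path",
}

def parse_ike_failures(text):
    """Return (Counter of (remote_ip, error) -> count, list of unknown ESP SPIs)."""
    failures, orphan_spis = Counter(), []
    for line in text.splitlines():
        if m := IKE_FAIL.search(line):
            failures[(m["remote"], m["error"])] += 1
        elif m := ESP_NOKEY.search(line):
            orphan_spis.append(int(m["spi"]))
    return failures, orphan_spis

def triage(text):
    """Summarise failures per peer, most frequent first, each with a hint."""
    failures, orphan_spis = parse_ike_failures(text)
    rows = [{"remote": r, "error": e, "count": n, "hint": HINTS.get(e, "unclassified; read traceoptions")}
            for (r, e), n in sorted(failures.items(), key=lambda kv: -kv[1])]
    if orphan_spis:
        rows.append({"remote": None, "error": "ESP with unknown SPI", "count": len(orphan_spis),
                     "hint": "peer still sends on an IPsec SA this side no longer holds; stale SA on the peer"})
    return rows
```

Run it on a saved copy of `show log messages` with `triage(open("messages").read())`; a peer that only ever shows "Timed out" points at the path, while "No proposal chosen" on the same peer points at the configuration.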
