what is causing this problem?

— Exhibit –[edit]
user@SRX-1# show security ike traceoptions
file ike-trace;
flag all;
[edit]
user@SRX-1# show security ipsec traceoptions
flag all;
user@SRX-1> show log ike-trace

Jun 13 17:00:33 :500 (Responder) -> 192.168.1.11:500 { 15276b72 6656c3b6 – 4ea713e7
d2487276 [1] / 0x9828a32e } QM; Invalid protocol_id = 0
Jun 13 17:00:34 Received authenticated notification payload unknown from local:192.168.1.10
remote:192.168.1.11 IKEv1 for P1 SA 3075335
Jun 13 17:00:34 iked_pm_ike_spd_notify_receiveD. Negotiation is already failed. Reason: TS
unacceptable.
Jun 13 17:00:34 QM notification `(null)’ (40001) (size 8 bytes) from 192.168.1.11 for protocol
Reserved spi[0…3]=0f f0 ce d3
Jun 13 17:00:34 ike_st_i_private: Start
Jun 13 17:00:34 ike_st_o_qm_hash_2: Start
Jun 13 17:00:34 ike_st_o_qm_sa_values: Start
Jun 13 17:00:34 :500 (Responder) -> 192.168.1.11:500 { 15276b72 6656c3b6 – 4ea713e7
d2487276 [1] / 0x9828a32e } QM; Error = No proposal chosen (14)
Jun 13 17:00:34 ike_alloc_negotiation: Start, SA = { 15276b72 6656c3b6 – 4ea713e7 d2487276}
Jun 13 17:00:34 ike_encode_packet: Start, SA = { 0x15276b72 6656c3b6 – 4ea713e7 d2487276 }

/ 65407839, nego = 2
Jun 13 17:00:34 ike_send_packet: Start, send SA = { 15276b72 6656c3b6 – 4ea713e7 d2487276},
nego = 2, dst = 192.168.1.11:500, routing table id = 0
Jun 13 17:00:34 ike_delete_negotiation: Start, SA = { 15276b72 6656c3b6 – 4ea713e7 d2487276},
nego = 2
Jun 13 17:00:34 ike_free_negotiation_info: Start, nego = 2
Jun 13 17:00:34 ike_free_negotiation: Start, nego = 2
Jun 13 17:00:34 IPSec negotiation failed for SA-CFG Unknown for local:192.168.1.10,
remote:192.168.1.11 IKEv1. status: TS unacceptable
Jun 13 17:00:34 P2 ed info: flags 0x0, P2 error: TS unacceptable
Jun 13 17:00:34 iked_pm_ipsec_sa_done: Phase2 failed 2/3 times for P1 SA 3075335
— Exhibit –Click the Exhibit button.
The IPsec tunnel is not establishing between SRX-1 and a remote device.
Referring to the exhibit, what is causing this problem?

— Exhibit –[edit]
user@SRX-1# show security ike traceoptions
file ike-trace;
flag all;
[edit]
user@SRX-1# show security ipsec traceoptions
flag all;
user@SRX-1> show log ike-trace

Jun 13 17:00:33 :500 (Responder) -> 192.168.1.11:500 { 15276b72 6656c3b6 – 4ea713e7
d2487276 [1] / 0x9828a32e } QM; Invalid protocol_id = 0
Jun 13 17:00:34 Received authenticated notification payload unknown from local:192.168.1.10
remote:192.168.1.11 IKEv1 for P1 SA 3075335
Jun 13 17:00:34 iked_pm_ike_spd_notify_receiveD. Negotiation is already failed. Reason: TS
unacceptable.
Jun 13 17:00:34 QM notification `(null)’ (40001) (size 8 bytes) from 192.168.1.11 for protocol
Reserved spi[0…3]=0f f0 ce d3
Jun 13 17:00:34 ike_st_i_private: Start
Jun 13 17:00:34 ike_st_o_qm_hash_2: Start
Jun 13 17:00:34 ike_st_o_qm_sa_values: Start
Jun 13 17:00:34 :500 (Responder) -> 192.168.1.11:500 { 15276b72 6656c3b6 – 4ea713e7
d2487276 [1] / 0x9828a32e } QM; Error = No proposal chosen (14)
Jun 13 17:00:34 ike_alloc_negotiation: Start, SA = { 15276b72 6656c3b6 – 4ea713e7 d2487276}
Jun 13 17:00:34 ike_encode_packet: Start, SA = { 0x15276b72 6656c3b6 – 4ea713e7 d2487276 }

/ 65407839, nego = 2
Jun 13 17:00:34 ike_send_packet: Start, send SA = { 15276b72 6656c3b6 – 4ea713e7 d2487276},
nego = 2, dst = 192.168.1.11:500, routing table id = 0
Jun 13 17:00:34 ike_delete_negotiation: Start, SA = { 15276b72 6656c3b6 – 4ea713e7 d2487276},
nego = 2
Jun 13 17:00:34 ike_free_negotiation_info: Start, nego = 2
Jun 13 17:00:34 ike_free_negotiation: Start, nego = 2
Jun 13 17:00:34 IPSec negotiation failed for SA-CFG Unknown for local:192.168.1.10,
remote:192.168.1.11 IKEv1. status: TS unacceptable
Jun 13 17:00:34 P2 ed info: flags 0x0, P2 error: TS unacceptable
Jun 13 17:00:34 iked_pm_ipsec_sa_done: Phase2 failed 2/3 times for P1 SA 3075335
— Exhibit –Click the Exhibit button.
The IPsec tunnel is not establishing between SRX-1 and a remote device.
Referring to the exhibit, what is causing this problem?

A.
IKE Phase 1 IKE ID mismatch

B.
IKE Phase 1 proposals mismatch

C.
IKE Phase 2 proxy ID mismatch

D.
IKE Phase 2 proposals mismatch

Explanation:



Leave a Reply 4

Your email address will not be published. Required fields are marked *


hans

hans

Think C:

Phase2 failed 2/3 times for P1 SA 3075335

This indicates that Phase 1 is up, as it has an Security Association,
and P2 is failing the second time out of 3 tries.
In my opinion not a P1 Problem.

JNCSP-MIKE

JNCSP-MIKE

remote:192.168.1.11 IKEv1. status: TS unacceptable

Phase 2 Proxy ID mismatch.