ALM-15795028 hwIPSecNegoFail

Description

IPSec tunnel negotiation fails. (Ifindex=[Ifindex], SeqNum=[SeqNum], Reason=[Reason-Str], ReasonCode=[ReasonCode], PeerAddress=[PeerAddress], PeerPort=[PeerPort], VsysName=[vsys-name], InterfaceName=[InterfaceName])

Attribute

Parameters

Impact on the System

An IPsec tunnel fails to be established.

Possible Causes

The possible causes are as follows:

• phase1 proposal mismatch: IKE proposal parameters on both ends do not match. This field is displayed only on the tunnel initiator.
• phase1 proposal encryption algorithm mismatch: Encryption algorithm parameters in IKE proposals on both ends do not match. This field is displayed only on the tunnel responder.
• phase1 proposal authentication method mismatch: Authentication method parameters in IKE proposals on both ends do not match. This field is displayed only on the tunnel responder.
• phase1 proposal authentication algorithm mismatch: Authentication algorithm parameters in IKE proposals on both ends do not match. This field is displayed only on the tunnel responder.
• phase1 proposal dh mismatch: DH group parameters in IKE proposals on both ends do not match. This field is displayed only on the tunnel responder.
• phase1 proposal integrity algorithm mismatch: Integrity algorithm parameters in IKE proposals on both ends do not match. This field is displayed only on the tunnel responder.
• phase1 proposal prf mismatch: PRF algorithm parameters in IKE proposals on both ends do not match. This field is displayed only on the tunnel responder.
• phase2 proposal or pfs mismatch: IPsec proposal parameters, pfs algorithm, or security ACL of the two ends do not match.
• responder dh mismatch: The DH algorithm of the responder does not match.
• initiator dh mismatch: The DH algorithm of the initiator does not match.
• encapsulation mode mismatch: The encapsulation mode does not match.
• flow or peer mismatch: The security ACL or IKE peer address of the two ends does not match.
• version mismatch: The IKE version number of the two ends does not match.
• peer address mismatch: The IKE peer address of the two ends does not match.
• config ID mismatch: The IKE peer of the specified ID is not found.
• exchange mode mismatch: The negotiation mode of the two ends does not match.
• authentication fail: Identity authentication fails.
• construct local ID fail: The local ID fails to be constructed.
• rekey no find old sa: The old SA is not found during re-negotiation.
• rekey fail: The old SA is going offline during re-negotiation.
• first packet limited: The rate of the first packet is limited.
• unsupported version: The IKE version number is not supported.
• malformed message: Malformed message.
• malformed payload: Malformed payload.
• malformed payload or psk mismatch: Malformed payload or pre-share-key mismatch.
• critical drop: Unidentified critical payload.
• cookie mismatch: Cookie mismatch.
• invalid cookie: Invalid cookie.
• invalid length: Invalid packet length.
• unknown exchange type: Unknown negotiation mode.
• uncritical drop: Unidentified non-critical payload.
• route limit: The number of injected routes has reached the upper limit.
• ip assigned fail: IP address allocation fails.
• eap authentication timeout: EAP authentication times out.
• eap authentication fail: EAP authentication fails.
• xauth authentication fail: XAUTH authentication fails.
• xauth authentication timeout: XAUTH authentication timeout.
• license or specification limited: License limit.
• local address mismatch: The local IP address in IKE negotiation and interface IP address do not match.
• dynamic peers number reaches limitation: The number of IKE peers reaches the upper limit.
• ipsec tunnel number reaches limitation: The number of IPsec tunnels reaches the upper limit.
• netmask mismatch: The mask does not match the configured mask after the IPsec mask filtering function is enabled.
• flow confict: A data flow conflict occurs.
• proposal mismatch or use sm in ikev2: IPsec proposals at both ends of the IPsec tunnel do not match or IKEv2 uses the SM algorithm.
• ikev2 not support sm in ipsec proposal ikev2: IKEv2 does not support the SM algorithm used in the IPsec proposal.
• no policy applied on interface: No policy is applied to an interface.
• nat detection fail: NAT detailed failed.
• fragment packet limit: Fragment packets exceed the limit.
• fragment packet reassemble timeout: Fragment packet reassembly times out.

Procedure

• Cause: phase1 proposal mismatch

Check IKE proposal parameters at both ends of the IPsec tunnel and ensure that the parameters are consistent at both ends.

• Cause: phase2 proposal or pfs mismatch

Check IPsec proposal parameters or PFS algorithms at both ends of the IPsec tunnel and ensure that the parameters or algorithms are consistent at both ends.

• Cause: responder dh mismatch, initiator dh mismatch

Check DH algorithms at both ends of the IPsec tunnel and ensure that the algorithms are consistent at both ends.

• Cause: encapsulation mode mismatch

Check encapsulation modes at both ends of the IPsec tunnel and ensure that the encapsulation modes are consistent at both ends.

• Cause: eap authentication timeout, eap authentication fail, xauth authentication fail, xauth authentication timeout

Ensure that the client's user name and password as well as user access configuration are correct.

• Cause: ip assigned fail

Ensure that the AAA and IPsec configurations, such as the IP pool, AAA service scheme, and IP addresses assigned to IKE users, are correct.

• Cause: peer address mismatch

Check the IP addresses of IKE peers at both ends and ensure that the IP addresses match each other.

• Cause: config ID mismatch

Check identity authentication parameters, such as the ID type and ID value, and ensure that the parameters match each other.

• Cause: authentication fail

Check IKE proposal parameters or IKE peer parameters at both ends of the IPsec tunnel and ensure that the parameters are consistent at both ends.

• Cause: license or specification limited

Apply for a license or expand the capacity as required.

• Cause: exchange mode mismatch

Check the IKEv1 phase 1 negotiation modes at both ends and ensure that the negotiation modes are consistent at both ends.

• Cause: route limit

Replace the device with the one that has a higher route specification and plan the network properly.

• Cause: local address mismatch

Check the local IP address and interface IP address used in IKE negotiation and ensure that the IP addresses are consistent.

• Cause: ipsec tunnel number reaches limitation

Delete unnecessary IPsec tunnels or expand the capacity.

• Cause: dynamic peers number reaches limitation

Expand the capacity and plan the network properly.

• Cause: in disconnect state

Check whether the link or device is working properly based on the IPsec link detection result.

• Cause: proposal mismatch or use sm in ikev2, ikev2 not support sm in ipsec proposal

Check the algorithm used by IKEv2 in the IPsec proposal and ensure that the algorithm is correct.

• Cause: flow confict

Check ACL rules at both ends of the IPsec tunnel and ensure that the ACLs are correct.

• Cause: netmask mismatch

Change the IPsec-protected data flow range of the branch or headquarters to ensure that the data flow ranges negotiated by the branch and headquarters do not overlap.

• Cause: no policy applied on interface

Apply the required IPsec policy to the interface.

• Cause: fragment packet limit

The number of received fragmented packets exceeds the limit. Adjust the MTU of the peer device correctly.

• Cause: fragment packet reassemble timeout

Ensure that the links at both ends are normal and the device status is normal.

• If the fault persists, collect related information and contact technical support personnel.