Security


Phase 2 message under tunnel events that I'm curious about.

  • 1.  Phase 2 message under tunnel events that I'm curious about.

    Posted 07-29-2021 14:12
    I configured a VPN and Phase 1 is up and Phase 2 appears to be up.
    It's a route-based VPN with traffic selectors.

    In the tunnel events I get this message:
    Negotiation failed with INVALID_SYNTAX error(104 times), for each of the traffic selectors. The prior messages are:


    IPSec SA negotiation successfully completed (1 times)
    Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times)
    IKE SA negotiation successfully completed (4 times)
    IPSec SA negotiation successfully completed (1 times)
    Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)

    What does the invalid syntax mean? I compared configs and they match. The full message, with the line in question bolded red, is below.

    Tunnel events:
    IPSec SA negotiation successfully completed (1 times)
    Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times)
    IKE SA negotiation successfully completed (4 times)
    IPSec SA negotiation successfully completed (1 times)
    Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Negotiation failed with INVALID_SYNTAX error(104 times)
    Direction: inbound, SPI: efa10870, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3394 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2796 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: c46c784f, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3394 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2796 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

    Thank you all for sharing in this thread!

    ------------------------------
    Juan
    ------------------------------


  • 2.  RE: Phase 2 message under tunnel events that I'm curious about.
    Best Answer

    Posted 07-30-2021 05:30
    Hi Juan,

    "Negotiation failed with INVALID_SYNTAX error" indicates a mismatch in the pre-shared key. As per the given output, it is corrected now and the VPN is UP. The latest tunnel events are shown at the top and old events are at the bottom.

    Tunnel events:
    IPSec SA negotiation successfully completed (1 times)
    Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times)
    IKE SA negotiation successfully completed (4 times)
    IPSec SA negotiation successfully completed (1 times)
    Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Negotiation failed with INVALID_SYNTAX error(104 times)
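
A small parser for the tunnel-events and SA output discussed in this thread, added here as an example; it is not code from either post or from any Juniper tool. It reads the pasted lines into structured data and applies the accepted answer's rule (newest event first) to tell a historical INVALID_SYNTAX failure apart from a tunnel that is currently failing. The sample text is constructed from the output above with the wrapped ", VPN Monitoring" fragments rejoined; the field names and the `tunnel_up` heuristic are my own assumptions.

```python
import re

# Constructed sample, modelled line for line on the output pasted in the thread.
SAMPLE_OUTPUT = """\
Tunnel events:
IPSec SA negotiation successfully completed (1 times)
Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times)
IKE SA negotiation successfully completed (4 times)
IPSec SA negotiation successfully completed (1 times)
Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
Negotiation failed with INVALID_SYNTAX error(104 times)
Direction: inbound, SPI: efa10870, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 3394 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2796 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: c46c784f, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 3394 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2796 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
"""

# Event lines end in "(N times)"; note the failure line has no space before "(".
EVENT_RE = re.compile(r"^(?P<msg>.+?)\s*\((?P<count>\d+) times\)$")
DIRECTION_RE = re.compile(r"^Direction: (?P<direction>\w+), SPI: (?P<spi>[0-9a-fA-F]+)")
LIFETIME_RE = re.compile(r"^(?P<kind>Hard|Soft) lifetime: Expires in (?P<secs>\d+) seconds")
STATE_RE = re.compile(r"State: (?P<state>\w+)")
PROTO_RE = re.compile(r"^Protocol: (?P<proto>[^,]+), Authentication: (?P<auth>[^,]+), Encryption: (?P<enc>.+)$")


def parse_tunnel_output(text):
    """Split the pasted output into the event list (newest first, as the
    accepted answer explains) and one dict per IPsec SA. Field names are
    this example's own choice, not a device or vendor schema."""
    events = []
    sas = []
    current = None  # SA dict being filled once a "Direction:" line is seen
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Tunnel events:":
            continue
        m = DIRECTION_RE.match(line)
        if m:
            current = {"direction": m["direction"], "spi": m["spi"]}
            sas.append(current)
            continue
        if current is None:
            # Still in the event list above the first SA block.
            m = EVENT_RE.match(line)
            if m:
                events.append((m["msg"], int(m["count"])))
            continue
        m = LIFETIME_RE.match(line)
        if m:
            current[m["kind"].lower() + "_lifetime_s"] = int(m["secs"])
            continue
        if line.startswith("Mode:"):
            m = STATE_RE.search(line)
            if m:
                current["state"] = m["state"]
            continue
        m = PROTO_RE.match(line)
        if m:
            current["protocol"] = m["proto"]
            current["auth"] = m["auth"]
            current["encryption"] = m["enc"]
    return events, sas


def assess(events, sas):
    """Decide whether a 'Negotiation failed' entry is the tunnel's current
    state or just history: newest event is first, so a failure that is not
    at index 0 predates the SAs now installed. 'tunnel_up' is a heuristic
    (both directions installed and no failure as the latest event)."""
    failures = {msg: n for msg, n in events if msg.startswith("Negotiation failed")}
    installed = [sa["spi"] for sa in sas if sa.get("state") == "installed"]
    latest = events[0][0] if events else None
    latest_failed = latest is not None and latest.startswith("Negotiation failed")
    return {
        "latest_event": latest,
        "failure_counts": failures,
        "failures_are_historical": bool(failures) and not latest_failed,
        "installed_spis": installed,
        "tunnel_up": len(installed) == 2 and not latest_failed,
    }


if __name__ == "__main__":
    ev, sa = parse_tunnel_output(SAMPLE_OUTPUT)
    for key, value in assess(ev, sa).items():
        print(f"{key}: {value}")
```

On the sample above the failure entry is the oldest event and both ESP SAs are installed, so the script reports the 104 INVALID_SYNTAX failures as historical, which is the same reading the accepted answer gives. If the failure line were first in the list, or an SA block were missing, the same checks would flag the tunnel as currently failing.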