SRX


IKE proposal troubleshooting

  • 1.  IKE proposal troubleshooting

    Posted 08-08-2013 14:25

    Hi,

     

    I have one question here. Is there any way to get the proposal info on the SRX? Suppose I am establishing an IPsec VPN with another organization and they set the proposal to (proposal-set compatible instead of standard). Is there any traceoption or log that will indicate where exactly the mismatch is, or what parameter is missing/wrong, instead of finger-pointing at each other?

     

    Regards,

    Mohamed Elhariry



  • 2.  RE: IKE proposal troubleshooting
    Best Answer

    Posted 08-08-2013 14:44

    You can look at "show log kmd" and also configure traceoptions under security->ike.

     

    There's a hidden command to set a more detailed debug level as well, "set security ike traceoptions level 15" (or other levels, I just use 15 usually).

     

    This is a place to start:

    # set security ike traceoptions file ike-debug size 10m files 2
    # set security ike traceoptions flag all
    # set security ike traceoptions level 15

     

    This will put the IKE debugs into a separate file called "ike-debug" so you can do a "show log ike-debug" to see the relevant information.

     



  • 3.  RE: IKE proposal troubleshooting

    Posted 08-09-2013 00:46

    Hi kr,

     

    Thanks for your reply. I saw the same advice in a previous post from you 🙂 and tried it already before asking. The problem is: I have a VPN that is working fine, but I tried to change the proposal from standard to compatible. How can I see in the logs the mismatch in proposal, and that the received one is standard, not compatible? I am simulating a troubleshooting problem.

     

    I attached the log from the traceoptions file created; I replaced my IP address with 92.X.X.X and the remote IP with 94.Y.Y.Y.

     

    For the kmd file, it is showing no logs.

     

    Regards,

    Mohamed Elhariry

     

    Attachment(s): vpn logs.txt (txt, 124 KB, 1 version)


  • 4.  RE: IKE proposal troubleshooting

    Posted 08-10-2013 00:02
    I think the exact words you are looking for may be generated some other way; however, based on what we know from Juniper so far, your error means exactly what you have simulated, that there is a mismatch between the IKE phase 2 proposals. This is not like OSPF, which tells you area mismatch :) I hope this helps you a little bit more.
     
    9da4614f [0] / 0xfe8d052d } Info; Notify message version = 1
    Aug  9 11:37:18 92.X.X.X:500 (Responder) <-> 94.Y.Y.Y:500 { 54f3cbfb 54471d6d - 87d62fbd 9da4614f [0] / 0xfe8d052d } Info; Error text = Could not find acceptable proposal
    Aug  9 11:37:18 92.X.X.X:500 (Responder) <-> 94.Y.Y.Y:500 { 54f3cbfb 54471d6d - 87d62fbd 9da4614f [0] / 0xfe8d052d } Info; Offending message id = 0x00000000
     
    Aug  9 11:37:18 92.X.X.X:500 (Responder) <-> 94.Y.Y.Y:500 { 54f3cbfb 54471d6d - 87d62fbd 9da4614f [0] / 0xfe8d052d } Info; Error text = Could not find acceptable proposal
    Aug  9 11:37:18 92.X.X.X:500 (Responder) <-> 94.Y.Y.Y:500 { 54f3cbfb 54471d6d - 87d62fbd 9da4614f [0] / 0xfe8d052d } Info; Offending message id = 0x00000000
    Aug  9 11:37:18 92.X.X.X:500 (Responder) <-> 94.Y.Y.Y:500 { 54f3cbfb 54471d6d - 87d62fbd 9da4614f [0] / 0xfe8d052d } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it

     

     
    If phase 2 negotiation has been initiated, and you get the "Error = NO_PROPOSAL_CHOSEN" message, this indicates a mismatch in proposals between the two peers. The phase 2 proposal elements include the following:
     
    Authentication algorithm (MD5, SHA1)
    Encryption algorithm (DES, 3DES, AES128, AES192, AES256)
    Lifetime kilobytes (sometimes referred to as lifesize)
    Lifetime seconds
    Protocol (AH, ESP)
    Perfect Forward Secrecy (Diffie-Hellman group1, group2, group5)
    If phase 2 fails to complete with an error in proposal, then confirm that the remote peer has at least one proposal configured in which the Authentication and Encryption algorithms, Protocol and Perfect Forward Secrecy (PFS) match at least one proposal on the local side. A common misconfiguration is a PFS group key mismatch: perhaps one side has a PFS group key configured whereas the remote side either does not have PFS enabled or has an incorrect group key. Also, with some third-party non-Juniper devices, the Lifetime in kilobytes and/or seconds may also need to match.


  • 5.  RE: IKE proposal troubleshooting

    Posted 08-10-2013 00:33

    Hi,

     

    It is a phase 1 problem, not phase 2; I changed the proposal under the IKE policy.

     

    So can we confirm it from the traceoptions? I couldn't figure out from the other end that the proposal is standard, not compatible.

     

    I am facing problems when I establish a VPN with any other vendor; sometimes the parameters are not clear, or the IT admin there is not qualified to give me the correct parameters. So I want to detect it on my FW and adjust it without referring to him.

     

    Regards,

    Mohamed Elhariry



  • 6.  RE: IKE proposal troubleshooting

     
    Posted 08-10-2013 01:23

    TCPDUMP can provide you complete information on the exchange.

     

    Regards,

    Raveen



  • 7.  RE: IKE proposal troubleshooting

    Posted 08-10-2013 01:46

    Yes, you are correct. So far I have not seen any logs that would indicate what proposal is being used at the other end. So are you saying you cannot ask for and get this information?

    Then you could not have seen any IKE SA? In fact, I should have paid more attention. That means when you run the command: >show security ike sa, this should not show anything. But as I said, I should have been more careful. If phase one was successful, it would have said Responder done.
    Oct 8 10:41:40 Phase-1 [responder] done for local=ipv4(udp:500,[0..3]=1.1.1.2)
    remote=ipv4(udp:500,[0..3]=2.2.2.2)
    This has more information on troubleshooting. http://www.juniper.net/techpubs/en_US/junos13.1/information-products/topic-collections/nce/vpn-hub-spoke-nhtb/configuring-hub-and-spoke-vpns-using-nhtb.pdf#search=%22phase%201%20error%22
    Clear the log, clear the sessions
    clear security ike security-associations

    Add the following to your traceoptions (if they are not present), I think.

    Then post the new log and we should get more details.

    [edit security ike traceoptions]
    lab@srxA-2# show | display set
    set security ike traceoptions file iktrace
    set security ike traceoptions flag policy-manager
    set security ike traceoptions flag routing-socket
    set security ike traceoptions flag parse
    set security ike traceoptions flag config
    set security ike traceoptions flag ike



  • 8.  RE: IKE proposal troubleshooting

    Posted 08-10-2013 01:53

    Tell the admin to log in and tell him exactly where to look for the information you need.

    This gave me another idea. So I changed the proposal in phase 1 and saved the log file. Then I changed it back to the correct one and compared them. And it made a world of difference. So we know that connection error 14 means mismatched proposal. I have not done the same for phase 2 IPsec, but may try it later. You can actually see it telling you the hash, encryption algorithm etc. Very nice. My suggestion is do the same and you will get better information for yourself.



  • 9.  RE: IKE proposal troubleshooting

    Posted 08-11-2013 12:57

    Thanks everyone

     

    It started working. I got this in the traceoptions:

     

    Aug 11 23:44:51 ike_find_group_from_sa: No isakmp group defined yet
    Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 1 (0x0001), value = 5 (0x00000005), len = 2 (0x0002)
    Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Encryption alg = 5 (3des-cbc)
    Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 2 (0x0002), value = 2 (0x00000002), len = 2 (0x0002)
    Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Hash alg = 2 (sha1)
    Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 3 (0x0003), value = 1 (0x00000001), len = 2 (0x0002)
    Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Auth method = 1
    Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 4 (0x0004), value = 2 (0x00000002), len = 2 (0x0002)
    Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Group = 2, a8f180
    Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 11 (0x000b), value = 1 (0x00000001), len = 2 (0x0002)
    Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 12 (0x000c), value = 28800 (0x00007080), len = 2 (0x0002)
    Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Life duration 28800 secs

     

    Although the kmd file is still empty, I think that is another problem, maybe related to the Junos version. I will check later.

     

    # run show log kmd    
    Aug 11 22:19:55 SRX-FW1 clear-log[4640]: logfile cleared
    Aug 11 23:53:26 Group/Shared IKE ID VPN configured: 0

     

    Thanks again to all members
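The trace lines quoted in reply 4 (the responder's "Could not find acceptable proposal" / "No proposal chosen (14)" notifies) and in reply 9 (the "Aggr; Encryption alg = ..." attribute lines) can be pulled apart mechanically instead of read by eye. The Python below is an added example written for this thread; it is not Juniper code and was not posted by any participant. It assumes the line layout seen in those excerpts (timestamp, local peer, role, remote peer, cookie block, exchange type, message), keys each negotiation on the initiator cookie, and names the numeric phase 1 attribute values using the IKEv1 registry from RFC 2409 Appendix A. The sample trace embedded in it is constructed from the lines in the thread, with the same X/Y placeholder addresses.

```python
"""Summarise Junos IKE traceoptions output ("show log ike-debug" style lines):
per IKE negotiation, the phase 1 attributes the peer offered and any
proposal-mismatch errors. Added example for this thread, not Juniper code."""
import re

# One negotiation line, as seen in the thread (layout is an assumption):
# "<ts> <local> (<role>) <-> <remote> { icookie - rcookie [n] / 0x... } <exch>; <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<local>\S+) \((?P<role>Initiator|Responder)\) <-> (?P<remote>\S+) "
    r"\{ (?P<icookie>[0-9a-f]{8} [0-9a-f]{8}) - (?P<rcookie>[0-9a-f]{8} [0-9a-f]{8}) "
    r"\[-?\d+\] / 0x[0-9a-f]{8} \} (?P<exch>\w+); (?P<msg>.*)$"
)

# IKEv1 phase 1 attribute values (RFC 2409 Appendix A / IANA ISAKMP registry).
ENCRYPTION = {1: "des-cbc", 5: "3des-cbc", 7: "aes-cbc"}
HASH = {1: "md5", 2: "sha1"}
AUTH_METHOD = {1: "pre-shared-key", 2: "dss-signatures", 3: "rsa-signatures"}
DH_GROUP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}

ATTR_RE = {
    "encryption": (re.compile(r"^Encryption alg = (\d+)"), ENCRYPTION),
    "hash": (re.compile(r"^Hash alg = (\d+)"), HASH),
    "auth_method": (re.compile(r"^Auth method = (\d+)"), AUTH_METHOD),
    "dh_group": (re.compile(r"^Group = (\d+)"), DH_GROUP),
}
LIFETIME_RE = re.compile(r"^Life duration (\d+) secs")
ERROR_RE = (
    re.compile(r"^Error text = (.+)$"),
    re.compile(r"^Received notify err = (.+)$"),
)

# Constructed sample: the lines quoted in replies 4 and 9, placeholder addresses kept.
SAMPLE_TRACE = """
Aug  9 11:37:18 92.X.X.X:500 (Responder) <-> 94.Y.Y.Y:500 { 54f3cbfb 54471d6d - 87d62fbd 9da4614f [0] / 0xfe8d052d } Info; Error text = Could not find acceptable proposal
Aug  9 11:37:18 92.X.X.X:500 (Responder) <-> 94.Y.Y.Y:500 { 54f3cbfb 54471d6d - 87d62fbd 9da4614f [0] / 0xfe8d052d } Info; Offending message id = 0x00000000
Aug  9 11:37:18 92.X.X.X:500 (Responder) <-> 94.Y.Y.Y:500 { 54f3cbfb 54471d6d - 87d62fbd 9da4614f [0] / 0xfe8d052d } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
Aug 11 23:44:51 ike_find_group_from_sa: No isakmp group defined yet
Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 1 (0x0001), value = 5 (0x00000005), len = 2 (0x0002)
Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Encryption alg = 5 (3des-cbc)
Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Hash alg = 2 (sha1)
Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Auth method = 1
Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Group = 2, a8f180
Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Life duration 28800 secs
"""


def _label(table, num):
    """Render a numeric attribute as 'num (name)'; unknown codes keep the raw number."""
    name = table.get(num)
    return f"{num} ({name})" if name else str(num)


def parse_ike_trace(text):
    """Group negotiation lines by initiator cookie (one IKE SA attempt each)."""
    negotiations = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # helper lines (jnp_ike_get_data_attribute_int etc.) carry no peer context
        neg = negotiations.setdefault(m["icookie"], {
            "local": m["local"], "remote": m["remote"], "role": m["role"],
            "exchange": m["exch"], "attrs": {}, "errors": [],
        })
        msg = m["msg"]
        for key, (rx, table) in ATTR_RE.items():
            am = rx.match(msg)
            if am:
                neg["attrs"][key] = _label(table, int(am.group(1)))
        lm = LIFETIME_RE.match(msg)
        if lm:
            neg["attrs"]["lifetime_seconds"] = int(lm.group(1))
        for rx in ERROR_RE:
            em = rx.match(msg)
            if em and em.group(1) not in neg["errors"]:
                neg["errors"].append(em.group(1))  # de-duplicate repeated notifies
    return negotiations


def mismatched(negotiations):
    """Initiator cookies of negotiations that ended in a proposal mismatch."""
    return [c for c, n in negotiations.items()
            if any("proposal" in e.lower() for e in n["errors"])]


if __name__ == "__main__":
    negs = parse_ike_trace(SAMPLE_TRACE)
    bad = set(mismatched(negs))
    for cookie, n in negs.items():
        status = "PROPOSAL MISMATCH" if cookie in bad else "attributes parsed"
        print(f"{cookie}: {n['role']} {n['local']} <-> {n['remote']} [{n['exchange']}] {status}")
        for k, v in n["attrs"].items():
            print(f"    {k:17} {v}")
        for e in n["errors"]:
            print(f"    error: {e}")
```

Run it against a real `show log ike-debug` capture (saved with `file copy` or pasted into a file) by pointing `parse_ike_trace` at that text; the attributes printed under an `Initiator` negotiation are what the local SRX sent, while those under a `Responder` negotiation are what the remote peer offered, which is the side-by-side comparison reply 8 describes doing by hand.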