IPsec VPN (IKEv1) - typical error log messages

Here are the most common error messages when you are not able to establish an IPsec-VPN connection (Site to Site / End to Site).

These messages are visible in the "Monitor > Log" section of our firewalls.

Please use the category filter "IKE":


 

INVALID PAYLOAD TYPE: This means that the pre-shared key is not the same on both sides (see Phase 1).


 

NO PROPOSAL CHOSEN: The algorithms of Phase 1 or Phase 2 do not match between the two sides.


 

LOCAL POLICY MISMATCH: The local policy object might be wrong or does not belong to the tunnel setup you chose. For example, the WAN interface IP is wrong or the subnets conflict with each other.


 

REMOTE IP MISMATCH: A wrong IP address is entered on the remote site.


 

LOCAL ID MISMATCH: This means that an error has occurred in Phase 1 in the fields "Local ID Type / Content" and "Peer ID Type / Content". Check that they are mirrored between the two routers, or between the router and the client (the local ID of one is the peer ID of the other, and vice versa).


 

NO SA FOUND: This means that the router receives IKE packets but does not find a matching tunnel.


 

AUTHENTICATION FAILED: This means that extended authentication is activated on one of the two sides (see Phase 1, extended parameters).

 

IKE PACKET RETRANSMIT: This means there is no exchange between the two routers. This can be due to a number of reasons: a poorly configured IP address or a NAT redirection problem affecting the packets needed by the VPN (for example, if a modem router is in front of a USG).
You can enable/disable NAT Traversal (VPN Gateway, show hidden settings).
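
The checks described in the list above can be run against both sides' settings before the tunnel is brought up. The following is an added example, not vendor code: the dictionary field names and sample values are hypothetical and constructed, extended authentication is simplified to an on/off flag, and the returned messages follow the causes given in this article.

```python
import hmac
import ipaddress

# Constructed sample settings; field names are hypothetical, not a firewall export format.
SITE_A = {
    "wan_ip": "192.0.2.1", "peer_ip": "198.51.100.1", "psk": "constructed-psk-1",
    "phase1": [("aes256", "sha256", "dh14")], "phase2": [("aes256", "sha256")],
    "local_id": ("dns", "a.example"), "peer_id": ("dns", "b.example"),
    "local_policy": "192.168.1.0/24", "remote_policy": "192.168.2.0/24",
    "xauth": False,
}
SITE_B = {
    "wan_ip": "198.51.100.1", "peer_ip": "192.0.2.1", "psk": "constructed-psk-1",
    "phase1": [("aes128", "sha256", "dh14"), ("aes256", "sha256", "dh14")],
    "phase2": [("aes256", "sha256")],
    "local_id": ("dns", "b.example"), "peer_id": ("dns", "a.example"),
    "local_policy": "192.168.2.0/24", "remote_policy": "192.168.1.0/24",
    "xauth": False,
}

def preflight(a, b):
    """Return the log messages from this article that the two configs would likely cause."""
    findings = []
    # Pre-shared key must be identical on both sides (compared in constant time).
    if not hmac.compare_digest(a["psk"].encode(), b["psk"].encode()):
        findings.append("INVALID PAYLOAD TYPE")
    # Phase 1 and Phase 2 each need at least one proposal in common.
    if any(not set(a[p]) & set(b[p]) for p in ("phase1", "phase2")):
        findings.append("NO PROPOSAL CHOSEN")
    # Each side's configured peer address must be the other side's WAN address.
    if a["peer_ip"] != b["wan_ip"] or b["peer_ip"] != a["wan_ip"]:
        findings.append("REMOTE IP MISMATCH")
    # Local ID type/content of one side is the peer ID type/content of the other.
    if a["local_id"] != b["peer_id"] or b["local_id"] != a["peer_id"]:
        findings.append("LOCAL ID MISMATCH")
    # Policies must mirror each other, and local/remote subnets must not overlap.
    la, ra, lb, rb = (ipaddress.ip_network(c[k]) for c in (a, b)
                      for k in ("local_policy", "remote_policy"))
    if la != rb or lb != ra or la.overlaps(ra):
        findings.append("LOCAL POLICY MISMATCH")
    # Extended authentication enabled on one side only.
    if a["xauth"] != b["xauth"]:
        findings.append("AUTHENTICATION FAILED")
    return findings

if __name__ == "__main__":
    print(preflight(SITE_A, SITE_B) or "no mismatch found")
```

An empty result only means the compared fields are consistent; IKE PACKET RETRANSMIT and NO SA FOUND depend on reachability and NAT, which a settings comparison cannot see.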

 
