Amer Networks E5Web GUI User Manual

3. Ike_invalid_payload, Ike_invalid_cookie.
4. Payload_Malformed.
5. No public key found.
6. ruleset_drop_packet.

1. Could not find acceptable proposal / no proposal chosen

This is the most common IPsec related error message. It means that depending on which side
initiates tunnel setup, the negotiations in either the IKE or the IPSec phase of setup failed since
they were unable to find a matching proposal that both sides could agree on.

Troubleshooting this error message can be involved since the reasons for this message can be
multiple depending on where in the negotiation it occurred.

•

If the negotiation fails during phase-1 – IKE

The IKE proposal list does not match. Double check that the IKE proposal list matches that of
the remote side. A good idea is to use the ikesnoop verbose CLI command and get the tunnel
to initiate the tunnel from the remote side. It can then be seen what proposals the remote
side is sending and then compare the results with the local IKE proposal list. At least ONE
proposal has to match in order for it to pass phase-1. Remember that the lifetimes are also
important, as will be mentioned in Problem symptom-1.

•

If the negotiation fails during phase-2 – IPsec

The IPsec proposal list does not match. Double check that the IPsec proposal list matches
that of the remote side. The same method described above of using ikesnoop can be used
from when the remote side initiates the tunnel and compare it against the local proposal list.
What is "extra" in the IPsec phase is that the networks are negotiated here, so even if the
IPsec proposal list seem to match, the problem may be with mismatching networks. The local
network(s) on one side need to be the remote network on the other side and vice versa.
Remember that multiple networks will generate multiple IPsec SAs, one SA per network (or
host if that option is used). The defined network size is also important in that it must be
exactly the same size on both sides, as will be mentioned again later in the symptoms
section.

There are also some settings on the IPsec tunnel's IKE tab that can be involved in a
no-proposal chosen issue. For example, PFS (for IPsec phase) or DH Group (for the IKE phase).
Also, the choice of Main or Aggressive mode.

2. Incorrect pre-shared key

A problem with the pre-shared key on either side has caused the tunnel negotiation to fail. This is
perhaps the easiest of all the error messages to troubleshoot since it can be only one thing, and
that is incorrect pre-shared key. Double-check that the pre-shared key is of the same type
(Passphrase or Hex-key) and correctly added on both sides of the tunnel.

Another reason for why cOS Core detects that the pre-shared key is incorrect could be because
the wrong tunnel is triggering during tunnel negotiations. IPsec tunnels are processed from the
top to the bottom of the cOS Core tunnel list and are initially matched against the remote
gateway. An example is if there is a roaming tunnel that uses all-nets as its remote gateway. This
tunnel will trigger before the intended tunnel if it is placed above it in the cOS Core tunnel list.

For example, consider the following IPsec tunnel definitions:

Name

Local Network

Remote Network

Remote Gateway

VPN-1

lannet

office1net

office1gw

VPN-2

lannet

office2net

office2gw

L2TP

ip_wan

all-nets

all-nets

Chapter 9: VPN

652