KB Article | Forcepoint Support

Problem Description

These tables list the most common IPsec VPN log messages (Facility=IPsec).

The messages listed appear in the Information Message fields of logs as information or error messages. The Situation field in some of the logs contains similar messages.

Note: Some messages can only be seen when the IPsec diagnostics are enabled during the VPN negotiations.

Resolution

VPN notifications

The following table lists messages that are seen in the logs as part of normal IPsec VPN operation.

Message: SA traffic selectors local: [...]
Description: This message is visible only when IPsec diagnostics are enabled. It is the first message generated when new VPN negotiations are triggered. Negotiation of a new VPN tunnel follows.

Message: IKE SA proposal [...]
Description: This message is visible only when IPsec diagnostics are enabled. Shows the proposal that the initiator in the negotiations sent to the responder (displayed in both roles).

Messages:
  Starting IKE main mode initiator negotiation
  Starting IKE main mode responder negotiation
Description: The beginning of IKE negotiations (in main mode). Which message is displayed depends on whether the gateway is the initiator or the responder in the negotiation. Repeated negotiations for the same connection are normal in a Multi-Link environment.

Messages:
  IKEv1 SA initiator done [...]
  IKEv1 SA responder done [...]
  IKEv2 SA initiator done [...]
  IKEv2 SA responder done [...]
Description: IKE SA negotiations were successfully completed; IPsec SA negotiations begin. Which message is displayed depends on whether the gateway is the initiator or the responder in the negotiation.

Messages:
  IPsec SA initiator done [...]
  IPsec SA responder done [...]
Description: IPsec SA negotiations were successfully completed. The VPN tunnel is now established and ESP or AH messages should appear shortly. Which message is displayed depends on whether the gateway is the initiator or the responder in the negotiation.

Message: Starting Hybrid Authentication
Description: Hybrid authentication is started for an IPsec VPN client user.

Message: Hybrid Authentication Done
Description: Hybrid authentication succeeded for an IPsec VPN client user.

Messages:
  IKE SA import succeeded
  IPsec SA import succeeded
Description: This message is visible only when IPsec diagnostics are enabled. Synchronization of Phase 1 (IKE) and Phase 2 (IPsec) information between clustered firewall engines was successful.

Messages:
  ESP [...]
  AH [...]
Description: Encrypted traffic going through the VPN tunnel. When you enable IPsec diagnostics, you might see more of these messages.

Message: Unknown IKE cookie
Description: This message is visible only when IPsec diagnostics are enabled. The other gateway identified an SA that does not exist on this node. If this is a cluster, this message is normal when the SA has been negotiated with a different node. The correct SA is then queried from the other nodes, allowing the connection to continue. This message can also appear if the SA has been deleted, for example, because of a timeout or dead peer detection (DPD).

Messages:
  Sending delete notification [...]
  Delete notification received [...]
Description: This message is visible only when IPsec diagnostics are enabled. Messages between the gateways forming the tunnel, informing the other party that the gateway has removed the settings indicated in the message. As a result, the other gateway also clears the settings, allowing for renegotiations if the tunnel is still needed.

Messages:
  Sending IKE SA delete sync
  Receiving IKE SA expire/delete sync
Description: This message is visible only when IPsec diagnostics are enabled. Synchronization of SA deletion information between clustered firewall engines.

Message: Initial contact notification received
Description: The gateway at the other end of the tunnel has sent an Initial-Contact message (indicating that it has no knowledge of previous negotiations). If there are old SAs with the gateway, they are deleted (recently negotiated SAs are not, as might be indicated by a further log message). If SAs exist, the notification may indicate that the other end has been cleared, for example, in a reboot.

VPN errors

The following table lists common errors that indicate problems in an IPsec VPN tunnel.

The log messages inform you about the stage of negotiations and then give the actual error message, for example, “IKE Phase-2 error: No proposal chosen.” The table lists only the actual message part, without the variable details such as IP addresses or identifiers.

Message: Access group mismatch
Description: The connecting VPN client is not authorized.

Message: Authentication failed
Description: One of the parties rejected the authentication credentials or something went wrong during the authentication process. If the problem is not apparent in the available logs, activate diagnostics to generate more verbose logs that give you more information about the next negotiations.

Message: Authentication method mismatch
Description: The authentication method used by the other gateway is not allowed in the configuration of this gateway. Check the settings in the VPN Profile that is selected for this VPN.

Message: Cannot get policy [...] No matching connection
Description: Might indicate that the gateway has no valid VPN certificate.

Message: Can not get QM policy [...]
Description: Indicates that there is a mismatch in granularity settings between the negotiating gateways. In the Firewall/VPN, granularity is controlled with the Security Association Granularity setting on the IPsec Settings tab of the VPN Profile.

Messages:
  Could not allocate inbound SPI
  Could not create outbound IPsec rule
  Could not register outbound SPI
  Old outbound SPI entry not found
  Out of memory
  SA install failed
  Session attaching failed
  Transform creation failed
Description: Indications that the gateway has run out of memory. The reason for this might be inappropriate configuration settings (such as using the "SA per host" setting with a very large number of hosts) in addition to other reasons (such as hardware specifications).

Messages:
  Dead peer detection failed
  IKE peer was found dead [...]
Description: Dead peer detection checks the other gateway periodically when the VPN is established. If no response is received, the VPN tunnel is closed. Indicates that the other gateway is down, unreachable, or considers the VPN tunnel already closed.

Message: Encapsulation mode mismatch
Description: Encapsulation modes (AH or ESP) did not match between gateways.

Message: IKE error notify received: [...]
Description: This message is visible only when IPsec diagnostics are enabled. The other gateway has sent the error notification that is shown in this message.

Message: IKE negotiation rate-limit reached, discard connection
Description: This message is visible only when IPsec diagnostics are enabled. There is an excessive number of new VPN connection attempts within a short period of time. This mechanism is meant to protect the firewall from certain types of denial-of-service attacks.

Messages:
  Invalid argument
  Invalid syntax
Description: Generic error. Check the other log messages for more useful information. If the problem is not apparent in the available logs, activate diagnostics to generate more verbose logs that give you more information about the next negotiations.

Message: IPsec SA proposal not accepted
Description: This message is visible only when IPsec diagnostics are enabled. The VPN gateway at the other end of the tunnel sent a proposal that the Firewall/VPN gateway could not accept. This message includes information about the rejected proposal, and a further log message should contain information about the Firewall/VPN's local proposal.

Message: NAT-T is not allowed for this peer
Description: This message is visible only when IPsec diagnostics are enabled. NAT-T was requested by the other gateway, but it is not allowed in the configuration of the gateway that sends this message.

Message: No proposal chosen
Description: IKE negotiations failed. If the problem is not apparent in the available logs, activate diagnostics to generate more verbose logs that give you more information about the next negotiations. The negotiation could also have failed on the peer gateway's side; in that case, check the peer gateway's IPsec logs for a more detailed error message.

Message: Payload malformed [...]
Description: Most likely due to a mismatch in preshared keys between the initiator and the responder. The reason might also be corruption of packets in transit.

Message: Peer IP address mismatch
Description: The IP address that the other gateway uses is not configured as a VPN gateway end-point on this gateway.

Message: Proposal did not match policy
Description: There is a mismatch in the configurations of the two negotiating parties.

Message: Remote address not allowed
Description: A VPN client is trying to use an IP address that is out of the allowed address range. Make sure that all valid IP addresses are actually included in the range of allowed addresses for the VPN Gateway, and check the DHCP server configuration.

Messages:
  Remote ID mismatch
  Remote identity [...] used in IKE negotiation doesn't match to policy [...]
Description: The IKE Phase 1 ID defined for the external VPN gateway in the SMC is different from the ID with which the gateway actually identified itself. The ID and its type are set for each tunnel End-Point in the properties of the external Gateway. Note that if an IP address is used as the identity, the IP address used as the identity can be different from the IP address used for communications.

Message: SA unusable
Description: Usually means that an SA is being deleted when some new traffic arrives to use the tunnel.

Message: Sending error notify: [...]
Description: This message is visible only when IPsec diagnostics are enabled. Negotiations have failed and the Firewall/VPN is sending the error notification that is shown in this message to the other gateway.

Message: SPD doesn't allow connection [...]
Description: Most likely indicates that the Site definitions do not match the IP addresses used. Check the addresses included under the Sites for both Gateways, and also that the translated addresses are included under the Site if NAT is used for communications inside the VPN.

Message: Timed out
Description: Indicates connection problems or that the other end has deleted the SA that the Firewall/VPN is using in the negotiation. Check the logs at the other end to see if the connection makes it through.

Message: Traffic selector mismatch
Description: There is a mismatch in the configurations of the two negotiating parties. You must define a matching pair for all settings; double-check all settings at both ends.

Message: Tunnel policy mismatch [...]
Description: This message is visible only when IPsec diagnostics are enabled. Usually indicates that IKE negotiations failed because of a mismatch in the configurations of the two negotiating parties.

Message: Tunnel selection failed
Description: An Access rule matched this connection, but the traffic could not be sent across the VPN. Most likely, this is due to the (possibly NATed) source or destination IP address not being included in the local or remote gateway's Site as required. This message also appears if a connection that is not intended for the VPN matches the VPN rule. (Inbound cleartext traffic can be allowed from the same addresses as tunneled traffic with the Apply action in the VPN rule.)

Message: Tunnel type mismatch [...]
Description: This message is visible only when IPsec diagnostics are enabled. Only site-to-site VPN or mobile VPN is configured, but the connecting device is of the other type. For example, a VPN client tries to connect, but VPN client access is not configured (correctly) on the gateway.

VPN error codes

Under some conditions, multiple IPsec VPN errors can be detected simultaneously and combined in a single log message.

The most significant error is shown as text, and the other detected errors are indicated using a combined (bitwise OR) hexadecimal error code. For example:

IKE Phase-1 Initiator error: Proposal did not match policy (100002).

Here, combining the hexadecimal code 00100000 for “Proposal did not match policy” with 00000002 for “Peer IP address mismatch” produces the code 00100002, shown as 100002 without the leading zeros.

The following table lists codes that are valid for engine software versions 5.0 and later.

Hex code    Error message
00000020    Access group mismatch
00008000    Authentication method mismatch
00020000    Encapsulation mode mismatch
00000002    Peer IP address mismatch
00100000    Proposal did not match policy
00400000    Remote address not allowed
00000040    Traffic selector mismatch (local)
00000080    Traffic selector mismatch (remote)
00200000    Tunnel type mismatch
00000200    Remote ID mismatch
00000100    Internal configuration-related problems. See the other messages to troubleshoot.
00000004    Internal configuration-related problems. See the other messages to troubleshoot.
00000001    Internal configuration-related problems. See the other messages to troubleshoot.
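The following decoder, an added example that is not part of this article or of Forcepoint's software, splits a combined error code from an IPsec error log line back into the individual messages in the table above. The log line format is assumed to match the article's own example; the sample line is constructed.

```python
import re

# Error-code bits from the table above (engine software versions 5.0 and later).
ERROR_BITS = {
    0x00000020: "Access group mismatch",
    0x00008000: "Authentication method mismatch",
    0x00020000: "Encapsulation mode mismatch",
    0x00000002: "Peer IP address mismatch",
    0x00100000: "Proposal did not match policy",
    0x00400000: "Remote address not allowed",
    0x00000040: "Traffic selector mismatch (local)",
    0x00000080: "Traffic selector mismatch (remote)",
    0x00200000: "Tunnel type mismatch",
    0x00000200: "Remote ID mismatch",
}
# Bits the table lists as internal configuration-related problems.
INTERNAL_BITS = {0x00000100, 0x00000004, 0x00000001}
# Trailing "(hexcode)" of a combined error message, e.g. "... (100002)."
CODE_RE = re.compile(r"\(([0-9A-Fa-f]{1,8})\)\s*\.?\s*$")


def decode_error_code(code):
    """Split a bitwise-OR combined error code into its component messages."""
    messages = []
    for bit in range(32):
        mask = 1 << bit
        if not code & mask:
            continue
        if mask in ERROR_BITS:
            messages.append(ERROR_BITS[mask])
        elif mask in INTERNAL_BITS:
            messages.append("Internal configuration-related problem (%08X)" % mask)
        else:
            # Never drop a bit silently: an unknown one still needs a look.
            messages.append("Unknown error bit (%08X)" % mask)
    return messages

def decode_log_message(message):
    """Return (code, messages) for an IPsec error line; code is None if absent."""
    m = CODE_RE.search(message)
    if m is None:
        return None, []
    code = int(m.group(1), 16)
    return code, decode_error_code(code)

if __name__ == "__main__":
    # Constructed sample in the shape of the article's own example line.
    sample = "IKE Phase-1 Initiator error: Proposal did not match policy (100002)."
    code, parts = decode_log_message(sample)
    print("%08X -> %s" % (code, "; ".join(parts)))
```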



Keywords: next generation firewall; ngfw; ipsec vpn; vpn notifications; vpn errors; vpn error codes; troubleshooting
