
SRX Dynamic VPN - No proposal chosen

Issue

When trying to connect via Dynamic VPN, your client displays the following error:


IKE Negotiations Failed

Within the output of the IKE debug logs you see the following error:

Jul 26 11:35:46 ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..0] = 00000000 00000000 ..., data[0..0] = 00000000 00000000 ...
Jul 26 11:35:46 8.1.2.3:500 (Responder) <-> 9.1.2.3:13820 { 00fe74bf 0a35dc4b - 6b54adf2 f3b80138 [0] / 0x96a65592 } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it

Solution




This can occur when users do not log out of the VPN client correctly. The corresponding IKE cookie is then not removed. Because the IKE cookie contains the IP address and user name of the client, the user cannot connect again from the same IP address.

To ensure the IKE cookie is removed, an idle timeout (of 5 minutes) is defined.

root# set security ipsec vpn <VPN> ike idle-time 300
root# commit
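
To see which clients keep hitting this error, the notify lines in the IKE debug log can be tallied per remote IP. The script below is an added example, not part of the original post; it assumes the debug log has been saved as text in the format quoted above, and the function names and every sample line after the first two are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: lines 1-2 are the lines quoted in this post; the other
# peer addresses, ports, cookies and the code-24 line are invented.
SAMPLE_LOG = """\
Jul 26 11:35:46 ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..0] = 00000000 00000000 ..., data[0..0] = 00000000 00000000 ...
Jul 26 11:35:46 8.1.2.3:500 (Responder) <-> 9.1.2.3:13820 { 00fe74bf 0a35dc4b - 6b54adf2 f3b80138 [0] / 0x96a65592 } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
Jul 26 11:41:02 8.1.2.3:500 (Responder) <-> 9.1.2.3:13901 { 11aa22bb 33cc44dd - 55ee66ff 77001122 [0] / 0x0a0b0c0d } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
Jul 26 11:42:10 8.1.2.3:500 (Responder) <-> 9.4.5.6:4500 { 0102abcd 0304cdef - 0506aabb 0708ccdd [0] / 0x01020304 } Info; Received notify err = Authentication failed (24) to isakmp sa, delete it
Jul 26 11:43:55 8.1.2.3:500 (Responder) <-> 9.7.8.9:500 { a1b2c3d4 e5f60718 - 293a4b5c 6d7e8f90 [0] / 0x0f0e0d0c } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
"""

# Matches the "Received notify err" line: timestamp, local and remote
# endpoints, initiator/responder cookies, then the notify text and code.
NOTIFY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<local>\d{1,3}(?:\.\d{1,3}){3}):(?P<lport>\d+) "
    r"\((?:Responder|Initiator)\) <-> "
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}):(?P<pport>\d+) "
    r"\{ (?P<icookie>[0-9a-f]{8} [0-9a-f]{8}) - (?P<rcookie>[0-9a-f]{8} [0-9a-f]{8}) .*?\} "
    r"Info; Received notify err = (?P<err>.+?) \((?P<code>\d+)\)"
)

def no_proposal_events(log_text, code=14):
    """Map remote IP -> [(timestamp, source port, initiator cookie), ...]
    for every notify line carrying the given code (14 = No proposal chosen)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = NOTIFY_RE.match(line)
        if m and int(m.group("code")) == code:
            events[m.group("peer")].append(
                (m.group("ts"), int(m.group("pport")), m.group("icookie")))
    return dict(events)

def repeat_peers(log_text, threshold=2):
    """Remote IPs that hit the error at least `threshold` times, i.e. clients
    that keep failing from the same address as described in this post."""
    events = no_proposal_events(log_text)
    return sorted(ip for ip, hits in events.items() if len(hits) >= threshold)

if __name__ == "__main__":
    for ip in repeat_peers(SAMPLE_LOG):
        print(ip, no_proposal_events(SAMPLE_LOG)[ip])
```
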