  • IKE phase 2 failure: No proposal chosen (14)

    I'm trying to set up a VPN between a CISCO ASA 5505 and a ASA 5520, but it's falling over in phase 2 of the setup.

    Log extract: (read from bottom to top, remote IP replaced with 2.2.2.2)
    Code:
    Group = 2.2.2.2, Username = 2.2.2.2, IP = syscon_endpoint, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
    Group = 2.2.2.2, IP = 2.2.2.2, Removing peer from correlator table failed, no match!
    Group = 2.2.2.2, IP = 2.2.2.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
    Group = 2.2.2.2, IP = 2.2.2.2, Connection terminated for peer 2.2.2.2.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
    Group = 2.2.2.2, IP = 2.2.2.2, Received non-routine Notify message: No proposal chosen (14)
    Group = 2.2.2.2, IP = 2.2.2.2, De-queuing KEY-ACQUIRE messages that were left pending.
    Group = 2.2.2.2, IP = 2.2.2.2, PHASE 1 COMPLETED

    "Received non-routine Notify message: No proposal chosen (14)" looks to be the key error, but I can't figure out why it is occurring and my internet research has not come up with any answers. As far as I can tell both ASAs have the same settings:

    Code:
    crypto ipsec transform-set remote_trans esp-aes-256 esp-sha-hmac
    
    crypto map remote_map 30 match address REMOTE
    crypto map remote_map 30 set peer remote_endpoint
    crypto map remote_map 30 set transform-set remote_trans
    crypto isakmp enable outside
    crypto isakmp policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    
    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 ipsec-attributes
     pre-shared-key *


    Is there a different place I have to look to see the phase 2 IKE settings to ensure they match? I've tried configuring our end using both the IOS command line and the ASDM VPN wizard, but with the same results. Any help would be appreciated.

    Edit Dumber:
    Removed the small font size to keep it readable.
    Last edited by Dumber; 21st November 2008, 19:34.

  • #2
    Re: IKE phase 2 failure: No proposal chosen (14)

    There are a couple of things to check:

    Check the encryption levels.
    Check the Pre-shared keys
    Check the networks.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

    • #3
      Re: IKE phase 2 failure: No proposal chosen (14)

      Encryption settings are the same both ends, as are the subnet settings being used. The pre-shared key is correct (changing it causes phase 1 to fail) and we're really at a loss here.

      • #4
        Re: IKE phase 2 failure: No proposal chosen (14)

        Originally posted by DrStalker:
        > Encryption settings are the same both ends, as are the subnet settings being used.

        If I understand you correctly, you are using the same IP/Subnets on both sides?
        Best regards,
        Carsten.

        • #5
          Re: IKE phase 2 failure: No proposal chosen (14)

          We figured this out - the remote ASA was not licensed to use AES. Switching to 3DES fixed this up.

          Thanks everyone!
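The original question asks where to look to confirm that the Phase 2 settings match, and post #5 shows the real cause was an encryption algorithm the remote ASA could not use. As an added example (not code from the thread or from Cisco), the Python script below pulls the transform-sets that are actually bound with `crypto map ... set transform-set` from each side's config, drops any proposal whose ESP cipher the peer is not licensed for, and reports whether a common Phase 2 proposal remains. The two config excerpts and the per-box license sets are constructed to mirror the thread; the "legacy" transform-set on the remote side is defined but never bound to a crypto map, so it is correctly ignored.

```python
import re

# ESP keywords that can appear in an ASA "crypto ipsec transform-set" line.
ENC_KEYWORDS = {"esp-null", "esp-des", "esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256"}
AUTH_KEYWORDS = {"esp-none", "esp-md5-hmac", "esp-sha-hmac"}

TRANSFORM_SET_RE = re.compile(r"^crypto ipsec transform-set (\S+)\s+(.+)$", re.M)
MAP_TRANSFORM_RE = re.compile(r"^crypto map \S+ \d+ set transform-set (.+)$", re.M)

# Constructed config excerpts modelled on the thread (not the poster's real configs).
LOCAL_CFG = """
crypto ipsec transform-set remote_trans esp-aes-256 esp-sha-hmac
crypto map remote_map 30 match address REMOTE
crypto map remote_map 30 set peer 2.2.2.2
crypto map remote_map 30 set transform-set remote_trans
"""
REMOTE_CFG = """
crypto ipsec transform-set to_hq esp-aes-256 esp-sha-hmac
crypto ipsec transform-set legacy esp-3des esp-md5-hmac
crypto map outside_map 10 match address TO_HQ
crypto map outside_map 10 set peer 1.1.1.1
crypto map outside_map 10 set transform-set to_hq
"""

# Constructed license view: the ESP ciphers each box is allowed to negotiate.
# Assumption for the example: the remote peer has no AES entitlement.
LOCAL_LICENSED_ENC = {"esp-des", "esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256"}
REMOTE_LICENSED_ENC = {"esp-des", "esp-3des"}


def parse_transform_sets(cfg):
    """Map transform-set name -> (encryption keyword, integrity keyword)."""
    sets = {}
    for m in TRANSFORM_SET_RE.finditer(cfg):
        name, words = m.group(1), m.group(2).split()
        enc = next((w for w in words if w in ENC_KEYWORDS), "unknown")
        auth = next((w for w in words if w in AUTH_KEYWORDS), "unknown")
        sets[name] = (enc, auth)
    return sets


def bound_proposals(cfg):
    """Only transform-sets referenced by a crypto map are offered in Phase 2."""
    sets = parse_transform_sets(cfg)
    offered = set()
    for m in MAP_TRANSFORM_RE.finditer(cfg):
        for name in m.group(1).split():
            if name in sets:
                offered.add(sets[name])
    return offered


def diagnose(local_cfg, local_enc, remote_cfg, remote_enc):
    """Return a list of findings; an empty list means a common, licensed proposal exists."""
    findings = []
    usable = {}
    for side, cfg, allowed in (("local", local_cfg, local_enc), ("remote", remote_cfg, remote_enc)):
        offered = bound_proposals(cfg)
        if not offered:
            findings.append(f"{side}: no transform-set is bound to any crypto map")
        usable[side] = {p for p in offered if p[0] in allowed}
        for enc, auth in sorted(offered - usable[side]):
            findings.append(f"{side}: {enc}/{auth} is bound to a crypto map but {enc} is not licensed here")
    if not usable["local"] & usable["remote"]:
        findings.append("no Phase 2 proposal is common to both peers; expect 'No proposal chosen (14)'")
    return findings


if __name__ == "__main__":
    print("As configured:")
    for line in diagnose(LOCAL_CFG, LOCAL_LICENSED_ENC, REMOTE_CFG, REMOTE_LICENSED_ENC):
        print("  -", line)
    # The fix from post #5: move both sides to 3DES.
    fixed_local = LOCAL_CFG.replace("esp-aes-256", "esp-3des")
    fixed_remote = REMOTE_CFG.replace("esp-aes-256", "esp-3des")
    print("After switching to 3DES:", diagnose(fixed_local, LOCAL_LICENSED_ENC, fixed_remote, REMOTE_LICENSED_ENC) or "OK")
```

Run it as-is and the first report names the unlicensed AES transform on the remote side and predicts the "No proposal chosen (14)" notify; after rewriting both transform-sets to 3DES the report is empty. Feeding it the two real running-configs (`show running-config crypto` on each ASA) answers the poster's question of where the Phase 2 proposal lives: it is the transform-set bound by the crypto map entry, not the `crypto isakmp policy`, which governs Phase 1.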

          • #6
            Re: IKE phase 2 failure: No proposal chosen (14)

            So not the same encryption settings
            Marcel
