343
IKE negotiation failed because no IKE proposals or IKE
keychains are specified correctly
Symptom
1. The IKE SA is in Unknown state.
<Sysname> display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
1 192.168.222.5 Unknown IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING
2. The following IKE event debugging or packet debugging message appeared:
IKE event debugging message:
Notification PAYLOAD_MALFORMED is received.
IKE packet debugging message:
Construct notification packet: PAYLOAD_MALFORMED.
Analysis
• If the following debugging information appeared, the matched IKE profile is not using the
matched IKE proposal:
Failed to find proposal 1 in profile profile1.
• If the following debugging information appeared, the matched IKE profile is not using the
matched IKE keychain:
Failed to find keychain keychain1 in profile profile1.
Solution
• Verify that the matched IKE proposal (IKE proposal 1 in this debugging message example) is
specified for the IKE profile (IKE profile 1 in the example).
• Verify that the matched IKE keychain (IKE keychain 1 in this debugging message example) is
specified for the IKE profile (IKE profile 1 in the example).
IPsec SA negotiation failed because no matching IPsec
transform sets were found
Symptom
1. The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is
in RD state, but the display ipsec sa command shows that the expected IPsec SA has not
been negotiated yet.
2. The following IKE debugging message appeared:
The attributes are unacceptable.
Or:
Construct notification packet: NO_PROPOSAL_CHOSEN.
Analysis
Certain IPsec policy settings are incorrect.
To Next Page
Loading...
Need help?
General