SRX Dynamic VPN - No proposal chosen (14)


When trying to connect via Dynamic VPN, your client displays the following error:

        IKE Negotiations Failed

Within the output of the IKE debug logs you see the following error:

        Jul 26 11:35:46 ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..0] = 00000000 00000000 ..., data[0..0] = 00000000 00000000 ...
        Jul 26 11:35:46 (Responder) <-> { 00fe74bf 0a35dc4b - 6b54adf2 f3b80138 [0] / 0x96a65592 } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it


This can occur when users do not correctly log out of the VPN client. The corresponding IKE cookie is then not correctly removed. Because the IKE cookie contains the IP address and user name of the client, the user cannot then connect from the same IP address.

To ensure the IKE cookie is removed, an idle-timeout setting (of 5 minutes) is defined:

        root# set security ipsec vpn <VPN> ike idle-time 300
        root# commit
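
To find which IKE SAs were deleted with this error in a saved debug log, the two line formats quoted above can be parsed as follows. This is an added example, not part of the original article or of Junos; the function names are hypothetical, and reading the two hex pairs inside the braces as the initiator and responder cookies is an assumption.

```python
import re

# Lines 1-2 are the debug output quoted in this article; line 3 is constructed
# so the parser also sees a notify that is not code 14.
SAMPLE = """\
Jul 26 11:35:46 ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..0] = 00000000 00000000 ..., data[0..0] = 00000000 00000000 ...
Jul 26 11:35:46 (Responder) <-> { 00fe74bf 0a35dc4b - 6b54adf2 f3b80138 [0] / 0x96a65592 } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
Jul 26 11:36:02 ike_st_i_n: Start, doi = 1, protocol = 1, code = Invalid cookie (4), spi[0..0] = 00000000 00000000 ..., data[0..0] = 00000000 00000000 ...
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
NOTIFY = r"(?P<name>[A-Za-z ]+?) \((?P<code>\d+)\)"
# "ike_st_i_n" line: an incoming notify payload with its name and numeric code.
PAYLOAD_RE = re.compile(rf"^{TS} ike_st_i_n: .*?code = {NOTIFY}")
# SA line: local role, two cookies (assumed initiator - responder), then the
# notify that caused the ISAKMP SA to be deleted.
SA_RE = re.compile(
    rf"^{TS} \((?P<role>\w+)\) <-> \{{ (?P<cookie_i>[0-9a-f]{{8}} [0-9a-f]{{8}}) - "
    rf"(?P<cookie_r>[0-9a-f]{{8}} [0-9a-f]{{8}}) .*?Received notify err = {NOTIFY}")


def parse_notifies(text):
    """Return one dict per IKE notify found in the debug log text."""
    events = []
    for line in text.splitlines():
        m = SA_RE.match(line) or PAYLOAD_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["code"] = int(ev["code"])
            events.append(ev)
    return events


def torn_down_sas(text, code=14):
    """Unique (role, cookie_i, cookie_r) of SAs deleted after the given notify."""
    return sorted({(e["role"], e["cookie_i"], e["cookie_r"])
                   for e in parse_notifies(text)
                   if e["code"] == code and "role" in e})


if __name__ == "__main__":
    for role, ci, cr in torn_down_sas(SAMPLE):
        print(f"{role}: SA {ci} / {cr} deleted after No proposal chosen (14)")
```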


About the Author


R Donato

Rick Donato is the Founder and Chief Editor of He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001