SRX Dynamic VPN – No proposal chosen (14)

Issue

When trying to connect via Dynamic VPN, your client displays the following error:

        IKE Negotiations Failed

Within the output of the IKE debug logs you see the following error:

Jul 26 11:35:46 ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..0] = 00000000 00000000 …, data[0..0] = 00000000 00000000 …
Jul 26 11:35:46 8.1.2.3:500 (Responder) <-> 9.1.2.3:13820 { 00fe74bf 0a35dc4b – 6b54adf2 f3b80138 [0] / 0x96a65592 } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it

Solution

This can occur when users do not correctly log out of the VPN client. The corresponding IKE cookie is then not correctly removed. As the IKE cookie contains the IP address and user name of the client, the user cannot then reconnect from the same IP address until the stale cookie is cleared.

To ensure the IKE cookie is removed, an idle-time setting of 5 minutes (300 seconds) is defined on the VPN:

root# set security ipsec vpn <VPN> ike idle-time 300
root# commit
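To spot which clients are affected before applying the fix, the debug lines shown above can be parsed to pull out the peer IP, the IKE cookie pair and the notify code. The script below is an added example written for this article; it is not Juniper code and not part of the original post. The first sample line is the one quoted above, the other lines (other peer addresses, the code-18 notify) are constructed for illustration.

```python
import re
from collections import Counter

# Matches the "Received notify err = ... (N)" line format from the Junos IKE
# debug output quoted in the article. The initiator/responder cookie pair sits
# between the braces; the separator is "-" in the log but often becomes an
# en dash (U+2013) when copied into a ticket, so both are accepted.
NOTIFY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<local>\d{1,3}(?:\.\d{1,3}){3}):(?P<lport>\d+)\s+"
    r"\((?P<role>Initiator|Responder)\)\s+<->\s+"
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}):(?P<pport>\d+)\s+"
    r"\{\s*(?P<icookie>[0-9a-f]{8} [0-9a-f]{8})\s*[-\u2013]\s*"
    r"(?P<rcookie>[0-9a-f]{8} [0-9a-f]{8})\s*\[\d+\]\s*/\s*0x[0-9a-f]+\s*\}"
    r".*?Received notify err = (?P<reason>[^(]+?)\s*\((?P<code>\d+)\)"
)

# Constructed sample log: line 0 is the article's own line, the rest are made up.
SAMPLE_LOG = [
    "Jul 26 11:35:46 8.1.2.3:500 (Responder) <-> 9.1.2.3:13820 "
    "{ 00fe74bf 0a35dc4b \u2013 6b54adf2 f3b80138 [0] / 0x96a65592 } "
    "Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it",
    "Jul 26 11:36:02 8.1.2.3:500 (Responder) <-> 9.1.2.3:13821 "
    "{ 11aa22bb 33cc44dd - 55ee66ff 77889900 [0] / 0x1a2b3c4d } "
    "Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it",
    "Jul 26 11:37:15 8.1.2.3:500 (Responder) <-> 9.1.2.4:500 "
    "{ aabbccdd eeff0011 - 22334455 66778899 [0] / 0x0badcafe } "
    "Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it",
    "Jul 26 11:35:46 ike_st_i_n: Start, doi = 1, protocol = 1, "
    "code = No proposal chosen (14), spi[0..0] = 00000000 00000000",
    "Jul 26 11:38:40 8.1.2.3:500 (Responder) <-> 9.1.2.5:4500 "
    "{ 01234567 89abcdef - fedcba98 76543210 [0] / 0xdeadbeef } "
    "Info; Received notify err = Invalid ID information (18) to isakmp sa, delete it",
]


def parse_notify(line):
    """Parse one IKE notify-error line; return a dict of fields, or None if it is not one."""
    m = NOTIFY_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    rec["lport"] = int(rec["lport"])
    rec["pport"] = int(rec["pport"])
    rec["reason"] = rec["reason"].strip()
    return rec


def stale_peers(lines, code=14):
    """Count notify errors with the given code per peer IP.

    With the default code 14 ("No proposal chosen") the result lists the client
    addresses whose previous session most likely left a stale IKE cookie behind.
    """
    counts = Counter()
    for line in lines:
        rec = parse_notify(line)
        if rec is not None and rec["code"] == code:
            counts[rec["peer"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for peer, n in sorted(stale_peers(SAMPLE_LOG).items()):
        print(f"{peer}: {n} x 'No proposal chosen (14)'")
```

Run it against a saved debug file by replacing SAMPLE_LOG with the file's lines; a peer that keeps appearing here while its user reports "IKE Negotiations Failed" is the pattern the idle-time setting above is meant to clear.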

Rick Donato
