fir3net

SRX Dynamic VPN - No proposal chosen (14)

Issue

When trying to connect via Dynamic VPN, your client displays the following error:

        IKE Negotiations Failed

Within the output of the IKE debug logs you see the following error:

Jul 26 11:35:46 ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..0] = 00000000 00000000 ..., data[0..0] = 00000000 00000000 ...
Jul 26 11:35:46 8.1.2.3:500 (Responder) <-> 9.1.2.3:13820 { 00fe74bf 0a35dc4b - 6b54adf2 f3b80138 [0] / 0x96a65592 } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it

Solution

This can occur when users do not log out of the VPN client correctly, so the corresponding IKE cookie is not removed. Because the IKE cookie contains the IP address and user name of the client, the user cannot then reconnect from the same IP address.

To ensure the IKE cookie is removed, an idle timeout (of 5 minutes) is defined:

root# set security ipsec vpn <VPN> ike idle-time 300
root# commit
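
To check from the IKE debug log whether a client is repeatedly hitting this condition, the following added example (not part of the original article) parses the "Received notify err" line format shown above and groups No proposal chosen (14) failures by client IP. The function names, the `min_hits` threshold and every sample line after the first two are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the "Received notify err" line format shown in the debug output above.
NOTIFY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<local>[\d.]+):(?P<lport>\d+) \((?P<role>Responder|Initiator)\) <-> "
    r"(?P<remote>[\d.]+):(?P<rport>\d+) "
    r"\{ (?P<icookie>[0-9a-f]{8} [0-9a-f]{8}) - (?P<rcookie>[0-9a-f]{8} [0-9a-f]{8}) .*?\} "
    r"\w+; Received notify err = (?P<err>.+?) \((?P<code>\d+)\)"
)
NO_PROPOSAL_CHOSEN = 14  # notify code from the error in this article

def parse_notify(line):
    """Return the fields of one notify-error line, or None for any other line."""
    m = NOTIFY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    return rec

def repeat_failures(lines, min_hits=2):
    """Group code-14 notifies by client IP; min_hits is an assumed threshold."""
    peers = defaultdict(lambda: {"hits": 0, "ports": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_notify(line)
        if rec is None or rec["code"] != NO_PROPOSAL_CHOSEN:
            continue  # skip non-notify lines and other notify codes
        p = peers[rec["remote"]]
        p["hits"] += 1
        p["ports"].add(int(rec["rport"]))  # source port changes on each retry
        p["first"] = p["first"] or rec["ts"]
        p["last"] = rec["ts"]
    return {ip: p for ip, p in peers.items() if p["hits"] >= min_hits}

# First two lines are the article's own log output; the rest are constructed.
SAMPLE_LOG = """\
Jul 26 11:35:46 ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..0] = 00000000 00000000 ..., data[0..0] = 00000000 00000000 ...
Jul 26 11:35:46 8.1.2.3:500 (Responder) <-> 9.1.2.3:13820 { 00fe74bf 0a35dc4b - 6b54adf2 f3b80138 [0] / 0x96a65592 } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
Jul 26 11:36:12 8.1.2.3:500 (Responder) <-> 9.1.2.3:13877 { 11aa22bb 33cc44dd - 55ee66ff 77889900 [0] / 0x1b2c3d4e } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
Jul 26 11:37:03 8.1.2.3:500 (Responder) <-> 192.0.2.10:500 { aabbccdd 00112233 - 44556677 8899aabb [0] / 0x0a0b0c0d } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
Jul 26 11:38:30 8.1.2.3:500 (Responder) <-> 9.1.2.3:13901 { 0f1e2d3c 4b5a6978 - 8796a5b4 c3d2e1f0 [0] / 0x5e6f7a8b } Info; Received notify err = Authentication failed (24) to isakmp sa, delete it
""".splitlines()

if __name__ == "__main__":
    for ip, p in repeat_failures(SAMPLE_LOG).items():
        print(f"{ip}: {p['hits']} failures {p['first']} -> {p['last']}, ports {sorted(p['ports'])}")
```

A single hit can also come from a genuine proposal mismatch between client and gateway, which is why one-off failures are filtered out by default.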

Tags: VPN

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001