SRX Dynamic VPN – No proposal chosen (14)


When connecting trying to connect via Dynamic VPN your client displays the following error:

        IKE Negotiations Failed

Within the output of the IKE debug logs you see the following error:

Jul 26 11:35:46 ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..0] = 00000000 00000000 …, data[0..0] = 00000000 00000000 …
Jul 26 11:35:46 (Responder) <-> { 00fe74bf 0a35dc4b – 6b54adf2 f3b80138 [0] / 0x96a65592 } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it


This can occur when users do not correctly logout of the VPN client. The corresponding IKE cookie is not then correctly removed. As the IKE cookie contains the IP address and user name of the client, the user can then not connect via their same IP address.

To ensure the IKE cookie is removed a idle-timeout setting (of 5 minutes) is defined.

root# set security ipsec vpn <VPN> ike idle-time 300
root# commit

Rick Donato

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial