VPN Errors

The table below lists common errors that indicate problems in an IPsec VPN tunnel. The log messages inform you about the stage of negotiations and then give the actual error message, for example, “IKE Phase-2 error: No proposal chosen”. The table lists only the actual message part without additional variable details such as IP addresses or identifiers.

| Error message | Description |
|---|---|
| Access group mismatch | The connecting VPN client is not authorized. |
| Authentication failed | One of the parties rejected the authentication credentials or something went wrong during the authentication process. If the problem is not apparent in the available logs, activate diagnostics to generate more verbose logs that give you more information about the next negotiations. |
| Authentication method mismatch | The authentication method used by the other gateway is not allowed in the configuration of this gateway. Check the settings in the VPN Profile that is selected for this VPN. |
| Can not get policy [...] No matching connection | May indicate that the gateway has no valid VPN certificate. |
| Can not get QM policy [...] | Indicates a mismatch in granularity settings between the negotiating gateways. In StoneGate, granularity is controlled with the Security Association Granularity setting on the IPsec Settings tab of the VPN Profile. |
| Could not allocate inbound SPI<br>Could not create outbound IPsec rule<br>Could not register outbound SPI<br>Old outbound SPI entry not found<br>Out of memory<br>SA install failed<br>Session attaching failed<br>Transform creation failed | Indicates that the gateway has run out of memory. The reasons for this may include inappropriate configuration settings (such as using the “SA per host” setting with a very large number of hosts) in addition to other considerations (such as hardware specifications). |
| Dead peer detection failed<br>IKE peer was found dead [...] | Dead peer detection checks the other gateway periodically while the VPN is established. If no response is received, the VPN tunnel is closed. Indicates that the other gateway is down, unreachable, or considers the VPN tunnel already closed. |
| Encapsulation mode mismatch | Encapsulation modes (AH and/or ESP) did not match between gateways. |
| IKE error notify received: [...] | This message is visible only when IPsec diagnostics are enabled. The other gateway has sent the error notification that is shown in this message. |
| IKE negotiation rate-limit reached, discard connection | This message is visible only when IPsec diagnostics are enabled. There is an excessive number of new VPN connection attempts within a short period of time. This mechanism is meant to protect the firewall from certain types of denial-of-service attacks. |
| Invalid argument<br>Invalid syntax | Generic error. Check the other log messages for more useful information. If the problem is not apparent in the available logs, activate diagnostics to generate more verbose logs that give you more information about the next negotiations. |
| IPsec SA proposal not accepted | This message is visible only when IPsec diagnostics are enabled. The VPN gateway at the other end of the tunnel sent a proposal that the StoneGate gateway could not accept. This message includes information about the rejected proposal, and a further log message should contain information on StoneGate’s local proposal. |
| NAT-T is not allowed for this peer | This message is visible only when IPsec diagnostics are enabled. NAT-T was requested by the other gateway, but it is not allowed in the configuration of the gateway that sends this message. |
| No proposal chosen | IKE negotiations failed. If the problem is not apparent in the available logs, activate diagnostics to generate more verbose logs that give you more information about the next negotiations. |
| Payload malformed [...] | Most likely due to a mismatch in preshared keys between the initiator and the responder. May also be due to corruption of packets in transit. |
| Peer IP address mismatch | The IP address that the other gateway uses is not configured as a VPN gateway end-point on this gateway. |
| Proposal did not match policy | There is a mismatch in the configurations of the two negotiating parties. |
| Remote address not allowed | A VPN client is trying to use an IP address that is outside the allowed address range. Make sure all valid IP addresses are actually included in the range of allowed addresses in the Internal VPN Gateway properties, and check the DHCP server configuration. |
| Remote ID mismatch<br>Remote identity [...] used in IKE negotiation doesn’t match to policy [...] | The IKE Phase 1 ID defined for the external security gateway in StoneGate is different from the ID with which the gateway actually identified itself. The ID and its type are set for each tunnel End-Point in the properties of the external Gateway. Note that if an IP address is used as the identity, that IP address may be different from the IP address used for communications. |
| SA unusable | Usually means that an SA is being deleted when new traffic arrives to use the tunnel. |
| Sending error notify: [...] | This message is visible only when IPsec diagnostics are enabled. Negotiations have failed and StoneGate is sending the error notification that is shown in this message to the other gateway. |
| SPD doesn’t allow connection [...] | Most likely indicates that the Site definitions do not match the IP addresses used. Check the addresses included under the Sites for both Gateways, and also that the translated addresses are included under the Site if NAT is used for communications inside the VPN. |
| Timed out | Indicates connection problems, or that the other end has deleted the SA that StoneGate is using in the negotiation. Check the logs at the other end to see whether the connection makes it through. |
| Traffic selector mismatch | There is a mismatch in the configurations of the two negotiating parties. You must define a matching pair for all settings; double-check all settings at both ends. |
| Tunnel policy mismatch [...] | This message is visible only when IPsec diagnostics are enabled. Usually indicates that IKE negotiations failed because of a mismatch in the configurations of the two negotiating parties. |
| Tunnel selection failed | An Access rule matched this connection, but the traffic could not be sent across the VPN. Most likely, this is because the (possibly NATed) source or destination IP address is not included in the local or remote gateway’s Site as required. This message also appears if a connection that is not intended for the VPN matches the VPN rule (note that inbound cleartext traffic can be allowed from the same addresses as tunneled traffic with the Apply action in the VPN rule). |
| Tunnel type mismatch [...] | This message is visible only when IPsec diagnostics are enabled. Only gateway-to-gateway VPN or client-to-gateway VPN is configured, but the connecting device is of the other type. For example, a VPN client tried to connect, but VPN client access is not configured (correctly) on the gateway. |
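As an added triage example (not part of the original documentation or of StoneGate itself), the script below matches log lines against the fixed part of the messages in the table, aggregates them per peer, and lists peers that repeatedly trigger the IKE negotiation rate limit. The exact line shape ("<stage>: <message> <variable details>"), the triage categories and the sample addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Message texts are from the table above; the triage category for each is my assumption.
KNOWN_ERRORS = {
    "Authentication failed": "authentication",
    "Authentication method mismatch": "config-mismatch",
    "Can not get QM policy": "config-mismatch",
    "IKE negotiation rate-limit reached, discard connection": "rate-limit",
    "No proposal chosen": "config-mismatch",
    "Payload malformed": "psk-or-corruption",
    "Remote ID mismatch": "config-mismatch",
    "Timed out": "connectivity",
}
# Assumed line shape (constructed): "<stage>: <message> <variable details>", e.g.
# "IKE Phase-2 error: No proposal chosen (peer 203.0.113.10)".
STAGE_RE = re.compile(r"^(?P<stage>[^:]+): (?P<rest>.+)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def classify(line):
    """Map one line to (stage, table message, category, peer); None if it is not an error line."""
    m = STAGE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    peer = next(iter(IPV4_RE.findall(rest)), "-")   # first IPv4 address in the variable details
    for msg, category in KNOWN_ERRORS.items():
        if rest.startswith(msg):  # "[...]" parts of table entries vary, so match the fixed prefix
            return m.group("stage"), msg, category, peer
    return m.group("stage"), rest, "unknown", peer

def triage(lines, rate_limit_threshold=3):
    """Count categories per peer; list peers that hit the IKE rate limit repeatedly."""
    per_peer = defaultdict(Counter)
    for line in lines:
        parsed = classify(line)
        if parsed:
            _stage, _msg, category, peer = parsed
            per_peer[peer][category] += 1
    flagged = sorted(p for p, c in per_peer.items() if c["rate-limit"] >= rate_limit_threshold)
    return dict(per_peer), flagged

# Constructed sample lines in the assumed shape (not real StoneGate output).
SAMPLE_LOG = [
    "IKE Phase-1 error: Authentication failed (peer 203.0.113.10)",
    "IKE Phase-2 error: No proposal chosen (peer 203.0.113.10)",
    "IKE Phase-2 error: Can not get QM policy for peer 203.0.113.10",
    "IKE Phase-1 error: Timed out (peer 192.0.2.4)",
] + ["IKE Phase-1 error: IKE negotiation rate-limit reached, discard connection (peer 198.51.100.7)"] * 3
```

Running `triage(SAMPLE_LOG)` groups the two configuration mismatches and the authentication failure under 203.0.113.10 and lists 198.51.100.7 as the peer that tripped the rate limit three times; "unknown" categories are the lines worth reading in full.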