VPN errors
The following table lists common errors that indicate problems in an IPsec VPN tunnel.
The log messages inform you about the stage of negotiations and then give the actual error message, for example, “IKE Phase-2 error: No proposal chosen.” The table lists only the actual message part without more variable details such as IP addresses or identifiers.
Error message | Description |
---|---|
Access group mismatch | The connecting VPN client is not authorized. |
Authentication failed | One of the parties rejected the authentication credentials or something went wrong during the authentication process. If the problem is not apparent in the available logs, activate diagnostics to generate more verbose logs that give you more information about the next negotiations. |
Authentication method mismatch | The authentication method used by the other gateway is not allowed in the configuration of this gateway. Check the settings in the VPN Profile that is selected for this VPN. |
Cannot get policy [...] No matching connection | Might indicate that the gateway has no valid VPN certificate. |
Can not get QM policy [...] |
Indicates that there is a mismatch in granularity settings between the negotiating gateways. In the Firewall/VPN, granularity is controlled with the Security Association Granularity setting on the IPsec Settings tab of the VPN Profile. |
Could not allocate inbound SPI | Indications that the gateway has run out of memory. The reason for this might be inappropriate configuration settings (such as using the "SA per host" setting with a very large number of hosts) in addition to other reasons (such as hardware specifications). |
Could not create outbound IPsec rule | |
Could not register outbound SPI | |
Old outbound SPI entry not found | |
Out of memory | |
SA install failed | |
Session attaching failed | |
Transform creation failed | |
Dead peer detection failed IKE peer was found dead [...] |
Dead peer detection checks the other gateway periodically when the VPN is established. If no response is received, the VPN tunnel is closed. Indicates that the other gateway is down, unreachable, or considers the VPN tunnel already closed. |
Encapsulation mode mismatch | Encapsulation modes (AH or ESP) did not match between gateways. |
IKE error notify received: [...] |
This message is visible only when IPsec diagnostics are enabled. The other gateway has sent the error notification that is shown in this message. |
IKE negotiation rate-limit reached, discard connection |
This message is visible only when IPsec diagnostics are enabled. There is an excessive number of new VPN connection attempts within a short period of time. This mechanism is meant to protect the firewall from certain types of denial-of-service attacks. |
Invalid argument | Generic error. Check the other log messages for more useful information. If the problem is not apparent in the available logs, activate diagnostics to generate more verbose logs that give you more information about the next negotiations. |
Invalid syntax | |
IPsec SA proposal not accepted |
This message is visible only when IPsec diagnostics are enabled. The VPN gateway at the other end of the tunnel sent a proposal that the Firewall/VPN gateway could not accept. This message includes information about the rejected proposal and a further log message should contain information about the Firewall/VPN's local proposal. |
NAT-T is not allowed for this peer |
This message is visible only when IPsec diagnostics are enabled. NAT-T was requested by the other gateway but it is not allowed in the configuration of the gateway that sends this message. |
No proposal chosen | IKE negotiations failed. If the problem is not apparent in the available logs, activate diagnostics to generate more verbose logs that give you more information about the next negotiations. |
Payload malformed [...] | Most likely due to a mismatch in preshared keys between the initiator and the responder. The reason might also be corruption of packets in transit. |
Peer IP address mismatch | The IP address of the other gateway uses is not configured as a VPN gateway end-point on this gateway. |
Proposal did not match policy | There is a mismatch in the configurations of the two negotiating parties. |
Remote address not allowed | A VPN client is trying to use an IP address that is out of the allowed address range. Make sure that all valid IP addresses are actually included in the range of allowed addresses for VPN Gateway and check the DHCP server configuration. |
Remote ID mismatch | The IKE Phase 1 ID defined for the external VPN gateway in the SMC is different from the ID with which the gateway actually identified itself. The ID and its type are set for each tunnel End-Point in the properties of the external Gateway. Note that if an IP address is used as identity, the IP address used as the identity can be different from the IP address used for communications. |
Remote identity [...] used in IKE negotiation doesn't match to policy [...] | |
SA unusable | Usually means that an SA is being deleted when some new traffic arrives to use the tunnel. |
Sending error notify: [...] |
This message is visible only when IPsec diagnostics are enabled. Negotiations have failed and the Firewall/VPN is sending the error notification that is shown in this message to the other gateway. |
SPD doesn't allow connection [...] | Most likely indicates that the Site definitions do not match the IP addresses used. Check the addresses included under the Sites for both Gateways, and also that the translated addresses are included under the Site, if NAT is used for communications inside the VPN. |
Timed out | Indicates connection problems or that the other end has deleted the SA that the Firewall/VPN is using in the negotiation. Check the logs at the other end to see if the connection makes it through. |
Traffic selector mismatch | There is a mismatch in the configurations of the two negotiating parties. You must define a matching pair for all settings; double-check all settings at both ends. |
Tunnel policy mismatch [...] |
This message is visible only when IPsec diagnostics are enabled. Usually indicates that IKE negotiations failed because of a mismatch in the configurations of the two negotiating parties. |
Tunnel selection failed | An Access rule matched this connection, but the traffic could not be sent across the VPN. Most likely, this is due to the (possibly NATed) source or destination IP address not being included in the local or remote gateway's Site as required. This message also appears if a connection that is not intended for the VPN matches the VPN rule. Inbound cleartext traffic can be allowed from the same addresses as tunneled traffic with the Apply action in the VPN rule). |
Tunnel type mismatch [...] |
This message is visible only when IPsec diagnostics are enabled. Only site-to-site VPN or mobile VPN is configured, but the connecting device is of the other type. For example, a VPN client tries to connect, but VPN client access is not configured (correctly) on the gateway. |