No proposal chosen on FMC managed FTDv - any helpful debug commands?

Valkyrie3
Level 1

I have an FMC 2700 on version 7.4.2.1 which is managing an FTDv running 7.2.9 and having a problem getting a site to site VPN working, it's the 5th one I've set up and the first one to this particular company (the other four have all worked fine first time) and in the FMC it shows an amber status with No Active Data.  I've tried pinging an address on the site the VPN is connecting to and running an external packet capture and I can see the firewall does send data on port 500 to the other site and it gets a response back on port 500.  That packet contains the message 'Notify Message Type: NO_PROPOSAL_CHOSEN (14)'

On the FMC Enable logging to Secure Firewall Management Center is enabled and when I set logging to 7 - debugging and check Devices-VPN-Troubleshooting I can see the same sequence and message "IKEv2 Negotiation aborted due to ERROR: Received no proposal chosen notify"

I tried adding debug crypto ikev2 platform and protocol commands to the firewall but I couldn't see any additional data in the logs.  Are there any debug commands that would help with this error and would they show in VPN troubleshooting logs?

12 Replies

nspasov
Cisco Employee

Hard to tell without additional details but most likely you have a mismatched crypto configuration. A few questions:

  1. Are both VPN devices FTD?
  2. What does the output from packet-tracer look like?
  3. Can you share the crypto configurations from both devices?

Thank you for rating helpful posts!

Valkyrie3
Level 1

Thanks for the reply, I take it there aren't any further debug commands which would help narrow the problem down further?

1 - I don't know what the other device is and the next step is to speak further with the other company and compare settings, I was wanting to ensure there wasn't a mistake on my side

2 - If I run the command packet-tracer input inside icmp <internal IP> 8 0 <remote VPN ID> detailed, it passes until Phase 8 when it shows type VPN, Subtype encrypt, Result Drop.  The result shows Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055856b18eaf0 flow (NA)/NA

I've checked the ACL hit counts and the correct permit rule is definitely incrementing when I run this command although I don't really understand what this command can do if the tunnel itself isn't coming up?  I've run an external packet capture at the same time and I can see the same packets on port 500 going out to the other endpoint and coming back with the no proposal chosen message

3 - I've not seen the other side's config but they provided this (plus the key):

Phase 1
Encryption Scheme – IKE v2
Encryption Algorithm – AES256
Hashing Algorithm – SHA512
DH Group – 21
Lifetime – 28800

Phase 2
Encapsulation – ESP
Encryption Scheme – IKE v2
Encryption Algorithm – AES256
Authentication Algorithm – SHA512
DH Group – 21
Lifetime – 3600

I think this is the relevant output from the firewall after running show run crypto and removing the other VPNs on my side:
crypto ipsec ikev2 ipsec-proposal CSM_IP_2
protocol esp encryption aes-256
protocol esp integrity sha-512
crypto map CSM_Outside_map 5 match address CSM_IPSEC_ACL_6
crypto map CSM_Outside_map 5 set pfs group21
crypto map CSM_Outside_map 5 set peer <remote IP>
crypto map CSM_Outside_map 5 set ikev2 ipsec-proposal CSM_IP_2
crypto map CSM_Outside_map 5 set security-association lifetime seconds 3600
crypto map CSM_Outside_map 5 set reverse-route
crypto map CSM_Outside_map interface Outside
crypto isakmp identity address
crypto ikev2 policy 3
encryption aes-256
integrity sha512
group 21
prf sha512
lifetime seconds 28800
crypto ikev2 enable Outside

Debug ikev2 protocol <10>

Debug ikev2 packet <10>

Please share output of above 

MHM

Where will the output of the commands show? If I set the main logging or VPN logging to 7-debug I get a lot of messages and I'm not sure of the easiest way to find the specific ones relating to the debug commands.  The logging is configured to send debug messages to syslog; if I turn that off will it only show the debug message output from those commands in the console?

Access the FTD via the CLI and run the debug.

MHM

I couldn't find a packet option so I ran the debug crypto ikev2 platform 10 and debug crypto ikev2 protocol 10 commands, which produced the output below (there's a lot of other VPN traffic but I think this is everything related to the one I'm troubleshooting).

I'm a bit confused why it's showing messages about the DH group as 19 not 21:

IKEv2-PROTO-4: (1208): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19

IKEv2-PLAT-4: Received PFKEY Acquire SA for SPI 0x0, error FALSE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: attempting to find tunnel group for IP: <VPN Target IP>
IKEv2-PLAT-4: mapped to tunnel group <VPN Target IP> using peer IP
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: my_auth_method = 2
IKEv2-PLAT-4: supported_peers_auth_method = 2
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: ISAKMP P1 ID = 254
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: Received PFKEY SPI callback for SPI 0x5A1109D8, error FALSE
IKEv2-PLAT-4:
IKEv2 received all requested SPIs from CTM to initiate tunnel.
IKEv2-PLAT-4: tp_name set to:
IKEv2-PLAT-4: tg_name set to: <VPN Target IP>
IKEv2-PLAT-4: tunn grp type set to: L2L
IKEv2-PLAT-7: New ikev2 sa request admitted
IKEv2-PLAT-7: Incrementing outgoing negotiating sa count by one
IKEv2-PROTO-7: (1208): SM Trace-> SA: I_SPI=3476ED28CD832C62 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (1208): SM Trace-> SA: I_SPI=3476ED28CD832C62 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (1208): SM Trace-> SA: I_SPI=3476ED28CD832C62 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (1208): Setting configured policies
IKEv2-PROTO-7: (1208): SM Trace-> SA: I_SPI=3476ED28CD832C62 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (1208): SM Trace-> SA: I_SPI=3476ED28CD832C62 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (1208): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
IKEv2-PROTO-4: (1208): Request queued for computation of DH key
IKEv2-PROTO-7: (1208): SM Trace-> SA: I_SPI=3476ED28CD832C62 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (1208): SM Trace-> SA: I_SPI=3476ED28CD832C62 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (1208): Action: Action_Null
IKEv2-PROTO-7: (1208): SM Trace-> SA: I_SPI=3476ED28CD832C62 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (1208): SM Trace-> SA: I_SPI=3476ED28CD832C62 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (1208): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (1208): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
(1208): AES-CBC(1208): SHA256(1208): SHA256(1208): DH_GROUP_256_ECP/Group 19IKEv2-PROTO-4: (1208): IKE Proposal: 2, SPI size: 0 (initial negotiation),
Num. transforms: 4
(1208): AES-CBC(1208): SHA512(1208): SHA512(1208): DH_GROUP_521_ECP/Group 21IKEv2-PROTO-7: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-7: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-7: Construct Notify Payload: IKEV2_FRAGMENTATION_SUPPORTEDIKEv2-PROTO-7: Construct Vendor Specific Payload: FRAGMENTATION(1208):
IKEv2-PROTO-4: (1208): Sending Packet [To <VPN Target IP>:500/From <VPN Source IP>:500/VRF i0:f0]
(1208): Initiator SPI : 3476ED28CD832C62 - Responder SPI : 0000000000000000 Message id: 0
(1208): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (1208): Next payload: SA, version: 2.0 (1208): Exchange type: IKE_SA_INIT, flags: INITIATOR (1208): Message id: 0, length: 426(1208):
Payload contents:
(1208): SA(1208): Next payload: KE, reserved: 0x0, length: 92
(1208): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(1208): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1208): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(1208): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(1208): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(1208): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4(1208): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1208): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
(1208): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
(1208): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
(1208): KE(1208): Next payload: N, reserved: 0x0, length: 72
(1208): DH group: 19, Reserved: 0x0
(1208):
(1208): 83 d9 e9 7f 85 59 1d 4a 78 0a 6d 06 ea a0 92 3f
(1208): 95 a5 71 46 dd 86 89 26 bc 4c 77 09 df ca d8 b9
(1208): 1b 66 86 e9 4d 9e 83 a8 ed e0 c1 61 10 ef 87 5d
(1208): 6f bc dd 80 0f 6f 79 b1 31 87 43 79 da 94 de b0
(1208): N(1208): Next payload: VID, reserved: 0x0, length: 68
(1208):
(1208): da ce 66 52 35 48 c8 0f a8 f5 85 90 5d c0 1e bf
(1208): a8 83 b0 0c df ff ca f9 a3 ec bc aa ab 49 97 d7
(1208): 96 ed 4a d7 93 f5 b7 22 24 a9 10 10 b1 b0 78 ec
(1208): 38 2a 7e c7 5d 48 17 81 64 d5 5d 6e 37 c9 1c 61
(1208): VID(1208): Next payload: VID, reserved: 0x0, length: 23
(1208):
(1208): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(1208): 53 4f 4e
(1208): VID(1208): Next payload: NOTIFY, reserved: 0x0, length: 59
(1208):
(1208): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(1208): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(1208): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(1208): 73 2c 20 49 6e 63 2e
(1208): NOTIFY(NAT_DETECTION_SOURCE_IP)(1208): Next payload: NOTIFY, reserved: 0x0, length: 28
(1208): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(1208):
(1208): 40 37 56 e8 6d 3d 82 29 dd b5 ff cc 41 f4 5c bc
(1208): e2 9f 0d 76
(1208): NOTIFY(NAT_DETECTION_DESTINATION_IP)(1208): Next payload: NOTIFY, reserved: 0x0, length: 28
(1208): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(1208):
(1208): 03 78 cc a8 e8 4a f2 98 08 47 5e 31 d1 57 4c ed
(1208): 79 f7 66 16
(1208): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(1208): Next payload: VID, reserved: 0x0, length: 8
(1208): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(1208): VID(1208): Next payload: NONE, reserved: 0x0, length: 20
(1208):
(1208): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(1208):
IKEv2-PLAT-5: (1208): SENT PKT [IKE_SA_INIT] [<VPN Source IP>]:500->[<VPN Target IP>]:500 InitSPI=0x3476ed28cd832c62 RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-7: (1208): SM Trace-> SA: I_SPI=3476ED28CD832C62 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-4: (1208): Insert SA
IKEv2-PROTO-7: (1208): SM Trace-> SA: I_SPI=3476ED28CD832C62 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PLAT-5: RECV PKT [IKE_SA_INIT] [<VPN Target IP>]:500->[<VPN Source IP>]:500 InitSPI=0x3476ed28cd832c62 RespSPI=0x9563332c1f69e072 MID=00000000
(1208):
IKEv2-PROTO-4: (1208): Received Packet [From <VPN Target IP>:500/To <VPN Source IP>:500/VRF i0:f0]
(1208): Initiator SPI : 3476ED28CD832C62 - Responder SPI : 9563332C1F69E072 Message id: 0
(1208): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (1208): Next payload: NOTIFY, version: 2.0 (1208): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (1208): Message id: 0, length: 36(1208):
Payload contents:
IKEv2-PROTO-7: Parse Notify Payload: NO_PROPOSAL_CHOSEN(1208): NOTIFY(NO_PROPOSAL_CHOSEN)(1208): Next payload: NONE, reserved: 0x0, length: 8
(1208): Security protocol id: Unknown - 0, spi size: 0, type: NO_PROPOSAL_CHOSEN
(1208):
(1208): Decrypted packet:(1208): Data: 36 bytes
IKEv2-PROTO-7: (1208): SM Trace-> SA: I_SPI=3476ED28CD832C62 R_SPI=9563332C1F69E072 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-7: (1208): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (1208): SM Trace-> SA: I_SPI=3476ED28CD832C62 R_SPI=9563332C1F69E072 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (1208): Processing IKE_SA_INIT message
IKEv2-PROTO-2: (1208): Received no proposal chosen notify
IKEv2-PROTO-7: (1208): SM Trace-> SA: I_SPI=3476ED28CD832C62 R_SPI=9563332C1F69E072 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_FAIL
IKEv2-PROTO-4: (1208): Failed SA init exchange
IKEv2-PROTO-2: (1208): Initial exchange failed
IKEv2-PROTO-2: (1208): Initial exchange failed
IKEv2-PROTO-7: (1208): SM Trace-> SA: I_SPI=3476ED28CD832C62 R_SPI=9563332C1F69E072 (I) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: (1208): SM Trace-> SA: I_SPI=3476ED28CD832C62 R_SPI=9563332C1F69E072 (I) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PLAT-7: Negotiating SA request deleted
IKEv2-PLAT-7: Decrement count for outgoing negotiating
IKEv2-PROTO-7: (1208): SM Trace-> SA: I_SPI=3476ED28CD832C62 R_SPI=9563332C1F69E072 (I) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: (1208): Abort exchange
IKEv2-PROTO-4: (1208): Deleting SA
IKEv2-PLAT-4: (1208): PSH cleanup
IKEv2-PLAT-4: Received PFKEY delete SA for SPI 0x5A1109D8 error FALSE
IKEv2-PLAT-4: PFKEY Delete Ack from IPSec
IKEv2-PLAT-5: RECV PKT [INFORMATIONAL] [129.213.77.178]:4500->[<VPN Source IP>]:4500 InitSPI=0x631ee95ac107daf2 RespSPI=0x480d62d03290738f MID=0000005e
IKEv2-PROTO-7: (1202): Request has mess_id 94; expected 94 through 94
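As an added example (not code from the thread or from Cisco), the Python script below parses the IKE_SA_INIT proposal transforms out of "debug crypto ikev2 protocol" output in the format shown above and checks them against the vendor's stated Phase 1 parameters from the earlier reply (AES256 / SHA512 / DH group 21). It assumes the transform-type numbering of RFC 7296 (1 = encryption, 2 = PRF, 3 = integrity, 4 = DH group) and embeds a constructed sample copied in the shape of the debug lines above. Two things it makes explicit: the FTD sent two IKE proposals (the SHA256/Group 19 one almost certainly comes from another ikev2 policy on the device, since the trimmed show run shows only policy 3), and the KE payload carries only the first proposal's DH group, which is why the debug says "DH Group 19"; a responder that preferred Group 21 would answer INVALID_KE_PAYLOAD rather than NO_PROPOSAL_CHOSEN. Because proposal 2 already matches the stated vendor policy, NO_PROPOSAL_CHOSEN here points at something this output cannot show (the AES key length attribute is not printed) or at the peer's real policy differing from what was stated.

```python
"""Pull the IKE_SA_INIT proposals out of FTD 'debug crypto ikev2 protocol' output
and check them against a peer's stated IKEv2 (Phase 1) policy.

Added example; assumptions: RFC 7296 transform-type numbers and the debug line
format seen in the thread. The sample below is constructed in that format."""
import re
from dataclasses import dataclass, field

# Constructed sample: the SA payload of an IKE_SA_INIT request (two proposals)
# followed by the KE payload header, as the FTD debug prints them.
SAMPLE_DEBUG = """\
(1208): SA(1208): Next payload: KE, reserved: 0x0, length: 92
(1208): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(1208): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1208): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(1208): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(1208): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(1208): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4(1208): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1208): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
(1208): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
(1208): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
(1208): KE(1208): Next payload: N, reserved: 0x0, length: 72
(1208): DH group: 19, Reserved: 0x0
"""

# IKEv2 transform types (RFC 7296, section 3.3.2).
TRANSFORM_TYPES = {1: "encr", 2: "prf", 3: "integ", 4: "dh"}

# The peer's stated Phase 1 parameters from the thread (AES256 / SHA512 / DH 21).
VENDOR_PHASE1 = {"encr": "AES-CBC", "prf": "SHA512", "integ": "SHA512", "dh": 21}

PROPOSAL_RE = re.compile(r"Proposal: (\d+), Protocol id: (\w+)")
TRANSFORM_RE = re.compile(r"type: (\d+), reserved: 0x0, id: (.+)$")
KE_RE = re.compile(r"\bDH group: (\d+),")


@dataclass
class Proposal:
    number: int
    protocol: str
    # e.g. {"encr": {"AES-CBC"}, "prf": {"SHA512"}, "integ": {"SHA512"}, "dh": {21}}
    transforms: dict = field(default_factory=dict)


def parse_ike_sa_init(text):
    """Return ([Proposal, ...], ke_group) from the debug text.

    The encryption transform's key length attribute is not printed by this
    debug (only its 12-byte length hints that one is present), so AES-128 and
    AES-256 are indistinguishable here and both appear as 'AES-CBC'.
    """
    proposals, ke_group = [], None
    for line in text.splitlines():
        if m := PROPOSAL_RE.search(line):
            proposals.append(Proposal(int(m.group(1)), m.group(2)))
        elif (m := TRANSFORM_RE.search(line)) and proposals:
            kind = TRANSFORM_TYPES[int(m.group(1))]
            ident = m.group(2).strip()
            if kind == "dh":  # "DH_GROUP_521_ECP/Group 21" -> 21
                ident = int(ident.rsplit("Group ", 1)[-1])
            proposals[-1].transforms.setdefault(kind, set()).add(ident)
        elif m := KE_RE.search(line):
            ke_group = int(m.group(1))
    return proposals, ke_group


def matching_proposals(proposals, peer_policy):
    """Numbers of the proposals that contain every transform the peer requires."""
    return [p.number for p in proposals
            if all(peer_policy[k] in p.transforms.get(k, set()) for k in peer_policy)]


def diagnose(text, peer_policy):
    """Summarise what the debug output does and does not tell you."""
    proposals, ke_group = parse_ike_sa_init(text)
    matched = matching_proposals(proposals, peer_policy)
    first_dh = next(iter(proposals[0].transforms["dh"])) if proposals else None
    return {
        "proposals": len(proposals),
        # The KE payload carries the first proposal's group only; a peer that
        # prefers another group answers INVALID_KE_PAYLOAD, not NO_PROPOSAL_CHOSEN.
        "ke_group_is_first_proposal": ke_group == first_dh,
        "matched": matched,
        # True only if the stated peer policy alone accounts for the failure.
        "stated_policy_explains_no_proposal_chosen": not matched,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_DEBUG, VENDOR_PHASE1))
```

To use it on real output, paste the SA and KE payload lines of the IKE_SA_INIT request from the debug into SAMPLE_DEBUG (or read them from a file) and put the peer's stated algorithms into the policy dictionary; an empty "matched" list means the peer's stated policy by itself would produce NO_PROPOSAL_CHOSEN, while a non-empty one means the cause is outside what this debug prints.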

type: 1, reserved: 0x0, id: AES-CBC
(1208): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(1208): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(1208): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(1208): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4(1208): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1208): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
(1208): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
(1208): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21

This proposal send or receive.

I see AES is not compatible; maybe try to match AES on both sides.

MHM

Thanks for having a look through that text, is that the AES setting on the ESP encryption for the IPsec proposal you think isn't correct? 

Also does "type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19" mean it's using DH group 19 or something else?

Can I know whether the remote peer is an FTD?

What version of FTD are you running?

MHM

I'm on 7.2.9, I don't know what the vendor is on yet.  They've offered to have a call to try and sort this out so I'm hoping to get more information next week.

Valkyrie3
Level 1

The vendor has replied saying they changed the local and remote CIDRs on their side, which brought the phase one tunnel up but there was an authentication error.  I changed to a new shared secret and provided it to the vendor so the VPN is now finally showing as green; although I've not been able to get traffic running over it yet, it's a lot further forward than last week. Aside from updating the shared secret there's been no change to the configuration on my side so the issues were at the other end.

Thanks again for the help in diagnosing the problem which has been useful to learn.


Fantastic news! Thank you for taking the time to come back and provide an update which may be useful for others facing a similar problem. If you get the chance, please mark the thread as resolved. 

Thank you for rating helpful posts!