VPN Configuration Between ASA and Juniper SRX345

tde23
Level 1

Hi All,

 

I am trying to get a tunnel up between an ASA and a Juniper SRX345. I am trying to configure the VPN tunnel for multiple object groups and the tunnel repeatedly errors out: 

 

Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: xxx.xxx.xxx.xxx Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: xxx.xxx.xxx.xxx Protocol: 0 Port Range: 0-65535

 

I have confirmed that the addresses are correct multiple times. The Juniper SRX345 peer keeps throwing an error: 

 

IKE negotiation failed with error: Peer proposed unsupported multiple traffic-selector attributes for a single IPSec SA. Negotiation failed.

 

This error started after I added a new range to one of my object groups. The tunnel came up briefly (unable to connect to the newly added range) and then went down a couple of hours later and refuses to come back up. Has anyone seen this behavior before? 

5 Replies

aurelnegrescu
Level 1

Traffic selectors are related to the phase 2 VPN configuration.

 

I'm getting such errors when I'm trying to modify the default lifetime from 3600 seconds to a larger period, 28800 for example, which is the default for ASA.

Each time the hard lifetime expires and it has to rekey, I receive these...

Peer proposed unsupported multiple traffic-selector attributes for a single IPSec SA. Negotiation failed. (15 times)

And errors like these:

Oct 27 01:13:49 SRX1500-1 kmd[7843]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: vpn-name, Peer Proposed traffic-selector local-ip: ipv4(....),ipv4(...0-...63), Peer Proposed traffic-selector remote-ip: ipv4(....0),ipv4(....0-.....255)
Oct 27 01:13:49 SRX1500-1 kmd[7843]: IPSec negotiation failed with error: Peer proposed unsupported multiple traffic-selector attributes for a single IPSec SA. Negotiation failed.. IKE Version: 2, VPN: vpn-name Gateway: gateway-name, Local: local-peer/500, Remote: remote-peer/500, Local IKE-ID: local-ike-id, Remote IKE-ID: remote-ike-id, VR-ID: 0

 

If anyone can explain this or has the possibility to test this... or if anyone has an ASA, we could test it together.

 

Thanks!

 

The interesting thing is that I'm not receiving these errors from other SRXs I peer with, no matter what lifetime value I set.

 

On the juniper configuration are you grouping multiple networks and using the group in the policy? When establishing a VPN to a Cisco (and probably other manufacturers) you would need to create a separate policy per network rather than grouping.

Hello, I know this is an old post. I'm having the same problem. My ACL matches the traffic-selector. Do you know what the mismatching attributes reported in the message are?
Peer proposed unsupported multiple traffic-selector attributes for a single IPSec SA. Negotiation failed.
Regards,

Looks like my problem is related to bug CSCue42170.

Hello,

 

I know this is old thread. But I hope this will help others to solve it if appears.

 

By default, when Cisco is the initiator, it'll include proxy IDs as well as the IP originating the connection (for example 192.160.0.0/24, 192.160.0.100) and share them with the peer (which is Juniper in this case). However, Juniper does not understand this format and will reject it with the given error. I don't see a Cisco configuration which might stop sending this originator IP address to Juniper. But as a workaround you may want to configure the tunnel one-way: set Juniper as initiator always and Cisco as responder always. This should solve your problem. Perhaps you may want to ensure there's always a device trying to access some IP on the ASA end.
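A small model of the selector exchange that reply describes, added here as an illustration; it is not code from the thread, from Cisco or from Juniper. It assumes the behaviour stated above (ASA as initiator sends the triggering host as a /32 plus the crypto-ACL network; the SRX accepts one selector per SA) and models only the ASA-side selector, so the same functions cover both who-initiates cases.

```python
from dataclasses import dataclass
from ipaddress import ip_network

MULTI_TS_ERROR = ("Peer proposed unsupported multiple traffic-selector "
                  "attributes for a single IPSec SA")


@dataclass(frozen=True)
class TrafficSelector:
    """One IKEv2 TS_IPV4_ADDR_RANGE entry: address range, protocol, port range
    (protocol 0 and ports 0-65535 mean "any", as in the ASA log line above)."""
    start: int
    end: int
    proto: int = 0
    ports: tuple = (0, 65535)


def ts(cidr):
    """Build a selector covering a whole CIDR block (addresses kept as ints)."""
    net = ip_network(cidr)
    return TrafficSelector(int(net[0]), int(net[-1]))


def narrow(a, b):
    """RFC 7296 section 2.9 narrowing: intersection of two selectors, or None."""
    start, end = max(a.start, b.start), min(a.end, b.end)
    return TrafficSelector(start, end) if start <= end else None


def asa_initiator_selectors(acl_network, triggering_host):
    """Assumed ASA behaviour from the reply: when it initiates, it lists the
    host that triggered the tunnel as a /32 and then the crypto-ACL network."""
    return [ts(triggering_host + "/32"), ts(acl_network)]


def srx_responder(proposed, policy):
    """Assumed SRX behaviour from the log lines: exactly one selector per SA;
    a multi-entry proposal is refused before any address matching happens."""
    if len(proposed) != 1:
        return None, MULTI_TS_ERROR
    chosen = narrow(proposed[0], policy)
    return (chosen, None) if chosen else (None, "KMD_VPN_TS_MISMATCH")


def asa_responder(proposed, acl_network):
    """Reversed direction (the workaround): the SRX initiates with a single
    selector and the ASA, as responder, narrows it to its crypto ACL."""
    for candidate in proposed:
        chosen = narrow(candidate, ts(acl_network))
        if chosen:
            return chosen, None
    return None, "no acceptable traffic selector"
```

Running the ASA-initiated proposal through `srx_responder` reproduces the rejection, while the same network offered as one selector to `asa_responder` is accepted, which is what making the SRX the permanent initiator achieves.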

 

 
