06-22-2018 09:30 AM - last edited on 03-25-2019 06:15 PM by ciscomoderator
Hi All,
I am trying to get a tunnel up between an ASA and a Juniper SRX345. I am trying to configure the VPN tunnel for multiple object groups and the tunnel repeatedly errors out:
Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: xxx.xxx.xxx.xxx Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: xxx.xxx.xxx.xxx Protocol: 0 Port Range: 0-65535
I have confirmed that the addresses are correct multiple times. The Juniper SRX345 peer keeps throwing an error:
IKE negotiation failed with error: Peer proposed unsupported multiple traffic-selector attributes for a single IPSec SA. Negotiation failed.
This error started after I added a new range to one of my object groups. The tunnel came up briefly (unable to connect to the newly added range) and then went down a couple of hours later and refuses to come back up. Has anyone seen this behavior before?
10-27-2018 12:00 AM
Traffic selectors are related to the phase 2 VPN configuration.
I'm getting such errors when I'm trying to modify the default lifetime from 3600 seconds to a larger period, 28800 for example, which is the default for the ASA.
Each time the hard lifetime expires and it has to rekey, I receive these...
Peer proposed unsupported multiple traffic-selector attributes for a single IPSec SA. Negotiation failed. (15 times)
And errors like these:
Oct 27 01:13:49 SRX1500-1 kmd[7843]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: vpn-name, Peer Proposed traffic-selector local-ip: ipv4(....),ipv4(...0-...63), Peer Proposed traffic-selector remote-ip: ipv4(....0),ipv4(....0-.....255)
Oct 27 01:13:49 SRX1500-1 kmd[7843]: IPSec negotiation failed with error: Peer proposed unsupported multiple traffic-selector attributes for a single IPSec SA. Negotiation failed.. IKE Version: 2, VPN: vpn-name Gateway: gateway-name, Local: local-peer/500, Remote: remote-peer/500, Local IKE-ID: local-ike-id, Remote IKE-ID: remote-ike-id, VR-ID: 0
If anyone can explain this or has the possibility to test this... or if anyone has an ASA, we could test it together.
Thanks!
The interesting thing is that I'm not receiving these errors from the other SRXs I peer with, no matter what lifetime value I set.
Hello,
I know this is an old thread, but I hope this will help others to solve it if it appears.
By default, when the Cisco is the initiator, it will include the proxy IDs as well as the IP originating the connection (for example 192.160.0.0/24, 192.160.0.100) and share them with the peer (which is the Juniper in this case). However, the Juniper does not understand this format and will reject it with the given error. I don't see a Cisco configuration option that might stop it sending this originator IP address to the Juniper. But as a workaround you may want to configure the tunnel one-way: set the Juniper as always the initiator and the Cisco as always the responder. This should solve your problem. Perhaps you may also want to ensure there's always a device trying to access some IP on the ASA end.
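The reply above describes the ASA proposing two traffic selectors in one Child SA negotiation (the configured proxy-ID network plus the single host that triggered the tunnel) and the SRX refusing any proposal with more than one selector per side. The following is an added example, not code from this thread, from Cisco or from Juniper: it encodes and decodes IKEv2 Traffic Selector payloads in the RFC 7296 section 3.13 wire format, then runs a small model of a responder that accepts only one selector per side, so you can see exactly which byte pattern trips the SRX error and why the "Juniper initiates" workaround avoids it. The 192.160.0.0/24 and 192.160.0.100 pair is the one quoted in the reply; the 10.10.0.0/24 remote network and the responder model are assumptions made for the example.

```python
"""IKEv2 Traffic Selector (TSi/TSr) payload encoder/decoder, RFC 7296 section 3.13.

Added example for this thread; not Cisco ASA or Juniper SRX code. The responder
model below reproduces the behaviour the thread's SRX log describes (one selector
per side per IPsec SA); it is an illustration, not Junos logic.
"""
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7  # TS Type for an IPv4 address range (RFC 7296)


def encode_selector(spec, protocol=0, port_range=(0, 65535)):
    """Encode one TS_IPV4_ADDR_RANGE selector.

    spec is an IPv4 host, a CIDR network, or a (start, end) tuple. Protocol 0 and
    ports 0-65535 mean "any", matching "Protocol: 0 Port Range: 0-65535" in the
    ASA message quoted in the thread.
    """
    if isinstance(spec, tuple):
        start, end = (ipaddress.IPv4Address(a) for a in spec)
    else:
        net = ipaddress.IPv4Network(spec, strict=False)
        start, end = net[0], net[-1]  # a /32 host yields start == end
    if end < start:
        raise ValueError("end address precedes start address")
    # TS Type(1) | IP Protocol ID(1) | Selector Length(2) | Start Port(2) |
    # End Port(2) | Starting Address(4) | Ending Address(4)  = 16 bytes
    return struct.pack("!BBHHH4s4s", TS_IPV4_ADDR_RANGE, protocol, 16,
                       port_range[0], port_range[1], start.packed, end.packed)


def encode_ts_payload(selectors, next_payload=0):
    """Wrap encoded selectors in a TS payload: generic header, count, 3 reserved bytes."""
    if not 1 <= len(selectors) <= 255:
        raise ValueError("a TS payload carries 1..255 selectors")
    body = b"".join(selectors)
    payload_len = 4 + 4 + len(body)
    return (struct.pack("!BBH", next_payload, 0, payload_len)
            + struct.pack("!B3x", len(selectors)) + body)


def parse_ts_payload(data):
    """Decode a TS payload into a list of selector dicts; raise ValueError if malformed."""
    if len(data) < 8:
        raise ValueError("truncated TS payload header")
    _next, _flags, payload_len = struct.unpack_from("!BBH", data, 0)
    if payload_len > len(data):
        raise ValueError("payload length exceeds buffer")
    (count,) = struct.unpack_from("!B3x", data, 4)
    selectors, off = [], 8
    for _ in range(count):
        if off + 4 > payload_len:
            raise ValueError("truncated selector header")
        ts_type, protocol, sel_len = struct.unpack_from("!BBH", data, off)
        if ts_type != TS_IPV4_ADDR_RANGE or sel_len != 16:
            raise ValueError(f"unsupported selector type {ts_type} / length {sel_len}")
        if off + sel_len > payload_len:
            raise ValueError("selector runs past payload end")
        sport, eport, saddr, eaddr = struct.unpack_from("!HH4s4s", data, off + 4)
        selectors.append({"protocol": protocol, "ports": (sport, eport),
                          "start": ipaddress.IPv4Address(saddr),
                          "end": ipaddress.IPv4Address(eaddr)})
        off += sel_len
    if off != payload_len:
        raise ValueError("selector count disagrees with payload length")
    return selectors


def describe(sel):
    """Render a selector the way the ASA syslog in the thread does."""
    return (f"Address Range: {sel['start']}-{sel['end']} Protocol: {sel['protocol']} "
            f"Port Range: {sel['ports'][0]}-{sel['ports'][1]}")


def single_selector_responder(tsi_bytes, tsr_bytes):
    """Model (assumption, not Junos code) of a responder that accepts one selector per side.

    Returns (accepted, reason). A proposal with more than one TSi or TSr entry is
    rejected, which is the condition behind the SRX error quoted in the thread.
    """
    tsi, tsr = parse_ts_payload(tsi_bytes), parse_ts_payload(tsr_bytes)
    if len(tsi) > 1 or len(tsr) > 1:
        return False, (f"rejected: {len(tsi)} local / {len(tsr)} remote selectors proposed; "
                       "only one per side is accepted for a single IPsec SA")
    return True, f"accepted: local {describe(tsi[0])}; remote {describe(tsr[0])}"


# Constructed sample: the ASA as initiator sends the proxy-ID network plus the
# originating host (the pair quoted in the reply); 10.10.0.0/24 is an assumed remote.
ASA_TSI = encode_ts_payload([encode_selector("192.160.0.0/24"), encode_selector("192.160.0.100")])
ASA_TSR = encode_ts_payload([encode_selector("10.10.0.0/24")])
# With the SRX initiating, each side carries exactly one selector (the workaround).
SRX_TSI = encode_ts_payload([encode_selector("10.10.0.0/24")])
SRX_TSR = encode_ts_payload([encode_selector("192.160.0.0/24")])

if __name__ == "__main__":
    for name, (i, r) in {"ASA initiates": (ASA_TSI, ASA_TSR),
                         "SRX initiates": (SRX_TSI, SRX_TSR)}.items():
        for s in parse_ts_payload(i):
            print(f"{name}: TSi {describe(s)}")
        print(name, *single_selector_responder(i, r))
```

Run it and the "ASA initiates" case decodes two TSi entries (192.160.0.0-192.160.0.255 and 192.160.0.100-192.160.0.100) and is rejected by the one-selector-per-side model, while the "SRX initiates" case carries a single entry per side and is accepted. RFC 7296 lets a responder narrow a multi-entry proposal to a subset, so whether a given peer tolerates such a proposal is an implementation choice; the parser also refuses truncated or length-inconsistent payloads rather than reading past the buffer, which is the check you want in anything that handles attacker-supplied IKE data.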