Ipsec Sa Negotiation Failed Due To Invalid Identity Information - HP MSR2000 Configuration Manual
Hide thumbs
Also See for MSR2000:
- Configuration manual (455 pages) ,
- Manual (73 pages) ,
- High availability configuration manual (91 pages)
Table of Contents
Advertisement
Construct notification packet: NO_PROPOSAL_CHOSEN.
Analysis
Certain IPsec policy settings are incorrect.
Solution
1.
Examine the IPsec configuration to see whether the two ends have matching IPsec transform sets.
2.
Modify the IPsec configuration to make sure the two ends have matching IPsec transform sets.
IPsec SA negotiation failed due to invalid identity information
Symptom
1.
The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD
state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated
yet.
2.
The following IKE debugging message appeared:
Notification INVALID_ID_INFORMATION is received.
Or:
Failed to get IPsec policy when renegotiating IPsec SA. Delete IPsec SA.
Construct notification packet: INVALID_ID_INFORMATION.
Analysis
Certain IPsec policy settings of the responder are incorrect. Check the settings as follows:
1.
Use the display ike sa verbose command to check whether matching IKE profiles were found in IKE
negotiation phase 1. If no matching IKE profiles were found and the IPsec policy is referencing an
IKE profile, the IPsec SA negotiation fails.
# Check whether matching IKE profiles were found in IKE negotiation phase 1.
[Sysname] display ike sa verbose
-----------------------------------------------
Connection ID: 3
Outside VPN:
Inside VPN:
Profile:
Transmitting entity: Responder
-----------------------------------------------
Local IP: 192.168.222.5
Local ID type: IPV4_ADDR
Local ID: 192.168.222.5
Remote IP: 192.168.222.71
Remote ID type: IPV4_ADDR
Remote ID: 192.168.222.71
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: MD5
Encryption-algorithm: 3DES-CBC
207
Advertisement
Table of Contents
Troubleshooting
