bsbesit
Explorer

IKE failure: Child SA exchange Issue

I have an L-71 unit that we are trying to connect to our other office. We managed to get a connection after many hours of testing, but we keep getting this error on both ends despite a good connection. So much as a single ping causes this error to fire. What is this and how do we fix it?

Description
IKE failure: Child SA exchange: Received notification from peer: Traffic selectors unacceptable

IKE Phase2 Message ID: 00000001
Reject Category: IKE failure
Encryption Scheme: IKEv2
VPN Feature: IKE

0 Kudos
3 Replies
_Val_
Admin

Versions used on both ends, details about your VPN config? What do you call "a good connection" in this context? 

0 Kudos
CaseyB
Collaborator

Traffic selectors are generally when one side proposes a host/subnet that is not defined on the other side. The log file should tell you which traffic selector is providing the error; otherwise you'll have to do a debug to get that information.

If you send 10.20.30.0/24, that's how it needs to be defined on both sides. You would get an error if one side was 10.20.30.0/23 for example.

0 Kudos
PhoneBoy
Admin

L-71 is a 1400 Series for those playing along at home.

This message means the remote site doesn’t accept the encryption domain (traffic selectors) proposed by the current gateway.
This can indicate a configuration problem, such as:

  1. Missing subnets on either of the peers
  2. Unaligned tunnel sharing configurations (tunnel per gateway \ subnet \ address)
  3. Route all traffic configured on a site where the other peer is oblivious.

Verify the following:

  1. Encryption domains are configured correctly on both peers.
  2. Tunnel sharing is aligned on both peers
  3. If route all traffic is configured on the site, confirm that "Allow traffic to the internet from remote site through this Security Gateway" is enabled under the "advanced" tab on the peer WebUI site configuration.
0 Kudos
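
The mismatches named in the replies above (a /24 on one side against a /23 on the other, a missing subnet, unaligned tunnel sharing) can be checked offline by comparing both peers' definitions. This is an added example, not part of the original posts and not Check Point code; the site dictionaries, the 192.168.50.0/24 network, and the simplified exact-match selector model are assumptions.

```python
import ipaddress

def selector_for(host, domain, sharing):
    """Selector a gateway would use for `host` (simplified model, an assumption):
    'host' -> /32, 'subnet' -> the configured subnet containing the host,
    'gateway' -> one universal selector. None if the host is not defined."""
    addr = ipaddress.ip_address(host)
    nets = [ipaddress.ip_network(n) for n in domain]
    match = next((n for n in nets if addr in n), None)
    if match is None:
        return None
    if sharing == "host":
        return ipaddress.ip_network(f"{addr}/32")
    if sharing == "gateway":
        return ipaddress.ip_network("0.0.0.0/0")
    return match

def check_flow(src, dst, initiator, responder):
    """Compare what the initiator would propose with what the responder has defined."""
    problems = []
    pairs = (("source", src, initiator["local"], responder["remote"]),
             ("destination", dst, initiator["remote"], responder["local"]))
    for label, host, mine, theirs in pairs:
        proposed = selector_for(host, mine, initiator["sharing"])
        expected = selector_for(host, theirs, responder["sharing"])
        if proposed is None:
            problems.append(f"{label} {host}: not in the initiator's encryption domain")
        elif proposed != expected:
            shown = expected if expected is not None else "no matching subnet"
            problems.append(f"{label} {host}: initiator proposes {proposed}, "
                            f"responder has {shown}")
    return problems

# Constructed sample configurations (not taken from the thread's gateways).
# SITE_B defines the remote network as /23 while SITE_A defines it as /24.
SITE_A = {"local": ["10.20.30.0/24"], "remote": ["192.168.50.0/24"], "sharing": "subnet"}
SITE_B = {"local": ["192.168.50.0/24"], "remote": ["10.20.30.0/23"], "sharing": "subnet"}

if __name__ == "__main__":
    for line in check_flow("10.20.30.5", "192.168.50.10", SITE_A, SITE_B):
        print("Traffic selectors unacceptable ->", line)
```

Running the check in both directions (swapping initiator and responder) matters, because the original poster saw the error on both ends.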
