Create a Post
Showing results for 
Search instead for 
Did you mean: 

Phase 2 Site-to-site VPN error

I have a Site-to-site VPN configured between checkpoint and cisco ASA.
When I check through SmartView Monitor, I see that my tunnel is up.

But when I start communication, the first phase goes well, but on the second phase I receive a message

Child SA exchange: Received notification from peer: No proposal chosen MyMethods Phase2: AES-256 + HMAC-SHA2-256, No IPComp, No ESN, Group 14

Please tell me what this means.
Because on my part exactly the same parameters are set.



Thank you!

0 Kudos
2 Replies

The Log message and the screenshot you posted here both shows us the configuration on Check Point side.

You have to compare it with the configuration on Cisco side.

Either ask the Cisco admin on the other side what is configured there or better check it yourself by checking the debug logs.

If you can force the Cisco side to initiate the connection, the debug logs on Check Point side will show you what the ASA is trying to do:

  1. Start debug on Expert Shell: # vpn debug trunc
  2. Let's the Cisco side initiate the tunnel (verify in Check Point Log that they really did try it).
  3. Stop debug on Expert Shell: # vpn debug off; vpn debug ikeoff
  4. Look at $FWDIR/log/ikev2.xmll with IKEView



Like @Tobias_Moritz has already mentioned. This points to the proposal on phase 2 to not be equal on the Check Point side as on the CISCO side.

We know from the logs that Check Point is proposing:
AES-256 + HMAC-SHA2-256, PFS Group 14.

We don't know what the CISCO firewall on the other end has configured for phase 2. There seems to be a mismatch here.

By doing the debug that @Tobias_Moritz suggested you will most likely see whatever the CISCO is trying to use for its phase 2 negotiating and you will most likely see that something is off and you will have to correct it so both sides are on terms when it comes to whatever settings are being used for phase 2.

If you are communicating with whoever is controlling the CISCO firewall you could always ask them for details on what they have configured for phase 2 / IP-sec encryption. Might it be that they are not using PFS? Might they be using different algorithms?

0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events