Resolving incidents - Common errors

In the rest of this section, the firewall that protects the clients which initiate the setup of tunnels is referred to as the initiator. The remote firewall is referred to as the responder.

 

Symptom: The tunnel cannot be set up.

  • A message "Remote seems to be dead" appears in phase 1 in the Logs > VPN module in SN Real-Time Monitor for the initiator.
  • No message appears in the Logs > VPN module in SN Real-Time Monitor for the responder.

Solution: check that:

  • the physical interfaces on which the corresponding WAN link relies are available,
  • the virtual IPSec interfaces that define the tunnel have been enabled,
  • the filter rule matching the traffic that needs to go through this tunnel has been correctly defined, and the router used in this rule relies on the right virtual interfaces.

 

Symptom: The tunnel cannot be set up.

  • A message "IKE SA establishment failed: received AUTHENTICATION_FAILED notify error" appears in phase 1 in the Logs > VPN module in SN Real-Time Monitor for the initiator.
  • A message "Tried 1 shared key but MAC mismatched" appears in phase 1 in the Logs > VPN module in SN Real-Time Monitor for the responder.

Solution: the pre-shared key (peer settings) is different on the initiator and responder firewalls. Set the same key on both.

 

Symptom: The tunnel cannot be set up.

  • A message "Invalid major version X" appears in the Logs > VPN module in SN Real-Time Monitor for the initiator.
  • A message "Invalid major version Y" appears in the Logs > VPN module in SN Real-Time Monitor for the responder.

Solution: the version of the IKE protocol (peer settings) is different on the initiator and responder firewalls. Select the same version on both.
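
Each symptom above is defined by what the initiator and the responder log together, so a triage helper has to read both sides. The following is an added example, not Stormshield code: it matches exported VPN log lines against the three pairs on this page. The line layout, the function name diagnose and the cause labels are assumptions; only the quoted message texts come from the page.

```python
import re

# Message texts are the ones quoted on this page. The field layout of the
# sample lines is constructed; real SN Real-Time Monitor rows may differ.
DEAD_PEER = re.compile(r"Remote seems to be dead")
AUTH_FAILED = re.compile(r"received AUTHENTICATION_FAILED notify error")
# Assumption: the key count in the responder message can be other than 1.
MAC_MISMATCH = re.compile(r"Tried \d+ shared keys? but MAC mismatched")
BAD_VERSION = re.compile(r"Invalid major version \w+")

CHECKS = {
    "no_path_to_responder": [
        "physical interfaces behind the WAN link are available",
        "virtual IPSec interfaces that define the tunnel are enabled",
        "filter rule matches the traffic and its router uses the right virtual interfaces",
    ],
    "psk_mismatch": ["same pre-shared key in the peer settings on both firewalls"],
    "ike_version_mismatch": ["same IKE version in the peer settings on both firewalls"],
}


def diagnose(initiator_lines, responder_lines):
    """Return (cause, checks) for the symptom pairs on this page.

    Both lists must already be limited to the VPN log lines of the tunnel
    being debugged. Anything that fits no documented pair is ("unknown", []).
    """
    ini = "\n".join(initiator_lines)
    rsp = "\n".join(line for line in responder_lines if line.strip())
    if BAD_VERSION.search(ini) and BAD_VERSION.search(rsp):
        cause = "ike_version_mismatch"
    elif AUTH_FAILED.search(ini) and MAC_MISMATCH.search(rsp):
        cause = "psk_mismatch"
    # The first symptom requires a silent responder, not only the initiator message.
    elif DEAD_PEER.search(ini) and not rsp:
        cause = "no_path_to_responder"
    else:
        return "unknown", []
    return cause, CHECKS[cause]


# Constructed sample lines (not captured from a real firewall).
INITIATOR_LOG = ['10:02:11 phase=1 msg="IKE SA establishment failed: '
                 'received AUTHENTICATION_FAILED notify error"']
RESPONDER_LOG = ['10:02:11 phase=1 msg="Tried 1 shared key but MAC mismatched"']

if __name__ == "__main__":
    cause, checks = diagnose(INITIATOR_LOG, RESPONDER_LOG)
    print(cause, *checks, sep="\n - ")
```

A result of "unknown" means the two logs do not fit any pair documented here, for example "Remote seems to be dead" on the initiator while the responder is also logging phase 1 messages.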