Common VPN error messages and their meanings

Article: TECH80433 | Created: 2002-01-02 | Updated: 2006-01-06
Article Type: Technical Solution


Your VPN is configured but negotiation fails. Your logs may show error messages.


A brief explanation of common VPN errors follows.

Note: For the purposes of this document, Client ID, Username, and Phase 1 ID are interchangeable.

3382: Failed to find secure tunnel for entity based on Proxy ID
There is a misconfiguration in the entities in your security association. Verify that each entity and security gateway has the correct address and netmask.

3384: Payload incorrectly formed
When this message is logged, there is a mismatch in the shared secret and possibly in the Client ID pair. If the VPN tunnel is client-to-site, check the Client IDs (user names) and shared secrets (passwords) to ensure that they match. Also check whether there is a gateway Phase 1 ID (also called "distinguished name"). If the VPN tunnel is site-to-site, check the Phase 1 IDs and shared secrets. These are all case sensitive. If the case is not consistent on both gateways, this error is logged.

3386: Proposal not chosen
This is probably a misconfiguration in the global_ike_policy. You typically have only one Global IKE policy, which specifies what you accept in IKE negotiation. Ensure that all of your connections conform to your global_ike_policy. This message can also indicate that one of the security gateways is configured to use aggressive mode and the other is configured for main mode.
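
The three checks above can be run against both gateways' definitions of a tunnel before it is brought up. The following is an added example, not code from the article or the product: the dictionary fields, gateway names and sample values are constructed, and it assumes each side's local entity must equal the peer's remote entity. Secrets are compared in constant time and never printed.

```python
import hmac
import ipaddress

def _same(a: str, b: str) -> bool:
    # Constant-time, case-sensitive comparison; the values are never echoed.
    return hmac.compare_digest(a.encode(), b.encode())

def _case_hint(a: str, b: str) -> str:
    return "differs only in case" if a.casefold() == b.casefold() else "differs"

def check_tunnel(a: dict, b: dict) -> list:
    """Compare two gateways' definitions of one tunnel; return (code, reason) pairs."""
    out = []
    # 3382: each side's local entity must equal the peer's remote entity (assumption).
    for x, y in ((a, b), (b, a)):
        mine = ipaddress.ip_network(x["local_entity"], strict=False)
        theirs = ipaddress.ip_network(y["remote_entity"], strict=False)
        if mine != theirs:
            out.append((3382, f"{x['name']} protects {mine}, {y['name']} expects {theirs}"))
    # 3384: Phase 1 IDs and the shared secret must match exactly, including case.
    for x, y in ((a, b), (b, a)):
        if not _same(x["phase1_id"], y["peer_phase1_id"]):
            hint = _case_hint(x["phase1_id"], y["peer_phase1_id"])
            out.append((3384, f"Phase 1 ID of {x['name']} {hint}"))
    if not _same(a["shared_secret"], b["shared_secret"]):
        out.append((3384, f"shared secret {_case_hint(a['shared_secret'], b['shared_secret'])}"))
    # 3386: same exchange mode, and each side's proposal accepted by the peer's policy.
    if a["mode"] != b["mode"]:
        out.append((3386, f"mode mismatch: {a['mode']} vs {b['mode']}"))
    for x, y in ((a, b), (b, a)):
        if x["proposal"] not in y["accepted"]:
            out.append((3386, f"{y['name']} policy does not accept {x['proposal']}"))
    return out

# Constructed sample definitions (hypothetical fields, not the product's config format).
GW_A = {"name": "gw-a", "local_entity": "10.1.0.0/24", "remote_entity": "10.2.0.0/24",
        "phase1_id": "SiteA", "peer_phase1_id": "SiteB", "shared_secret": "Example-Secret-1",
        "mode": "main", "proposal": ("aes256", "sha256", 14),
        "accepted": [("aes256", "sha256", 14)]}
GW_B = {"name": "gw-b", "local_entity": "10.2.0.0/16", "remote_entity": "10.1.0.0/24",
        "phase1_id": "siteb", "peer_phase1_id": "SiteA", "shared_secret": "example-secret-1",
        "mode": "aggressive", "proposal": ("aes256", "sha256", 14),
        "accepted": [("aes256", "sha256", 14)]}

if __name__ == "__main__":
    for code, reason in check_tunnel(GW_A, GW_B):
        print(code, reason)
```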
