Common VPN error messages and their meanings
Article: TECH80433 | Created: 2002-01-02 | Updated: 2006-01-06 | Article URL: http://www.symantec.com/docs/TECH80433
Your VPN is configured but negotiation fails. Your logs may show error messages.
A brief explanation of common VPN errors follows.
Note: For the purposes of this document, Client ID, Username, and Phase 1 ID are interchangeable.
3382: Failed to find secure tunnel for entity based on Proxy ID
There is a misconfiguration in the entities in your security association. Verify that each entity and security gateway have the correct address and netmask.
3384: Payload incorrectly formed
This message indicates a mismatch in the shared secret, and possibly in the Client ID paired with it. If the VPN tunnel is client-to-site, check the Client IDs (user names) and shared secrets (passwords) to ensure that they match. Also check whether there is a gateway Phase 1 ID (also called "distinguished name"). If the VPN tunnel is site-to-site, check the Phase 1 IDs and shared secrets. These are all case sensitive. If the case is not consistent on both gateways, this error is logged.
3386: Proposal not chosen
This is probably a misconfiguration in the global_ike_policy. You typically have only one Global IKE policy, which specifies what you accept in IKE negotiation. Ensure that all of your connections conform to your global_ike_policy. This message can also indicate that one of the security gateways is configured to use aggressive mode and the other is configured for main mode.
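The checks described for the three errors above can be run against both ends of a site-to-site tunnel before negotiation is attempted. The following is an added example, not Symantec code: the dictionary layout, field names, and sample values are constructed for illustration and do not correspond to any gateway's configuration format.

```python
import ipaddress

def _cmp(label, a, b):
    """Return a 3384 finding if two case-sensitive values differ, else None."""
    if a == b:
        return None
    kind = "case-only mismatch" if a.lower() == b.lower() else "mismatch"
    return (3384, f"{label}: {kind}")

def predict_errors(gw_a, gw_b):
    """Compare both ends of a site-to-site tunnel; return [(code, reason)]."""
    out = []
    # 3382: each entity needs the same address and netmask on both gateways.
    for mine, theirs in (("local_entity", "remote_entity"),
                         ("remote_entity", "local_entity")):
        a = ipaddress.ip_network(gw_a[mine], strict=False)
        b = ipaddress.ip_network(gw_b[theirs], strict=False)
        if a != b:
            out.append((3382, f"A {mine} {a} != B {theirs} {b}"))
    # 3384: Phase 1 IDs and shared secrets must match exactly, including case.
    checks = [("Phase 1 ID of A", gw_a["phase1_id"], gw_b["peer_phase1_id"]),
              ("Phase 1 ID of B", gw_b["phase1_id"], gw_a["peer_phase1_id"]),
              ("shared secret", gw_a["shared_secret"], gw_b["shared_secret"])]
    out += [f for f in (_cmp(*c) for c in checks) if f]
    # 3386: main vs aggressive mode, or an offer the peer's policy rejects.
    if gw_a["mode"] != gw_b["mode"]:
        out.append((3386, f"mode {gw_a['mode']} vs {gw_b['mode']}"))
    for name, src, dst in (("A", gw_a, gw_b), ("B", gw_b, gw_a)):
        if src["proposal"] not in dst["global_ike_policy"]:
            out.append((3386, f"{name} proposal {src['proposal']} not accepted"))
    return out

# Constructed sample data (hypothetical field names and values).
POLICY = [("3des", "sha1", "group2")]
GW_A = {"local_entity": "10.1.0.0/255.255.255.0", "remote_entity": "10.2.0.0/24",
        "phase1_id": "SiteA", "peer_phase1_id": "SiteB",
        "shared_secret": "Example-Secret-1", "mode": "main",
        "proposal": POLICY[0], "global_ike_policy": POLICY}
GW_B = {"local_entity": "10.2.0.0/16", "remote_entity": "10.1.0.0/24",
        "phase1_id": "siteb", "peer_phase1_id": "SiteA",
        "shared_secret": "Example-Secret-1", "mode": "aggressive",
        "proposal": POLICY[0], "global_ike_policy": POLICY}

if __name__ == "__main__":
    for code, reason in predict_errors(GW_A, GW_B):
        print(code, reason)
```

With the sample data, the netmask difference on one entity, the lowercase Phase 1 ID, and the main/aggressive split each produce one finding, tagged with the error code the article associates with that cause.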