Site-To-Site IPSEC VPN with Preshared Key Fails - No Proposal

I have a total of 11 XG 135's that I have setup a Site-To-Site IPSEC VPN using the 'DefaultHeadOffice' and 'DefaultBranchOffice' profiles. All are functioning as expected except the brand new one I took out of the box this morning (the others have been in place for months).

 

The new device will not connect back to the 'Head Office' XG. During a connection attempt, it posts the following in the VPN log.

__START_______________________

2019-07-23 18:38:04 13[IKE] <RemoteSite_MainSite-1|9> initiating Main Mode IKE_SA RemoteSite_MainSite-1[9] to 123.45.67.89
2019-07-23 18:38:04 13[ENC] <RemoteSite_MainSite-1|9> generating ID_PROT request 0 [ SA V V V V V V ]
2019-07-23 18:38:04 13[NET] <RemoteSite_MainSite-1|9> sending packet: from 192.168.0.3[500] to 123.45.67.89[500] (548 bytes)
2019-07-23 18:38:04 08[NET] <RemoteSite_MainSite-1|9> received packet: from 1123.45.67.89[500] to 192.168.0.3[500] (40 bytes)
2019-07-23 18:38:04 08[ENC] <RemoteSite_MainSite-1|9> parsed INFORMATIONAL_V1 request 3418570794 [ N(NO_PROP) ]
2019-07-23 18:38:04 08[IKE] <RemoteSite_MainSite-1|9> received NO_PROPOSAL_CHOSEN error notify
2019-07-23 18:38:04 08[IKE] <RemoteSite_MainSite-1|9> IKE_SA NO_PROPOSAL_CHOSEN set_condition COND_START_OVER
2019-07-23 18:38:04 08[IKE] <RemoteSite_MainSite-1|9> IKE_SA has_condition COND_START_OVER retry initiate in 60 sec

___END________________________

 

While attempting to troubleshoot it, I decided to use a different Preshared Key. I saw this in the VPN logs when I attempted to update the info.

__START_______________________

2019-07-23 18:37:58 10[CFG] rereading secrets
2019-07-23 18:37:58 10[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2019-07-23 18:37:58 10[CFG] expanding file expression '/_conf/ipsec/connections/*.secrets' failed
2019-07-23 18:37:59 19[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
2019-07-23 18:37:59 25[CFG] rereading secrets
2019-07-23 18:37:59 25[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2019-07-23 18:37:59 25[CFG] expanding file expression '/_conf/ipsec/connections/*.secrets' failed
2019-07-23 18:37:59 31[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
2019-07-23 18:38:01 12[CFG] rereading secrets
2019-07-23 18:38:01 12[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2019-07-23 18:38:01 12[CFG] loading secrets from '/_conf/ipsec/connections/RemoteSite.secrets'
2019-07-23 18:38:01 12[CFG] loaded IKE secret for 192.168.0.3 mainsite.myfirewall.co
2019-07-23 18:38:01 12[CFG] loaded IKE secret for remotesite.myfirewall.co mainsite.myfirewall.co
2019-07-23 18:38:01 32[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
2019-07-23 18:38:01 09[CFG] received stroke: add connection 'RemoteSite_MainSite-1'
 ___END________________________

 

It appears to me the XG is unable to read the contents of the ipsec.secrets file. Does this make sense at all?

 

The XG is a brand new production device shipped with 17.5.3-MR3, updated to 17.5.7-MR7.

  • OK... so this is bizarre. The 'HeadOffice' XG was rebooted yesterday, have not touched it today except to add the IPSEC Tunnel for the new site. The new device has been rebooted numerous times, went through setup twice. Tried down grading back to the original firmware, and saw the same error. 'RE' downloaded the 17.5.7-MR7 firmware, and reapplied it, and saw the same issue. Tried running the device with a static IP instead of DHCP, and had the same issue. I posted on here, and within an hour, it just suddenly connects and starts working. No reboots, no changes to either side of the tunnel... it just decided to connect.

     

    Soooooo, with that said, I guess we can consider this resolved. I am saving the logs if anyone is interested in performing an autopsy on it.

     

    Thanks,

     

    -Ronnie

  • In reply to Ronald Husbands:

    Hi Ronnie, 

    I'm having some issues with a VPN but I haven't found how to get those debugs you got. Could you please help me with the commands to get it?