Rick Mitchell Solutions - RMSBlog


Sunday, March 28, 2010

Cisco ASA site-to-site tunnel error message

One of the things that I think Cisco does a very poor job with is explaining error messages on the ASA platform when you are trying to connect a site-to-site tunnel. I am not sure why it has to be so difficult to explain simple misconfigurations. For example, here is an error message from a recent site-to-site tunnel I was building between a Cisco ASA 5520 and a Juniper firewall on the other end:

Received non-routine Notify message: No proposal chosen (14)

Obviously there is something wrong with the IPsec proposal, but what? Would it be too difficult to say exactly what did not match?

It turned out that this message indicated a problem with perfect forward secrecy (PFS) being enabled on one side of the tunnel but not the other. This took some googling and scratching my head in order to figure something out that should have been quite simple. I did not have access to the other device to double check settings, so I had to guess as to the problem. Not exactly what I would call the "self-healing" network.
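The following is an added illustration, not code from the post or from Cisco: a simplified model of how an IKEv1 responder compares the peer's IPsec proposals against its own, producing the "which attribute did not match" explanation the ASA log does not give. It assumes a proposal consists of just cipher, integrity and PFS DH group (real quick mode also carries lifetimes, protocol and mode), and the ASA/Juniper values are constructed to reproduce the PFS-on-one-side case described above; the same check also reports cipher or hash mismatches.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

NO_PROPOSAL_CHOSEN = 14  # ISAKMP notify type quoted in the ASA log line above


@dataclass(frozen=True)
class IpsecProposal:
    """One IPsec (IKEv1 phase 2) transform set: cipher, integrity, PFS DH group."""
    encryption: str
    integrity: str
    pfs_group: Optional[int]  # None means PFS is disabled on that side


def mismatches(offered: IpsecProposal, local: IpsecProposal) -> list[str]:
    """List the attributes on which one offered proposal differs from one local one."""
    reasons = []
    if offered.encryption != local.encryption:
        reasons.append(f"encryption {offered.encryption} != {local.encryption}")
    if offered.integrity != local.integrity:
        reasons.append(f"integrity {offered.integrity} != {local.integrity}")
    if offered.pfs_group != local.pfs_group:
        reasons.append(f"pfs group {offered.pfs_group} != {local.pfs_group}")
    return reasons


def choose_proposal(offered: list[IpsecProposal], local: list[IpsecProposal]):
    """Responder logic: (accepted, None) for the first exact match, otherwise
    (None, reasons) for the closest candidate, i.e. what a helpful
    'No proposal chosen' message would have told the administrator."""
    best: Optional[list[str]] = None
    for o in offered:
        for cfg in local:
            reasons = mismatches(o, cfg)
            if not reasons:
                return o, None
            if best is None or len(reasons) < len(best):
                best = reasons
    return None, best or ["no proposals configured"]


def notify_for(offered: list[IpsecProposal], local: list[IpsecProposal]) -> str:
    """Render the peer's reply, mirroring the ASA wording from the post."""
    accepted, reasons = choose_proposal(offered, local)
    if accepted is not None:
        return "proposal accepted"
    return f"No proposal chosen ({NO_PROPOSAL_CHOSEN}): " + "; ".join(reasons)


# Constructed scenario (hypothetical values): the ASA crypto map requires PFS
# group 2, the Juniper peer offers the same cipher/hash but no PFS at all.
ASA_LOCAL = [IpsecProposal("aes-256", "sha1", 2)]
JUNIPER_OFFER = [IpsecProposal("aes-256", "sha1", None)]

if __name__ == "__main__":
    print(notify_for(JUNIPER_OFFER, ASA_LOCAL))
```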
