Applies to: Seclore Cloud VPN
Are you facing issues with your AWS tunnel? Here are some common errors you might encounter and simple solutions to get things back on track.
List of errors:
AWS tunnel received DELETE for Phase 2 SA with SPI: xxxx
AWS tunnel received DELETE for IKE_SA from CGW
AWS tunnel detected a (CHILD_REKEY) collision as CHILD_DELETE
AWS tunnel (CHILD_SA) redundant SA is being deleted due to detected collision
No Proposal Match Found by AWS
No Proposal Match Found. Notifying with "No proposal chosen"
AWS tunnel Phase 2 was unable to establish while keeping Phase 1
AWS: Traffic Selector: TS_UNACCEPTABLE: received from responder
AWS tunnel is sending AUTHENTICATION_FAILED as the response
AWS tunnel Timeout: deleting un-established Phase 1 IKE_SA with cgw: xxxx
No Proposal Match Found. Notifying with "No proposal chosen"
No Proposal Match Found by AWS
Solution:
- Ensure the Phase 1 and Phase 2 lifetimes are identical.
- Check if there is no traffic inside the tunnel and if the key's lifetime has expired.
Verify if any configuration changes have been made related to the VPN tunnel.
Ensure the Phase 1 and Phase 2 parameters or attributes are similar at both ends of the gateway.
If you've modified the traffic selector/domain encryption or changed IPsec parameters, your Customer Gateway device might send a CHILD_SA deletion request to AWS, which can tear down the VPN tunnels. In this case, review the configurations and consider reaching out to your device’s TAC team if needed.
Another possible issue could be an incorrect proposal. For policy-based routing, AWS supports a single SA for inbound and outbound traffic. To resolve this, ensure the traffic selector/encryption domain is configured with identical and correct CIDRs.
Check the stability of your ISP link. A stable connection is crucial for a functioning AWS tunnel.
Other similar issues.
Peer is not responsive - Declaring peer dead (DPD issue)
Trouble Logging into PS Despite Working VPN
AWS tunnel detected a pre-shared key mismatch with cgw: xxxx
Need more help?
Contact Seclore Support