VPN IPSec Fortigate CLI – IPSec Site to Site VPN Fortigate Configuration


We have a site-to-site VPN connection to a branch office. Once in a while the connection drops for some reason, and then we receive an error like this on the FortiGate 310B:

ike Negotiate ISAKMP SA Error: ike 3:20b27f143b809b23/0000000000000000:0: no SA proposal chosen

It is a struggle to re-establish the connection, and I only manage it through trial and error. My question now is: how can I debug this further? I'm aware of the CLI commands

diag debug application ike -1
diag debug enable

This gives me the above-mentioned error, but this error seems to be thrown for a number of reasons, and I can't figure out which one exactly. We have already lost a lot of time on those problems, and I need to learn to debug and troubleshoot those issues to the core, otherwise I'm lost.

Any help greatly appreciated.

Best Answer

"no SA proposal chosen" means that the security association doesn't match on both sides. Maybe the keylife time on one side is 86400 and on the other side is 86400.

You should post IKE phase 1 and phase 2 from each FortiGate.

Sometimes both sides have the same values in the config, but the error is the same, and that's because some IPsec cookie doesn't flush correctly. In my experience, a good way to resolve this is to create the tunnel again.

Hope it helps!
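The answer's advice is to compare the phase 1 and phase 2 settings of both FortiGates. The script below is an added example (not part of the question or the answer) that parses the output of `show vpn ipsec phase1-interface` / `show vpn ipsec phase2-interface` from each peer and reports every negotiated parameter they disagree on; the tunnel names, the two config dumps and the list of parameters checked are constructed assumptions for the example.

```python
import re
# IKE parameters both peers must agree on; with no overlap the responder logs
# "no SA proposal chosen". Set-valued keys match if at least one value is shared.
NEGOTIATED = {"phase1-interface": {"proposal": set, "dhgrp": set, "keylife": str},
              "phase2-interface": {"proposal": set, "dhgrp": set, "keylifeseconds": str, "pfs": str}}
STANZA = re.compile(r'config vpn ipsec (phase[12]-interface)\n(.*?)\nend', re.S)
ENTRY = re.compile(r'edit "([^"]+)"\n(.*?)\n\s*next', re.S)
SETTING = re.compile(r'^\s*set (\S+) (.+?)\s*$', re.M)

def parse_ipsec(config):
    """Return {table: {tunnel: {key: value}}} from a FortiOS 'show vpn ipsec ...' dump."""
    return {table: {name: dict(SETTING.findall(body)) for name, body in ENTRY.findall(stanza)}
            for table, stanza in STANZA.findall(config)}

def find_mismatches(local, remote, names):
    """names maps each table to (local tunnel, remote tunnel); returns every disagreement."""
    issues = []
    for table, keys in NEGOTIATED.items():
        a = local.get(table, {}).get(names[table][0], {})
        b = remote.get(table, {}).get(names[table][1], {})
        for key, kind in keys.items():
            if (key in a) != (key in b):          # one side relies on its firmware default
                issues.append(f"{table}/{key}: set on one side only, check the other side's default")
            elif key in a:
                same = (bool(set(a[key].split()) & set(b[key].split()))
                        if kind is set else a[key] == b[key])
                if not same:
                    issues.append(f"{table}/{key}: local={a[key]} remote={b[key]}")
    return issues

# Constructed sample dumps for the two peers (secrets and non-negotiated settings omitted).
HQ = """config vpn ipsec phase1-interface
    edit "to-branch"
        set proposal aes256-sha256 aes128-sha1
        set dhgrp 14
        set keylife 86400
    next
end
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set proposal aes256-sha256
        set pfs enable
        set keylifeseconds 3600
    next
end
"""
# The branch only offers aes128-sha1 (still overlaps) but disagrees on phase 2 lifetime and PFS.
BRANCH = (HQ.replace('"to-branch', '"to-hq').replace("aes256-sha256 aes128-sha1", "aes128-sha1")
            .replace("keylifeseconds 3600", "keylifeseconds 43200").replace("pfs enable", "pfs disable"))
NAMES = {"phase1-interface": ("to-branch", "to-hq"), "phase2-interface": ("to-branch-p2", "to-hq-p2")}
```

Running `find_mismatches(parse_ipsec(HQ), parse_ipsec(BRANCH), NAMES)` on the sample dumps flags only the phase 2 lifetime and PFS, while the phase 1 proposal lists pass because they share one entry.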