Valid IPSec SA not found for SPSAItem. Initiate new tunnel negotiation
Hi,
I've been stuck on this issue for a few weeks now. I do have a case open with support but I'm waiting for an arranged call with them. In the meantime I'm under a bit of pressure to get this resolved. I've attempted both BOVPNs and ViP and on both occasions I just receive the errors:
2024-05-16 15:58:37 iked (xx.xx.xx.xx<->xx.xx.xx.xx)IKEv2 CREATE_CHILD_SA exchange from xx.xx.xx.xx to xx.xx.xx.xx failed. Tunnel=''. Reason=Received N(TS_UNACCEPTABLE) message. msg_id="021A-0016" Debug
I've been through all the phase 2 settings with a fine-tooth comb multiple times and I've also asked the engineer on the end to create a second test VPN so we can test different settings to see if it's a compatibility issue, but nothing appears to be working. The remote firewall is a Cisco which I don't manage so I cannot access it.
I turned on Debug logging and the only issue I can see is this:
2024-05-14 15:58:57 iked (xx.xx.xx.xx<->xx.xx.xx.xx)Valid IPSec SA not found for SPSAItem. Initiate new tunnel negotiation.
Can anyone offer any advice? As I say, I've been over the settings multiple times and I just can't figure out what it doesn't like.
Comments
From the Log Message Guide for 021A-0016:
AUTH negotiation failed because peer sent a notification error message.
Looks like TS = traffic selector
Perhaps this Cisco bug???
Cisco Bug: CSCue42170
https://quickview.cloudapps.cisco.com/quickview/bug/CSCue42170
Justin, are you using IKEv1 or IKEv2?
If IKEv2, try changing to IKEv1....
Is the WG the initiator?
What happens when the Cisco tries to initiate the VPN connection?
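Added example, not part of the thread and not vendor code: a simplified model of how an IKEv2 responder checks the traffic selectors proposed in CREATE_CHILD_SA (RFC 7296, section 2.9) and why a subnet mismatch comes back as N(TS_UNACCEPTABLE). The subnets, the policy pair and the function names are constructed for illustration; real devices may be stricter than this model, for example by requiring an exact match.

```python
import ipaddress


def overlap(a, b):
    """Intersection of two CIDR blocks: the nested one, or None if disjoint."""
    if a.version != b.version:
        return None
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def respond_to_ts(tsi, tsr, responder_policy):
    """Model a responder evaluating a traffic-selector proposal.

    tsi: subnets behind the initiator (TSi payload).
    tsr: subnets behind the responder (TSr payload).
    responder_policy: (local_net, remote_net) pairs as configured on the
    responder, i.e. from the responder's point of view.
    Returns (narrowed_tsi, narrowed_tsr), or "TS_UNACCEPTABLE" when no
    policy pair covers any part of both proposed selectors.
    """
    tsi = [ipaddress.ip_network(n) for n in tsi]
    tsr = [ipaddress.ip_network(n) for n in tsr]
    for local, remote in responder_policy:
        local = ipaddress.ip_network(local)
        remote = ipaddress.ip_network(remote)
        # TSi must fall within what the responder calls "remote",
        # TSr within what it calls "local".
        ok_i = [o for o in (overlap(n, remote) for n in tsi) if o]
        ok_r = [o for o in (overlap(n, local) for n in tsr) if o]
        if ok_i and ok_r:
            return ok_i, ok_r
    return "TS_UNACCEPTABLE"


# Constructed responder policy: its LAN is 10.20.0.0/24, peer LAN 192.168.10.0/24.
POLICY = [("10.20.0.0/24", "192.168.10.0/24")]

if __name__ == "__main__":
    # Wider TSr than the responder allows: narrowed to the configured /24.
    print(respond_to_ts(["192.168.10.0/24"], ["10.20.0.0/16"], POLICY))
    # Initiator's local subnet differs from what the responder expects.
    print(respond_to_ts(["192.168.1.0/24"], ["10.20.0.0/24"], POLICY))
```

Feeding it the tunnel routes from one side as `tsi`/`tsr` and the other side's configured pairs as `responder_policy` shows which pair, if any, fails to line up.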