We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see https://campus.barracuda.com/doc/71862301/ for further information on our EoS policy.

IPsec Log Messages and Debugging

  • Last updated on

This article provides a list of common issues than can occur and generate error messages in the ike.log file when establishing IPsec VPN tunnels on the Barracuda NG Firewall. 

In this article:

Debugging in Barracuda NG Admin

  1. Open the VPN Settings page (Config > Full ConfigBox > Virtual Serversyour virtual server > Assigned Services > VPN-Service).
  2. Click Lock.
  3. Click the Click here for Server Settings link.
  4. In the Server Settings window, click the Advanced tab.
  5. In the IKE Parameters section, select 10 from the IPSec Log Level list.
  6. Click OK.
  7. Click Send Changes and Activate.

Debugging at the Command Line

At the command line, use the ipsecctrl command to gather debugging information.

Setting the debug level too high may render the unit unresponsive due to high system and disk I/O load.

  • ipsecctrl isakmpd buglevel
  • = Debuglevel 0 - 99, (use  0 to deactivate the debugging mode).

Logfiles

'dropped message' reported in the ike.log
  • dropped message from x.x.x.x port 500 due to the PAYLOAD_MALFORMED notification type
  • dropped message from x.x.x.x port 500 due to the INVALID_PAYLOAD_TYPE notification type
  • dropped message from x.x.x.x port 500 due to the INVALID_COOKIE notification type 

Cause

  • dropped message from x.x.x.x port 500 due to the PAYLOAD_MALFORMED notification type
  • dropped message from x.x.x.x port 500 due to the INVALID_PAYLOAD_TYPE notification type  

These errors indicate that the preshared key does not match on the two VPN peers. As a result, the encrypted fifth main-mode packet is incorrectly decrypted or decrypted with another key. 

  • dropped message from x.x.x.x port 500 due to the INVALID_COOKIE notification type 

This error indicates that the configuration of Phase 1 or Phase 2 does not match between both peers.

'NO KEYSTATE' reported in the ike.log

If you have a "no keystate" error, verify that the preshared key is correct or if the local ID is correct (see the Advanced option). You should have more information in the remote endpoint logs. 

  • 115317 Default (SA Cnx-P1) SEND phase 1 Main Mode [KEY][NONCE]
  • 115319 Default (SA Cnx-P1) RECV phase 1 Main Mode [KEY][NONCE]
  • 115319 Default (SA Cnx-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY]
  • 115319 Default ipsec_get_keystate: no keystate in ISAKMP SA 00B57C50
'received remote ID other than expected' reported in the ike.log

If you have a "received remote ID other than expected …" error, the Remote ID value (see Advanced option) does not match what the remote VPN endpoint is expecting. 

  • 120351 Default (SA Cnx-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY]
  • 120351 Default (SA Cnx-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY]
  • 120351 Default ike_phase_1_recv_ID: received remote ID other than expected support@thegreenbow.fr
'NO PROPOSAL CHOSEN' reported in the ike.log

If you have a "NO PROPOSAL CHOSEN" error (hereafter), verify that the Phase 2 algorithms are the same on each side of the IPsec VPN tunnel. 

  • 115915 Default (SA Cnx-Cnx-P2) SEND phase 2 Quick Mode [SA][KEY][ID][HASH][NONCE]
  • 115915 Default RECV Informational [HASH][NOTIFY] with NO_PROPOSAL_CHOSEN error
  • 115915 Default RECV Informational [HASH][DEL]
  • 115915 Default Cnx-P1 deleted 

If you have a "NO PROPOSAL CHOSEN" error (hereafter), verify that the Phase 1 algorithms are the same on each side of the IPsec VPN tunnel. 

  • 115905 Default sysdep_app_open: Init Connection for : Cnx-Cnx-P2 Cnx-remoteaddr
  • 115905 Default sysdep_app_open: IPV4_SUBNET Network 192.168.1.1
  • 115905 Default sysdep_app_open: IPV4_SUBNET Netmask 255.255.255.0
  • 115911 Default (SA Cnx-P1) SEND phase 1 Main Mode [SA][VID]
'INVALID ID INFORMATION' reported in the ike.log

If you have an "INVALID ID INFORMATION" error, verify that the Phase 2 ID (local address and network address) is correct and matches what is expected by the remote VPN endpoint. Also verify the ID type. If Network Mask is not checked, you are using an IPV4_ADDR type (and not a IPV4_SUBNET type). 

  • 122626 Default (SA Cnx-Cnx-P2) SEND phase 2 Quick Mode [SA][KEY][ID][HASH][NONCE]
  • 122626 Default RECV Informational [HASH][NOTIFY] with INVALID_ID_INFORMATION error
  • 122626 Default RECV Informational [HASH][DEL]
  • 122626 Default Cnx-P1 deleted

Perfect Forward Secrecy (PFS)

The Barracuda NG Firewall supports Perfect Forward Secrecy (PFS) for tunnel establishment. With PFS, if one key is compromised, previous and subsequent keys are secure because they are not derived from previous keys. PFS is activated by default. If a third-party IPsec gateway tries to establish a tunnel without using PFS, errors like the following ones are generated on the Barracuda NG Firewall gateway and written to the ike.log (at the VPN service logfiles): 

  • Notice dropped message from 194.39.131.169 port 500 due to notification type INVALID_PAYLOAD_TYPE
  • Notice message_parse_payloads: reserved field non-zero: 18
  • Notice dropped message from 194.39.131.169 port 500 due to notification type PAYLOAD_MALFORMED
  • Notice message_parse_payloads: reserved field non-zero: 20
  • Notice dropped message from 194.39.131.169 port 500 due to notification type PAYLOAD_MALFORMED 

Usage of PFS must be activated or deactivated on both gateways. Activate PFS in the Phase 2 section of the IPsec Tunnel configuration window through the DH-Group setting. To deactivate PFS, set the value of the Phase 2 DH-Group to none.

Main keys should only be used with great care, as they will require further authentications. This can lead to additional administration effort for the domain controllers in the network. The main key does not have to be active on both gateways.

Last updated on