FortiGate
ezhupa
Staff
Article Id 423320
Description: This article describes IPsec tunnels that fail to establish after upgrading to v7.6.5 because the default DH groups changed.
Scope: FortiGate, FortiOS.
Solution

After upgrading to v7.6.5, IPsec tunnels that were established without problems on the previous version may stay completely down and fail to come back up.

When running the IKE debug on one of the impacted tunnels, look for the following error message:

 

2025-12-15 17:11:09.447240 ike V=root: Negotiate ISAKMP SA Error:
2025-12-15 17:11:09.447285 ike V=root:0:XXXXXXXXXXXXX/0000000000000000:142: no SA proposal chosen

 

If so, check the DH group values under the phase1 and phase2 configurations on both peers and make sure they match. Starting from v7.6.5, FortiOS uses different, more secure default DH groups:

  • A phase1 or phase2 that was left at the old default of 14 and 5 shows 14, 20, and 21 after the upgrade.
  • When a new tunnel is configured via the CLI on v7.6.5, the default changes from 14 and 5 to 20 and 21.

Group 5 (1536-bit MODP) is therefore no longer proposed. A peer that was negotiating with group 5, for example because it was matched to the old FortiGate default, no longer shares a DH group with the upgraded FortiGate, and the negotiation fails with 'no SA proposal chosen'. After configuring the same DH groups on both sides, the tunnels should resume connectivity. Where the remote peer supports it, prefer aligning it to 14, 20, and 21 rather than re-adding the weaker group 5 on the FortiGate. The phase2 DH group is only used when PFS is enabled, so a phase2 mismatch shows up only on tunnels with PFS.
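The following is an added example of how to verify and align the DH groups on the upgraded FortiGate from the CLI; it is not part of the original article. The tunnel names "to_branch" and "to_branch_p2" are hypothetical, and the lines starting with # are explanatory comments that are not typed into the CLI.

```text
# 1. See what the upgraded FortiGate now proposes. Use "show full-configuration"
#    rather than "show": plain "show" hides attributes that are at their default,
#    which is exactly the case when the default changed underneath you.
show full-configuration vpn ipsec phase1-interface "to_branch"
show full-configuration vpn ipsec phase2-interface "to_branch_p2"

# 2. Preferred fix: update the remote peer to 14/20/21 (14 = 2048-bit MODP,
#    20 = 384-bit ECP, 21 = 521-bit ECP) and leave the FortiGate at the new,
#    stronger defaults. No FortiGate change is needed in that case.
#
#    Fallback, only if the peer cannot do better than group 5: explicitly add
#    group 5 (1536-bit MODP) alongside the stronger groups, so peers that do
#    support 14/20/21 can still negotiate a strong group. Set the same list
#    in phase1 (IKE SA) and, when PFS is enabled, in phase2.
config vpn ipsec phase1-interface
    edit "to_branch"
        set dhgrp 14 20 21 5
    next
end
config vpn ipsec phase2-interface
    edit "to_branch_p2"
        set pfs enable
        set dhgrp 14 20 21 5
    next
end

# 3. Force a fresh negotiation and confirm the tunnel comes up.
diagnose vpn ike gateway clear name "to_branch"
diagnose vpn ike gateway list name "to_branch"
get vpn ipsec tunnel summary
```

Apply the same check on the remote peer (on a FortiGate, the same commands; on a third-party device, its equivalent IKE and PFS group settings), since the error only says that no common proposal was found, not which side is missing the group.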

For more information, see the 'Changes in the CLI' section of the v7.6.5 release notes.

 

Note: 

  • The message 'no SA proposal chosen' indicates a mismatch in the IKE proposals during VPN negotiation, often caused by configuration discrepancies.
  • To troubleshoot, verify that both VPN peers have identical Phase 1 and Phase 2 proposal settings, including encryption, hash algorithms, and DH groups.

 

diagnose vpn ike log filter rem-addr4 <Remote_Peer_IP>
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

 

  • Review the detailed logs on both devices to identify differences between the proposals sent and received, and run 'diagnose debug disable' when finished so the debug output does not keep consuming CPU.
  • Additionally, capturing the IKE negotiation packets on the FortiGate and opening the capture in Wireshark shows the specific proposals exchanged and helps pinpoint where the mismatch occurs. Use verbosity 6 so the Ethernet header and payload are captured; that output can be converted to pcap with fgt2eth, whereas verbosity 4 only prints packet headers and will not show the proposals.

 

diagnose sniffer packet any "host <Destination_IP> and port (500 or 4500)" 6 0 l