Created on 01-22-2023 10:34 PM
Edited on 02-18-2025 06:38 AM
By Jean-Philippe_P
Description: This article describes how to troubleshoot the messages 'no proposal chosen' and 'no SA proposal chosen' when they appear in IKE debug logs.
Scope: FortiGate.
Solution:
When the logs collected with 'ike -1' contain 'no proposal chosen', the cause can be any of those listed below.

Debug commands:

diagnose debug application ike -1
diagnose debug enable
Caution: the error message 'no proposal chosen' differs from 'no SA proposal chosen'.

The latter ('no SA proposal chosen') is usually caused by a mismatch in the Phase 1 configuration, such as the IKE mode (Aggressive/Main) or the encryption/authentication algorithms. To resolve the issue, make sure the IKE mode and the Phase 1 proposal match on both sides.

Another reason can be an IKE version mismatch (IKEv1 on one side, IKEv2 on the other). Refer to this article: Troubleshooting Tip: How to troubleshoot the message 'ike Negotiate ISAKMP SA Error' in the IKE debu...
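The first thing to do with a long 'ike -1' capture is to sort the lines by tunnel and check which of the two messages above actually appeared. The script below is an added example (it is not part of this article or of FortiOS): it groups the debug lines by tunnel name (or by SPI pair for a responder that has not yet matched a tunnel), attaches the peer address from the preceding 'comes' line, and maps each message to the checks described on this page. The sample output is constructed from the lines shown in this article plus two illustrative lines for a tunnel named SiteB; the exact wording of FortiOS lines other than those shown here is assumed.

```python
"""Triage 'diagnose debug application ike -1' output for proposal errors.

Added example, not code from the Fortinet article or from FortiOS.
"""
import re
from collections import defaultdict

# Message fragment -> what this article says to check first.
HINTS = {
    "no SA proposal chosen": "Phase 1 mismatch: IKE mode (main/aggressive), "
                             "encryption/authentication algorithms, or IKE version",
    "no proposal chosen": "Phase 1 local ID, Phase 2 PFS/DH group, IKEv2 algorithms, "
                          "network-id/network-overlay on hub and spoke, DDNS resolution, "
                          "or a non-zero SPI Size in the peer's IKE SA proposal (v7.4.5+)",
}
HINTS["NO_PROPOSAL_CHOSEN"] = HINTS["no proposal chosen"]   # IKEv2 notify, same checks

# 'ike 0:<tunnel>:<serial>: <text>' and 'ike V=<vdom>:0:<spi_i>/<spi_r>:<serial>: <text>';
# searched rather than anchored so that a leading timestamp does not matter.
LINE_RE = re.compile(r"ike (?:\d+|V=\w+:\d+):(?P<tunnel>[^:\s]+):(?P<serial>\d+): (?P<text>.*)$")
PEER_RE = re.compile(r"ike \d+: comes (?P<peer>[\d.]+):\d+->(?P<local>[\d.]+):\d+")

# Constructed sample: lines from this article plus two illustrative 'SiteB' lines.
SAMPLE_DEBUG = """\
2025-01-13 17:15:02.454729 ike V=root:0:6c0b2db8c4305686/0000000000000000:4357875: responder: main mode get 1st message...
ike 0: comes 192.168.10.11:500->10.10.10.11:500,ifindex=7,vrf=0....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=fa9f847249edb233/0000000000000000 len=36
ike 0:VPN:968190: initiator received SA_INIT response
ike 0:VPN:968190: processing notify type NO_PROPOSAL_CHOSEN
ike 0:VPN:968190: negotiation timeout, deleting
ike 0: comes 203.0.113.7:500->10.10.10.11:500,ifindex=7,vrf=0....
ike 0:SiteB:12: responder: main mode get 1st message...
ike 0:SiteB:12: no SA proposal chosen
"""


def triage(debug_output: str) -> dict:
    """Return {tunnel: {"peer": ip or None, "errors": [(message, hint), ...]}}."""
    result = defaultdict(lambda: {"peer": None, "errors": []})
    last_peer = None
    for line in debug_output.splitlines():
        m = PEER_RE.search(line)
        if m:
            last_peer = m["peer"]            # the 'comes' line precedes the per-tunnel lines
            continue
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = result[m["tunnel"]]
        if entry["peer"] is None:
            entry["peer"] = last_peer
        for msg, hint in HINTS.items():       # first match wins; the three strings do not overlap
            if msg in m["text"]:
                entry["errors"].append((msg, hint))
                break
    return dict(result)


if __name__ == "__main__":
    for tunnel, entry in triage(SAMPLE_DEBUG).items():
        print(tunnel, entry["peer"])
        for msg, hint in entry["errors"]:
            print("   ", msg, "->", hint)
```

Run it against a saved debug file instead of the constructed sample by passing the file contents to triage(); the responder entry keyed by SPI pair is kept on purpose, because before the peer is matched to a tunnel that pair is the only handle you have.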
Possible causes of 'no proposal chosen':
Phase 1 local ID:

config vpn ipsec phase1-interface
    edit "VPN_Tunnel_name"
        set localid-type address
        set localid <IP_address of outgoing interface>
end

Note: If the name of the tunnel contains spaces, escape each space with a backslash (\) when editing it in the CLI. For instance, if the VPN tunnel is named 'VPN to HUB':

config vpn ipsec phase1-interface
(phase1-interface) # edit VPN\ to\ HUB

Phase 2 PFS:

config vpn ipsec phase2-interface
    edit "VPN_Tunnel_name"
        set pfs disable
end
7. Both peers are running IKEv2, but there is a mismatch in the encryption and authentication algorithms chosen. In the debug, the initiator receives a NO_PROPOSAL_CHOSEN notify in the IKE_SA_INIT response and the negotiation times out:

ike 0: comes 192.168.10.11:500->10.10.10.11:500,ifindex=7,vrf=0....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=fa9f847249edb233/0000000000000000 len=36
ike 0: in FA9F847249EDB2330000000000000000292022200000000000000024000000080000000E
ike 0:VPN:968190: initiator received SA_INIT response
ike 0:VPN:968190: processing notify type NO_PROPOSAL_CHOSEN
ike 0:VPN:968190: malformed message
ike shrank heap by 159744 bytes
ike 0:VPN:968190: negotiation timeout, deleting
ike 0:VPN: connection expiring due to phase1 down
ike 0:VPN: deleting
ike 0:VPN: deleted
In a hub-and-spoke or site-to-site topology, if PFS is enabled on the hub (or remote) side, make sure it is also enabled on the spoke (or local) side, with the same DH group; otherwise the IKE debug on the spoke side shows 'no proposal chosen'.

To verify the negotiated proposal, look at the IKE SA entry of the tunnel in the diagnostic output; the SA is identified by its id/spi pair, for example:

vd: root/0
id/spi: 52 4dc149c62eac4ff4/77a8e531e508a031
No proposal chosen error in a hub-and-spoke setup.

Configuration:

HUB:

config vpn ipsec phase1-interface
...

Spoke:

    edit "COPP-WAN2"
        set network-overlay enable <----

On the spoke side, the network ID and network overlay must be enabled and must match the hub.
Note: This error can also occur when one of the sites uses DDNS as the 'Remote Gateway' in the IPsec Phase 1 configuration. It happens when the DDNS name resolves to an address that does not match the actual IP of the remote site, and has nothing to do with the Phase 1 proposals.

Another cause, seen when the FortiGate is the IKEv1 responder and the peer's first main mode message arrives:

2025-01-13 17:15:02.454729 ike V=root:0:6c0b2db8c4305686/0000000000000000:4357875: responder: main mode get 1st message...

In this case, a Wireshark capture shows the proposals correctly. However, the FortiGate 'iked' ignores the proposal payload because of the value of its SPI Size field. From v7.4.5 onwards, FortiGate requires the SPI Size of the IKE SA proposal to be zero; if the value is non-zero, the proposal is ignored. Note that RFC 2408 allows the SPI Size of an ISAKMP SA proposal to be anything from 0 to 16 (the SPI content is to be ignored because the cookie pair is the SPI), so the peer is not necessarily misconfigured. In Wireshark, the proposal payload looks like this:

Payload: Proposal (2) # 1

Workaround: configure the FortiGate as the initiator in the IKE negotiation.
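Both the IKEv2 case in cause 7 and the SPI Size case above come down to bytes that 'ike -1' prints on its 'in'/'out' lines. The following is an added example (my own code, not part of this article or of FortiOS) that decodes such a dump: it parses the 28-byte IKE header, walks the payload chain, reads the type of any Notify payload, and reports the SPI Size of every proposal in an SA payload. It is run against the hex dump shown in cause 7, which decodes to an IKE_SA_INIT response carrying a single NO_PROPOSAL_CHOSEN notify, and against a constructed IKEv1 main mode message 1 built with an SPI Size of 0 and of 16 to show which proposal a v7.4.5+ responder would ignore. The initiator cookie of the constructed message reuses the value from the log line above; the proposal contents are assumed.

```python
"""Decode raw IKE bytes as printed by 'diagnose debug application ike -1'.

Added example, not code from the Fortinet article or from FortiOS.
"""
import struct

IKE_HDR = struct.Struct("!8s8sBBBBII")   # SPIi, SPIr, next payload, version, exchange, flags, msg id, length
NO_PROPOSAL_CHOSEN = 14                  # same notify code in IKEv1 (RFC 2408) and IKEv2 (RFC 7296)
PAYLOAD_SA = {1: 1, 2: 33}               # major version -> payload type of the SA payload
PAYLOAD_NOTIFY = {1: 11, 2: 41}          # major version -> payload type of the Notify payload
IKEV2_FLAG_RESPONSE = 0x20

# Hex dump from cause 7 of this article: an IKE_SA_INIT response that carries only a Notify.
ARTICLE_IKEV2_HEX = "FA9F847249EDB2330000000000000000292022200000000000000024000000080000000E"


def proposals(sa_body: bytes, major: int) -> list:
    """Return [(proposal number, protocol id, spi size), ...] from an SA payload body."""
    off = 8 if major == 1 else 0         # an IKEv1 SA body starts with DOI(4) + Situation(4)
    out = []
    while off + 8 <= len(sa_body):
        nxt, _, plen, num, proto, spi_size, _ntrans = struct.unpack("!BBHBBBB", sa_body[off:off + 8])
        if plen < 8 or off + plen > len(sa_body):
            raise ValueError("truncated proposal")
        out.append((num, proto, spi_size))
        if nxt == 0:                     # 0 = last proposal, 2 = another proposal follows
            break
        off += plen
    return out


def parse_ike(raw: bytes) -> dict:
    """Parse header plus payload chain; collect notify types and proposal SPI sizes."""
    if len(raw) < IKE_HDR.size:
        raise ValueError("shorter than an IKE header")
    spi_i, _spi_r, next_pl, ver, exch, flags, msg_id, length = IKE_HDR.unpack_from(raw)
    major = ver >> 4
    if length != len(raw):
        raise ValueError(f"header says {length} bytes, got {len(raw)}")
    info = {"version": major, "exchange": exch, "msg_id": msg_id,
            "response": bool(flags & IKEV2_FLAG_RESPONSE) if major == 2 else None,
            "spi_i": spi_i.hex(), "notifies": [], "proposals": []}
    off, pl = IKE_HDR.size, next_pl
    while pl != 0:
        if off + 4 > len(raw):
            raise ValueError("payload chain runs past the end of the packet")
        nxt, _, plen = struct.unpack("!BBH", raw[off:off + 4])
        if plen < 4 or off + plen > len(raw):
            raise ValueError("truncated payload")
        body = raw[off + 4:off + plen]
        if pl == PAYLOAD_NOTIFY[major]:
            # IKEv1: DOI(4) proto(1) spi size(1) type(2); IKEv2: proto(1) spi size(1) type(2)
            _, _, ntype = struct.unpack("!BBH", (body[4:] if major == 1 else body)[:4])
            info["notifies"].append(ntype)
        elif pl == PAYLOAD_SA[major]:
            info["proposals"].extend(proposals(body, major))
        off, pl = off + plen, nxt
    return info


def proposals_ignored_by_spi_size(raw: bytes) -> list:
    """Proposal numbers a v7.4.5+ FortiGate responder ignores: SPI Size must be 0 for the IKE SA."""
    return [num for num, _proto, spi_size in parse_ike(raw)["proposals"] if spi_size != 0]


def build_ikev1_main_mode_msg1(spi_size: int) -> bytes:
    """Constructed IKEv1 main mode message 1 (HDR, SA) with one ISAKMP proposal.

    Assumed offer: AES-CBC-128 / SHA-256 / PSK / DH group 14. spi_size 0 is what
    FortiGate expects; 16 mimics a peer that fills the field with the cookie length.
    """
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v)
                     for t, v in ((1, 7), (14, 128), (2, 4), (3, 1), (4, 14)))
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs     # transform 1, KEY_IKE
    proposal = (struct.pack("!BBHBBBB", 0, 0, 8 + spi_size + len(transform), 1, 1, spi_size, 1)
                + bytes(spi_size) + transform)                                  # proposal 1, PROTO_ISAKMP
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal        # DOI=IPsec, SIT_IDENTITY_ONLY
    hdr = IKE_HDR.pack(bytes.fromhex("6c0b2db8c4305686"), bytes(8), 1, 0x10, 2, 0, 0,
                       IKE_HDR.size + len(sa))                                  # next=SA, v1.0, main mode
    return hdr + sa


if __name__ == "__main__":
    print(parse_ike(bytes.fromhex(ARTICLE_IKEV2_HEX)))
    for size in (0, 16):
        print("SPI Size", size, "-> ignored proposals:",
              proposals_ignored_by_spi_size(build_ikev1_main_mode_msg1(size)))
```

To check a real capture, paste the hex from the 'ike 0: in ...' line into bytes.fromhex() and look at the "proposals" list: any entry whose third value is non-zero is one that a v7.4.5+ responder drops before ever comparing algorithms, which is why the Wireshark view looks correct while the debug still reports no proposal chosen.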
Copyright 2025 Fortinet, Inc. All Rights Reserved.