Troubleshoot IPsec Tunnel Issues with Error Codes
When setting up an IPsec tunnel between Skyhigh SSE and third-party devices, you may encounter connectivity issues for various reasons. To troubleshoot them, refer to the specific IPsec error codes. Comparing the attributes on both ends allows you to find the mismatch and re-establish the tunnel.
To view any errors that may have been encountered and suggested troubleshooting steps:
- Navigate to Analytics > Connectivity.
- On the Connectivity page, locate the error code.
- Under the Actions section, click the three dots, then select View Error Log.
- The Error Log page will appear, displaying the error code, error message, and timestamp. For more details, see View Connectivity Status.
- Click the Error Log Troubleshooting Steps hyperlink to access the troubleshooting topic.
The section below details three IPsec error codes and their corresponding troubleshooting steps.
- Pre-shared Key Mismatch
- Subnet Mismatch
- Child Proposal Mismatch
PRE-SHARED_KEY_MISMATCH
The Pre-shared Key (PSK) on the third-party IPsec VPN-enabled device does not match the PSK used by Skyhigh SSE.
Troubleshooting Steps:
- Compare: Check the PSK in the third-party IPsec-enabled device's VPN settings and compare it against the PSK used in the Skyhigh SSE configuration.
- Verify: Make sure both PSKs match exactly, including case sensitivity, and ensure there are no extra spaces.
- Correct: If the PSKs are different, update the PSK so that it matches in both locations (Skyhigh SSE UI and third-party IPsec VPN-enabled device).
- Reconnect: Try to re-establish the VPN connection.
SUBNET_MISMATCH
The Phase 2 subnet configuration on the third-party IPsec VPN-enabled device does not match the allowed subnets configured in the Skyhigh SSE UI.
Troubleshooting Steps:
- Review: Check the allowed internal subnets (IPv4, any subnet CIDR-0 bits) in the Skyhigh SSE UI.
- Compare: Compare these subnets to the Phase 2 subnet configuration on the IPsec VPN-enabled device on your end.
- Align: Make sure your device's Phase 2 subnets are either within or identical to the allowed subnets configured in the Skyhigh SSE UI.
- Update: If necessary, adjust the subnet configuration so that it matches in both the Skyhigh SSE UI and the third-party IPsec VPN device.
- Reconnect: Try to re-establish the VPN connection.
CHILD_PROPOSAL_MISMATCH
The Phase 2 (Child SA) security proposals on the third-party IPsec VPN-enabled device do not match the Phase 2 requirements configured in the Skyhigh SSE UI.
Troubleshooting Steps:
- Inspect: Review the Phase 2 (Child SA) security proposals, including encryption, authentication, and Perfect Forward Secrecy (PFS), in both the IPsec VPN-enabled device's settings and the Skyhigh SSE configuration.
- Verify: Make sure that all Phase 2 security proposals are identical between the IPsec VPN-enabled device on your end and Skyhigh SSE.
- Correct: If there are any discrepancies, update the Phase 2 settings so that the Skyhigh SSE configuration and the IPsec VPN-enabled device configuration match.
- Reconnect: Try to re-establish the VPN connection.
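The comparisons described for the three error codes can be run locally against exported settings before retrying the tunnel. The following is an added example, not Skyhigh SSE code: the dictionary layout, field names, and sample values are assumptions constructed for illustration, and the error-code names are reused only as report keys.

```python
import hmac
import ipaddress

def psk_hint(device_psk, sse_psk):
    """Return None when the PSKs match, else a hint that never echoes the key."""
    if hmac.compare_digest(device_psk.encode(), sse_psk.encode()):
        return None
    if device_psk.strip() == sse_psk.strip():
        return "differs only by leading/trailing whitespace"
    if device_psk.lower() == sse_psk.lower():
        return "differs only by letter case"
    return "keys differ"

def uncovered_subnets(device_subnets, allowed_subnets):
    """Device Phase 2 subnets that are neither within nor identical to an allowed subnet."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowed_subnets]
    bad = []
    for text in device_subnets:
        net = ipaddress.ip_network(text, strict=False)
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            bad.append(text)
    return bad

def proposal_diffs(device_child, sse_child):
    """Phase 2 (Child SA) attributes whose values differ (names compared case-insensitively)."""
    keys = ("encryption", "authentication", "pfs")
    return [k for k in keys
            if str(device_child.get(k, "")).lower() != str(sse_child.get(k, "")).lower()]

def precheck(device, sse):
    """Map each error code from this page to the mismatch found locally, if any."""
    findings = {
        "PRE-SHARED_KEY_MISMATCH": psk_hint(device["psk"], sse["psk"]),
        "SUBNET_MISMATCH": uncovered_subnets(device["subnets"], sse["allowed_subnets"]),
        "CHILD_PROPOSAL_MISMATCH": proposal_diffs(device["child"], sse["child"]),
    }
    return {code: detail for code, detail in findings.items() if detail}

# Constructed sample values; the field names are assumptions, not a Skyhigh SSE schema.
SSE = {"psk": "Example-Key-123", "allowed_subnets": ["10.20.0.0/16"],
       "child": {"encryption": "aes256", "authentication": "sha256", "pfs": "group14"}}
DEVICE = {"psk": "Example-Key-123 ", "subnets": ["10.20.5.0/24", "192.168.1.0/24"],
          "child": {"encryption": "aes256", "authentication": "sha512", "pfs": "group14"}}

if __name__ == "__main__":
    print(precheck(DEVICE, SSE))
```

The PSK check reports only the kind of difference, so the key itself never lands in terminal history or a ticket.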