
Troubleshooting IPSec connectivity between Juniper and Huawei

Latest reply: Oct 11, 2021 13:54:14


Issue:

Juniper firewall VPN establishment unsuccessful: Phase 1: Retransmission



Error:


The Juniper firewall VPN cannot be established, and the following message appears in the log: Phase 1: Retransmission limit has been reached. The relevant Juniper knowledge-base information is reproduced in the full case below; the method it describes does not seem to resolve the problem completely, but its troubleshooting approach for the Juniper firewall is still worth following.



Full Case:



Juniper firewall VPN establishment unsuccessful: Phase 1: Retransmission

The Juniper firewall VPN cannot be established, and the following message appears in the log: Phase 1: Retransmission limit has been reached.

The following is the relevant information found in the Juniper knowledge base. The method it describes does not seem to solve the problem completely, but its troubleshooting approach for the Juniper firewall is worth following.

Synopsis:

The VPN won't come up. It is failing in Phase 1, with "Retransmission limit has been reached" reported in the event log.

Problem:

The VPN tunnel does not come up. It is failing in Phase 1, with 'Phase 1: Retransmission limit has been reached' reported in the Event log.

Because the Phase 1 handshake could not be completed, the VPN tunnel could not be established.

Assumptions:

You are on the responder firewall, and there are no Phase 2 errors in the Event log.
You are on the responder firewall, and the only Phase 1 message in the Event log is 'Retransmission limit has been reached'. If you have other Phase 1 errors, refer to KB9238 - How to Analyze IKE Phase 1 Messages in the Event Logs.
You are on the initiator firewall, and there are no messages in the Event log on the responder.
Note: It is always better to troubleshoot VPN connection problems by reviewing the messages on the responder side first.


Terminology:


The responder is the receiving side of the VPN: the side that is being pinged, that receives the tunnel setup requests, or that receives the tunneled traffic.


The initiator is the side of the VPN from which the ping or traffic is generated.


Solution:


Use the following steps to determine what to do when you receive 'Phase 1: Retransmission limit has been reached' messages in the Event log.


1. From the firewall, can you ping the IP address of the Remote VPN Gateway or any host on the Internet?

Yes - Continue with Step 2

No - Verify that a default route is configured on the firewall. If so, can you ping the firewall's default gateway? If you cannot ping the firewall's default gateway, check connectivity between the firewall and the default gateway router.


2. Is the Preshared Key specified in the IKE gateway configuration the same on both the initiator and the responder?

Yes - Continue with Step 3

No - In the IKE gateway configuration, re-enter the Preshared Key on both the initiator and the responder, then attempt to bring up the VPN again.


3. Does the IP address specified in the IKE gateway configuration match the public IP address of the Remote Gateway?

Yes - Continue with Step 4

No - In the IKE gateway configuration, specify the correct IP address for the Remote Gateway, then attempt to bring up the VPN again.


4. Does the IKE gateway's outgoing interface match the route to the destination?

Yes - Continue with Step 5

No - The IKE Gateway's outgoing interface cannot be changed in place. Create a new IKE Gateway that points to the correct outgoing interface, then change the AutoKey IKE entry so that it points to this new IKE Gateway.


5. Are there any routers or firewalls in the path that are blocking IPSec (IP protocol 50, or UDP port 500 if using NAT-Traversal)?

Yes - Work with the administrator of that firewall or router to allow IPSec through between the IP address of your firewall and the Remote Gateway.

No - Continue with Step 6


6. If the above steps do not resolve the 'Phase 1: Retransmission limit has been reached' messages, collect the Site-to-Site VPN logs for both sides of the tunnel and open a case with JTAC (Juniper Technical Assistance Center). See KB9229 - How to collect logs and open a case for a problem with a Site-to-Site VPN.
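As an added example (not from the post, Juniper or Huawei), the checklist above expressed as a small Python triage routine: it checks the responder-log assumption, performs the route-versus-outgoing-interface comparison from step 4 with a longest-prefix lookup, and walks steps 1 to 5 over constructed gateway settings that model the dynamic-IP case the author describes below. Interface names, addresses, the PSK and the log lines are constructed placeholders; UDP 4500 is added as the NAT-Traversal port.

```python
import ipaddress
import re

# Added example, not from the original post. Interface names, addresses,
# the PSK and the log lines are constructed placeholders.
RETRANS = re.compile(r"Phase 1: Retransmission limit has been reached")

def responder_assumption_holds(event_log):
    """Checks the page's assumption: the only Phase 1 message on the responder
    is the retransmission limit, and there are no Phase 2 messages at all."""
    p1 = [line for line in event_log if "Phase 1" in line]
    p2 = [line for line in event_log if "Phase 2" in line]
    return bool(p1) and all(RETRANS.search(line) for line in p1) and not p2

def egress_interface(routes, dest):
    """Longest-prefix route lookup; routes is a list of (prefix, interface)."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def triage(local, peer, routes, remote_reachable, path_allows_ipsec):
    """Returns (step, action) for the first checklist step that fails.
    local/peer carry 'psk', 'gateway_ip' (the configured remote address),
    'public_ip' (the address actually in use) and 'outgoing_interface'."""
    if not remote_reachable:
        return 1, "check the default route and reachability of the default gateway"
    if local["psk"] != peer["psk"]:
        return 2, "re-enter the Preshared Key on both initiator and responder"
    if local["gateway_ip"] != peer["public_ip"]:
        return 3, f"IKE gateway points at {local['gateway_ip']} but the peer now uses {peer['public_ip']}"
    if egress_interface(routes, local["gateway_ip"]) != local["outgoing_interface"]:
        return 4, "create a new IKE Gateway bound to the interface that routes to the peer"
    if not path_allows_ipsec:
        return 5, "allow ESP (IP protocol 50), UDP 500 and UDP 4500 (NAT-T) on the path"
    return 6, "collect Site-to-Site logs from both sides and open a JTAC case"

# Constructed scenario from the post: the ADSL side reconnected with a new address,
# while the static side's IKE gateway still points at the old one.
STATIC_SIDE = {"psk": "example-psk", "gateway_ip": "203.0.113.10",
               "public_ip": "198.51.100.5", "outgoing_interface": "ethernet3"}
ADSL_SIDE = {"psk": "example-psk", "gateway_ip": "198.51.100.5",
             "public_ip": "203.0.113.22", "outgoing_interface": "ethernet1"}
ROUTES = [("0.0.0.0/0", "ethernet3"), ("10.0.0.0/8", "ethernet1")]
RESPONDER_LOG = ["2021-06-23 14:47:00 Phase 1: Retransmission limit has been reached.",
                 "2021-06-23 14:47:05 Phase 1: Retransmission limit has been reached."]
```

Running `triage(STATIC_SIDE, ADSL_SIDE, ROUTES, True, True)` stops at step 3, which is exactly the stale-peer-address condition the author attributes the intermittent failures to.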


The VPN on the customer's side was configured by me. The configuration is correct, but occasionally the VPN connection is unsuccessful and the message "Phase 1: Retransmission limit has been reached." appears in the log. The reason should be the third item mentioned above, an incorrect IP address, because the customer has only one fixed IP and the other end uses ADSL dial-up. After the ADSL line is disconnected and reconnected, the IP address changes, but the original VPN tunnel still records the IP address from before the disconnection, so the VPN cannot be established. After waiting for a period of time it should return to normal. This should be regarded as a deficiency of dynamic-IP VPNs.



Quick solution:


If you just wait for the VPN to reconnect automatically, it will probably take a long time: once it is broken, it takes more than ten minutes, and it may still not be up after half an hour. In practice I found an easy way to re-establish the VPN connection quickly: disable the policy used by the VPN, then re-enable it, and initiate the VPN connection from the dynamic-IP side. That solves the problem.




Sources: huaweicloud.com

very good one
andersoncf1
MVE Author Created Jun 23, 2021 14:47:23

Thanks for sharing dear friend

Good share. Thank you
