The following log excerpts show Phase 2 policy mismatch errors.
NSX Edge
NSX Edge hangs at STATE_QUICK_I1. A log message shows that the peer sent a NO_PROPOSAL_CHOSEN message.
000 #2: "s1-c1":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 11s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
Aug 26 12:33:54 weiqing-desktop ipsec[6933]: | got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
Aug 26 12:33:54 weiqing-desktop ipsec[6933]: | ***parse ISAKMP Notification Payload:
Aug 26 12:33:54 weiqing-desktop ipsec[6933]: | next payload type: ISAKMP_NEXT_NONE
Aug 26 12:33:54 weiqing-desktop ipsec[6933]: | length: 32
Aug 26 12:33:54 weiqing-desktop ipsec[6933]: | DOI: ISAKMP_DOI_IPSEC
Aug 26 12:33:54 weiqing-desktop ipsec[6933]: | protocol ID: 3
Aug 26 12:33:54 weiqing-desktop ipsec[6933]: | SPI size: 16
Aug 26 12:33:54 weiqing-desktop ipsec[6933]: | Notify Message Type: NO_PROPOSAL_CHOSEN
Aug 26 12:33:54 weiqing-desktop ipsec[6933]: "s1-c1" #3: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Cisco
Debug messages show that Phase 1 completed, but Phase 2 failed because of a policy negotiation failure.
Aug 26 16:03:49 [IKEv1]: Group = 10.20.129.80, IP = 10.20.129.80, PHASE 1 COMPLETED
Aug 26 16:03:49 [IKEv1]: IP = 10.20.129.80, Keep-alive type for this connection: DPD
Aug 26 16:03:49 [IKEv1 DEBUG]: Group = 10.20.129.80, IP = 10.20.129.80, Starting P1 rekey timer: 21600 seconds
Aug 26 16:03:49 [IKEv1]: IP = 10.20.129.80, IKE_DECODE RECEIVED Message (msgid=b2cdcb13) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 288
. . .
Aug 26 16:03:49 [IKEv1]: Group = 10.20.129.80, IP = 10.20.129.80, Session is being torn down. Reason: Phase 2 Mismatch
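The two signatures above can be searched for together when triaging collected logs. The following is an added example, not part of the original page or of NSX or Cisco tooling: the function name, the device labels, and the regular expressions are assumptions derived only from the log lines shown here, and the sample input is a subset of those lines.

```python
import re

# Sample input: a subset of the log lines shown on this page.
SAMPLE = """\
000 #2: "s1-c1":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 11s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
Aug 26 12:33:54 weiqing-desktop ipsec[6933]: | Notify Message Type: NO_PROPOSAL_CHOSEN
Aug 26 12:33:54 weiqing-desktop ipsec[6933]: "s1-c1" #3: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Aug 26 16:03:49 [IKEv1]: Group = 10.20.129.80, IP = 10.20.129.80, PHASE 1 COMPLETED
Aug 26 16:03:49 [IKEv1]: Group = 10.20.129.80, IP = 10.20.129.80, Session is being torn down. Reason: Phase 2 Mismatch
"""

# NSX Edge side: tunnel waiting in Quick Mode, and the peer's rejection notify.
EDGE_STUCK = re.compile(r'"(?P<conn>[^"]+)":\d+ STATE_QUICK_I1 ')
EDGE_NOTIFY = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: ignoring informational payload, type NO_PROPOSAL_CHOSEN')
# Cisco side: Phase 1 success and the Phase 2 teardown reason, keyed by peer IP.
CISCO_P1 = re.compile(r'\[IKEv1\]: .*?IP = (?P<ip>[\d.]+), PHASE 1 COMPLETED')
CISCO_P2 = re.compile(
    r'\[IKEv1\]: .*?IP = (?P<ip>[\d.]+), Session is being torn down\. Reason: Phase 2 Mismatch')


def find_phase2_mismatch(text):
    """Return a sorted list of (device, key, detail) findings (hypothetical helper)."""
    stuck, p1_ok, findings = set(), set(), set()
    for line in text.splitlines():
        if m := EDGE_STUCK.search(line):
            stuck.add(m["conn"])
        elif m := EDGE_NOTIFY.search(line):
            detail = "stuck in STATE_QUICK_I1" if m["conn"] in stuck else "state not shown"
            findings.add(("nsx-edge", m["conn"], "peer sent NO_PROPOSAL_CHOSEN; " + detail))
        elif m := CISCO_P1.search(line):
            p1_ok.add(m["ip"])
        elif m := CISCO_P2.search(line):
            detail = "after Phase 1 completed" if m["ip"] in p1_ok else "Phase 1 result not shown"
            findings.add(("cisco", m["ip"], "Phase 2 Mismatch " + detail))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_phase2_mismatch(SAMPLE):
        print(*finding, sep=" | ")
```

A finding on either side points at the Phase 2 (Quick Mode) proposal, so compare the Phase 2 policy settings configured on both peers.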