IKE fails with message "Traffic Selector Unacceptable" if there are more than 255 Traffic Selectors
Symptoms
  • IKEv2 Phase 1 is successful.
    IKE Phase 2 fails with "Traffic Selector Unacceptable" if there are more than 255 Traffic Selectors, although the proposed IP address is in policy.

  • The issue does not occur in IKEv1.

    In the $FWDIR/log/vpnd.elg file, expect to see:

    Note: This is an example for policy with 381 Traffic Selectors.

    ikeSimpOrder::getPolicyTSr: rc = 381
    ikeSimpOrder::getPolicyTSr: Policy TSr 0: X.X.X.X 
    ikeSimpOrder::getPolicyTSr: Policy TSr 1: X.X.X.X 
    ... ... ...
    ikeSimpOrder::getPolicyTSr: Policy TSr 380: 224.0.0.0 - 224.0.0.255 
    

    If the policy has more than 255 Traffic Selectors (the rc value above), the problem applies, and the log continues with:

    Exchange::validateGeneralPayload: validating payload TS-r.. 
    TSPayload::Intersect: Entering 
    TSPayload::Intersect_ipv4: checking ts 0: IP_ADDRESS (num ranges: 55) 
    ... ... ...
    TSPayload::Intersect_ipv4: Traffic Selector IP_ADDRESS not matched and removed. Payload Narrowed 
    TSPayload::Intersect_ipv4: Traffic Selector IP_ADDRESS not matched and removed. Payload Narrowed 
    TSPayload::Intersect: All traffic selectors not matched. Intersecting fails
    ikeAuthExchange_r::validateTSPayload: Peer's TS does not match mine.
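
The check these log excerpts describe, as an added example (not Check Point's code): a shell function that reads vpnd.elg-style text and reports whether the policy TSr count exceeds 255 together with the Traffic Selector intersection failure. The names `check_ts_limit` and `sample_log`, the output format, and the constructed sample lines are assumptions; the matched log strings are the ones shown above.

```sh
#!/bin/sh
# Added example; function names and output format are hypothetical.
TS_LIMIT=255   # threshold from the article title

# Constructed sample, abridged from the excerpts above (placeholders kept).
sample_log() {
cat <<'EOF'
ikeSimpOrder::getPolicyTSr: rc = 381
ikeSimpOrder::getPolicyTSr: Policy TSr 0: X.X.X.X
ikeSimpOrder::getPolicyTSr: Policy TSr 380: 224.0.0.0 - 224.0.0.255
Exchange::validateGeneralPayload: validating payload TS-r..
TSPayload::Intersect_ipv4: Traffic Selector IP_ADDRESS not matched and removed. Payload Narrowed
TSPayload::Intersect: All traffic selectors not matched. Intersecting fails
ikeAuthExchange_r::validateTSPayload: Peer's TS does not match mine.
EOF
}

# check_ts_limit [FILE...]: reads the named files (or stdin), prints a summary,
# returns 0 only when the count exceeds TS_LIMIT and a TS failure is logged.
check_ts_limit() {
    awk -v limit="$TS_LIMIT" '
        # Policy selector count line, e.g. "getPolicyTSr: rc = 381"
        match($0, /getPolicyTSr: rc = [0-9]+/) {
            s = substr($0, RSTART, RLENGTH); sub(/.*= /, "", s)
            if (s + 0 > max) max = s + 0
        }
        # Responder could not intersect any proposed selector with policy
        /TSPayload::Intersect: All traffic selectors not matched/ { nomatch++ }
        /validateTSPayload: Peer.s TS does not match mine/       { reject++ }
        END {
            printf "max_policy_tsr=%d intersect_failures=%d ts_rejects=%d\n", max, nomatch, reject
            failed = (nomatch + reject > 0)
            if (max > limit && failed) { print "verdict=MATCH"; exit 0 }
            print (max > limit ? "verdict=OVER_LIMIT_NO_FAILURE" : "verdict=NO_MATCH")
            exit 1
        }
    ' "$@"
}

# Demo on the constructed sample
sample_log | check_ts_limit
```

On a gateway the function can be pointed at the log directly, for example `check_ts_limit $FWDIR/log/vpnd.elg`.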
    