Site to Site using IKEv2 fails with "None of the traffic selectors match the conection"
Symptoms
  • VPND debug shows:
    [vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] TSPayload::Intersect: TS narrowed to non-universal
    [vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] TSValidator::validateGeneralTS: narrow: 1
    [vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] TSPayload::getContainingTS_ipv6: looking for a ts that contains
    [vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] constructRelevantIPRanges_ipv6: proto: 0, port range: All Ports
    [vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] constructRelevantIPRanges_ipv6: proto: 0, port range: All Ports
    [vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] TSPayload::getContainingTS_ipv6: Try specific protocol/port (0/0) num_range: 0. addresses in ranges: ::
    [vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] TSPayload::getContainingTS_ipv6: Returning empty TS. For proto 0
    [vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] TSValidator::validate: None of the traffic selectors match the conection
    [vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] Exchange::processPayloads: problem processing payload no. 5 of type TS-r payload
    [vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] Exchange::processPayloads: processPayloads returning initial status
    [vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] ikeAuthExchange_r::postValiadatePayloads: enter with res = -1
    [vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] Exchange::setStatus: Changing status from: initial to: failure (final)..
    [vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] responderExchange::completeFailedExchange: entering.
    [vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] responderExchange::completeFailedExchange: Exchange has failed and there is no concrete notification. sending Invalid Syntax.
    [vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] NotifyPayload::NotifyPayload: NULL notify data passed
  • Ikev2.xmll shows: Response "Invalid syntax"
  • SmartView Tracker shows IKE failed with error " Information exchange:Exchange failed:timeout reached."
Cause

The peer proposes "Universal Range", and Check Point responds with "Invalid syntax".

Mismatch of traffic selectors.

The Check Point side is configured as "one tunnel per subnet pair", while the peer is configured as "one tunnel per gateway pair".
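
To check a VPND debug capture for this failure signature, the following added example (not Check Point code) groups ikev2 debug lines by gateway, process and thread and reports the groups in which traffic selector validation failed. The sample lines are copied from the Symptoms output above; the function, variable and field names are assumptions of this example.

```python
import re

# Five of the VPND debug lines shown under Symptoms, copied verbatim.
SAMPLE = """\
[vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] TSPayload::Intersect: TS narrowed to non-universal
[vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] TSPayload::getContainingTS_ipv6: Returning empty TS. For proto 0
[vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] TSValidator::validate: None of the traffic selectors match the conection
[vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] Exchange::processPayloads: problem processing payload no. 5 of type TS-r payload
[vpnd 6052 4102428560]@gw1[25 Jun 19:48:46][ikev2] responderExchange::completeFailedExchange: Exchange has failed and there is no concrete notification. sending Invalid Syntax.
"""

# Line layout as it appears on the page: [vpnd pid tid]@gw[time][ikev2] func: msg
LINE = re.compile(
    r"\[vpnd (?P<pid>\d+) (?P<tid>\d+)\]@(?P<gw>[^\[]+)"
    r"\[(?P<ts>[^\]]+)\]\[ikev2\] (?P<func>[\w:]+): (?P<msg>.*)"
)

# Message fragments from the page that together identify this failure.
MARKERS = {
    "narrowed": "TS narrowed to non-universal",
    "empty_ts": "Returning empty TS",
    "no_match": "None of the traffic selectors match",
    "invalid_syntax": "sending Invalid Syntax",
}
PAYLOAD = re.compile(r"problem processing payload no\. (\d+) of type (\S+)")


def find_ts_mismatch(text):
    """Return one record per (gateway, pid, thread) whose ikev2 debug
    lines include the traffic-selector validation failure."""
    groups = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not an ikev2 vpnd debug line
        key = (m["gw"], m["pid"], m["tid"])
        g = groups.setdefault(
            key, {"first_seen": m["ts"], "hits": set(), "payload": None})
        for name, needle in MARKERS.items():
            if needle in m["msg"]:
                g["hits"].add(name)
        p = PAYLOAD.search(m["msg"])
        if p:
            g["payload"] = (int(p[1]), p[2])  # failing payload number and type
    return [{"gateway": k[0], **g}
            for k, g in groups.items() if "no_match" in g["hits"]]
```

A record whose `hits` include both `narrowed` and `empty_ts` alongside `no_match`, with the failing payload reported as a TS payload, matches the sequence shown in Symptoms.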

