
Answer-first summary for fast verification
Answer: Compare and review the Phase 2 settings on the on-premises firewall. Make sure the settings match one of the supported cipher suites for HA VPN.
The error message 'received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built' indicates a mismatch in the Phase 2 (IPsec) settings between the Google Cloud VPN and the on-premises firewall. CHILD_SA is the IKEv2 term for the IPsec security association that Phase 2 negotiates, so a failure to build it means the two peers could not agree on a Phase 2 proposal. This phase is crucial for establishing the secure tunnel because it negotiates the encryption algorithms and other parameters for the VPN connection. The correct action is to ensure that the Phase 2 settings on the on-premises firewall match one of the supported cipher suites for HA VPN on Google Cloud. This is why option B is the correct answer.
Options A, C, and D do not address the specific issue indicated by the error message. A deals with BGP configuration, which is unrelated to the Phase 2 negotiation failure. C suggests a geographical solution, which does not resolve configuration mismatches. D refers to Phase 1 settings, but the error is specifically about Phase 2.
Author: LeetQuiz Editorial Team
You are setting up a high-availability VPN to your on-premises network, but the VPN connection fails to establish. You have full administrative access to both the Google Cloud networking environment and the on-premises firewalls serving as VPN devices. The Google Cloud console displays "Negotiation failure" and "BGP is down." Upon checking Cloud Logging with the query resource.type="vpn_gateway" and resource.labels.gateway_id="TUNNEL_ID_NUMBER", you observe frequent log entries in Logs Explorer:
logName: …/logs/cloud.googleapis.com%2Fipsec_events
type: "vpn_gateway"
textPayload: "received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built"
logName: …/logs/cloud.googleapis.com%2Fipsec_events
type: "vpn_gateway"
textPayload: "received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built"
How should you troubleshoot the VPN failure and resolve the issue based on these Cloud Logging entries?
A. Update the Google Cloud BGP session configuration to match the BGP peer ASN on the on-premises side.
B. Compare and review the Phase 2 settings on the on-premises firewall. Make sure the settings match one of the supported cipher suites for HA VPN.
C. Create a new Cloud VPN gateway in a region closer to the peer VPN gateway.
D. Compare the Phase 1 settings and recreate the Cloud VPN tunnel by choosing a different IKE version and pre-shared key.
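Added example (not part of the original question or LeetQuiz's own material): a small triage script that applies the reasoning in the explanation to exported Logs Explorer entries, flagging gateways whose ipsec_events show the Phase 2 proposal failure. The JSON-lines export, project name, gateway IDs and the unrelated payload are constructed sample data; `classify` and `triage` are hypothetical helper names.

```python
import json
from collections import Counter

# Constructed sample export, one LogEntry per line. Only the NO_PROPOSAL_CHOSEN
# payload is taken from the page; everything else is made up for this example.
SAMPLE_LOG = """\
{"logName": "projects/EXAMPLE/logs/cloud.googleapis.com%2Fipsec_events", "resource": {"type": "vpn_gateway", "labels": {"gateway_id": "1111"}}, "textPayload": "received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built"}
{"logName": "projects/EXAMPLE/logs/cloud.googleapis.com%2Fipsec_events", "resource": {"type": "vpn_gateway", "labels": {"gateway_id": "1111"}}, "textPayload": "received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built"}
{"logName": "projects/EXAMPLE/logs/cloud.googleapis.com%2Fipsec_events", "resource": {"type": "vpn_gateway", "labels": {"gateway_id": "1111"}}, "textPayload": "constructed unrelated event"}
{"logName": "projects/EXAMPLE/logs/constructed_other_log", "resource": {"type": "vpn_gateway", "labels": {"gateway_id": "2222"}}, "textPayload": "received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built"}
{"logName": "projects/EXAMPLE/logs/cloud.googleapis.com%2Fipsec_events", "resource": {"ty
"""

def classify(payload: str) -> str:
    """Map an ipsec_events textPayload to the negotiation step it implicates."""
    if "NO_PROPOSAL_CHOSEN" not in payload:
        return "other"
    # CHILD_SA is the IKEv2 name for the IPsec (Phase 2) security association.
    if "CHILD_SA" in payload:
        return "phase2_proposal_mismatch"
    # Proposal rejected, but this message alone does not identify the phase.
    return "proposal_mismatch_phase_unclear"

def triage(export: str) -> dict:
    """Return {gateway_id: Counter of classifications} for ipsec_events entries."""
    findings = {}
    for raw in export.splitlines():
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines instead of aborting the run
        if not entry.get("logName", "").endswith("%2Fipsec_events"):
            continue
        resource = entry.get("resource", {})
        if resource.get("type") != "vpn_gateway":
            continue
        gateway = resource.get("labels", {}).get("gateway_id", "unknown")
        verdict = classify(entry.get("textPayload") or "")
        findings.setdefault(gateway, Counter())[verdict] += 1
    return findings

if __name__ == "__main__":
    for gateway, counts in triage(SAMPLE_LOG).items():
        if counts["phase2_proposal_mismatch"]:
            print(f"gateway {gateway}: {counts['phase2_proposal_mismatch']} Phase 2 "
                  "proposal rejections; compare the peer's Phase 2 settings "
                  "with the supported HA VPN cipher suites")
```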