Juniper Netscreen Client unable to compute DH pair and CryptSetKeyParam failed


I have a VPN connection problem with NetScreen-Remote client.
The following Juniper log messages were captured from my client's laptop:

 4-23: 17:44:20.522 My Connections\vpn - Initiating IKE Phase 1 ( (IP ADDR=xx.xx.xx.xx)
 4-23: 17:44:42.814 CryptSetKeyParam failed 80090020
 4-23: 17:44:42.814 Unable to compute DH pair!
 4-23: 17:44:42.814 My Connections\vpn - Unable to initiate protocol
 4-23: 17:44:42.814 My Connections\VPN - Error initiating manual connection.

I want to know the meaning of the following and how I can resolve them:
1) CryptSetKeyParam failed?
2) Unable to compute DH pair? (I see that DH means Diffie-Hellman but do not know why it was unable to compute.)

For your information,
We have our own CA and use it for certificate-based authentication, linked to our AD.
Our NetScreen-Remote version is 10.8.3 (Build 6) and runs on XP.

Most of our users do not have the problem above, and their Juniper client and VPN connection are working perfectly.
If you have had a similar problem and were able to resolve it, I would appreciate it if you could share with me.

Thank you.
FphcareEnginnerAuthor Commented:
Hi Deimark,

Thank you for your contribution on this post.
We have found out that "CryptSetKeyParam" is used for generating session keys. Each time a VPN user creates a new session, a new parameter is calculated.
The "unable to compute DH pair and CryptSetKeyParam failed" error arises because of user certificate errors. We revoked the problem certificate and issued a new one to the user; after that there was no problem with the VPN connection.

I hope that helps.
Thank you.
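The finding above (a local CryptoAPI failure while generating the DH key pair, traced to a bad user certificate) can be checked quickly from the client log itself. The following is an added example, not code from the original post or from Juniper: it parses NetScreen-Remote client log lines in the format pasted in the question, decodes the HRESULT printed after "CryptSetKeyParam failed" (0x80090020 is NTE_FAIL in winerror.h; facility 9 is the security/CryptoAPI facility), and separates a DH failure that is accompanied by a CryptoAPI error from one that is not. The sample log lines are constructed from the ones in the question, the second sample is a hypothetical log with no CryptoAPI error, and the verdict rules are this editor's heuristics rather than documented client behaviour.

```python
"""Triage NetScreen-Remote client log lines for the DH / CryptSetKeyParam failure.

Added example (editor's code, not from the thread or from Juniper).  The sample
lines are constructed from those posted in the question; HRESULT names are from
winerror.h; the verdict rules are heuristics, not documented client behaviour.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Subset of CryptoAPI NTE_* HRESULTs (winerror.h).  Facility 9 is the
# security/CryptoAPI facility; 0x80090020 is NTE_FAIL ("an internal error").
NTE_CODES = {
    0x80090003: "NTE_BAD_KEY",
    0x8009000D: "NTE_NO_KEY",
    0x80090010: "NTE_PERM",
    0x80090013: "NTE_BAD_PROVIDER",
    0x80090016: "NTE_BAD_KEYSET",
    0x8009001F: "NTE_BAD_KEYSET_PARAM",
    0x80090020: "NTE_FAIL",
}

# Client log line shape: "4-23: 17:44:42.814 message"
LINE_RE = re.compile(r"^\s*(\d{1,2}-\d{1,2}):\s+(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*\S)\s*$")
CRYPT_RE = re.compile(r"CryptSetKeyParam failed\s+([0-9A-Fa-f]{1,8})")

# Constructed from the lines in the question (IP address left as posted).
SAMPLE_LOG = r"""
4-23: 17:44:20.522 My Connections\vpn - Initiating IKE Phase 1 ( (IP ADDR=xx.xx.xx.xx)
4-23: 17:44:42.814 CryptSetKeyParam failed 80090020
4-23: 17:44:42.814 Unable to compute DH pair!
4-23: 17:44:42.814 My Connections\vpn - Unable to initiate protocol
4-23: 17:44:42.814 My Connections\VPN - Error initiating manual connection.
"""

# Hypothetical contrast case: DH failure with no CryptoAPI error logged.
MISMATCH_LOG = r"""
4-23: 17:50:01.000 My Connections\vpn - Initiating IKE Phase 1 ( (IP ADDR=xx.xx.xx.xx)
4-23: 17:50:03.500 Unable to compute DH pair!
4-23: 17:50:03.500 My Connections\vpn - Unable to initiate protocol
"""


@dataclass
class Event:
    day: str
    time: str
    msg: str


def parse_log(text: str) -> List[Event]:
    """Keep only lines that carry the client's timestamp prefix."""
    return [Event(*m.groups()) for m in map(LINE_RE.match, text.splitlines()) if m]


def decode_hresult(value: int) -> Dict[str, object]:
    """Split a Win32 HRESULT into severity/facility/code and name known NTE_* values."""
    return {
        "hex": "0x%08X" % value,
        "failed": bool(value & 0x80000000),   # bit 31 set means failure
        "facility": (value >> 16) & 0x7FF,    # bits 16..26
        "code": value & 0xFFFF,               # bits 0..15
        "name": NTE_CODES.get(value, "unknown"),
    }


def _seconds_between(a: Event, b: Event) -> float:
    fmt = "%H:%M:%S.%f"
    return (datetime.strptime(b.time, fmt) - datetime.strptime(a.time, fmt)).total_seconds()


def triage(text: str) -> Dict[str, object]:
    """Classify a client log excerpt (editor's heuristic, see lead-in)."""
    events = parse_log(text)
    phase1 = next((e for e in events if "Initiating IKE Phase 1" in e.msg), None)
    dh_fail = next((e for e in events if "Unable to compute DH pair" in e.msg), None)
    hres = None
    for e in events:
        m = CRYPT_RE.search(e.msg)
        if m:
            hres = decode_hresult(int(m.group(1), 16))
            break

    if dh_fail is None:
        verdict = "no-dh-failure"
    elif hres is not None:
        # The DH key pair is produced by the client's own CryptoAPI provider, so
        # an NTE_* error here is a local crypto/certificate problem (what the
        # thread found), not a Phase 1 proposal mismatch with the gateway.
        verdict = "local-cryptoapi"
    else:
        verdict = "check-dh-settings"

    return {
        "events": len(events),
        "verdict": verdict,
        "hresult": hres,
        "seconds_to_failure": _seconds_between(phase1, dh_fail) if phase1 and dh_fail else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(triage(MISMATCH_LOG))
```

On the posted log this reports verdict "local-cryptoapi" with NTE_FAIL (facility 9, code 0x20) and a 22.3 second gap between Phase 1 initiation and the failure; a log that shows the DH failure without the CryptSetKeyParam line is classified as "check-dh-settings", which is where comparing Phase 1 DH group settings against the firewall (as suggested below) belongs.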
I would double check all the settings you have at each side, i.e. on the NS Remote client and on the firewall it's connecting to.

Main things to confirm in this case are the DH settings for phase 1.

Have a look at the link; it will give you a bit more info on ensuring you have it configured correctly and also on how to troubleshoot.

Other steps I would do are:

1.  Delete the profile on NS Remote and recreate it
2.  Compare the settings on NS Remote with a working set up
3.  Check Logs on the firewall to see what it says re the DH failure
4.  Uninstall and then re install the NS Remote client
5.  Double check that you are using the latest version of NS Remote and that XP is patched fully.
FphcareEnginnerAuthor Commented:
Thank you for your suggestion.
Just a quick question for you regarding your suggestion 1: do you mean delete the Network Security Policy under Security Policy Editor?

Apologies for my misuse of terms here; I don't have a machine with NS Remote installed, so I can't recall the exact term, but it's the one that defines the security settings for the VPN itself, i.e. the phase 1 and phase 2 properties, the GW you connect to and any shared secrets, usernames or passwords.

Effectively, the aim is to clear any config you may have put in for the VPN connection without actually uninstalling the app.
FphcareEnginnerAuthor Commented:
Thank you for your clarification. Actually, our Phase 1 and Phase 2 policy on the NetScreen-Remote client is locked and is currently in use / installed on all of our VPN users' laptops. Unfortunately, a few users have the same problem; we have tried to uninstall and reinstall the program and policy and end up with the same result.

I am not sure if the CA certificate might contribute to the problem as well. It might be as simple as the CA certificate not having been downloaded to the client's PC. I will ask my client to confirm this. Thank you for your suggestion anyway.
There are useful logs on the client side as well that may shed some light on the issues.

The link I gave does give quite a bit more info as to which roads to look down to resolve the issue, but let us know if you need anything else.
Just saying that there were no close answers to his question is not really suitable here.

If he wants to carry on the investigation then he can have a look at the logs as I suggested as they may shed some more light on the error, however, I suspect he has given up and doesn't need/want any help.

Feel free to close.
It does indeed help bud.

Thanks for getting back to us
Question has a verified solution.