ELS Messages for IPSec Protocol (ISEC)
- Level:
- CE-ERROR
- Short Syntax:
- ISEC.001 No ipsec_prot
SA for pkt (SPI source_ip_address
) dest_ip_addr
-> spi
: disc nt Network ID
- Long Syntax:
- ISEC.001 No ipsec_prot
security assoc admitting packet (SPI source_ip_address
) dest_ip_addr
-> spi
: discarding, net Network ID
- Description:
- A locally-addressed IPsec datagram failed to map to an existing
security association (SA) on this interface of the router.
- Cause:
- A friendly peer is sending IPsec packets for which this interface
has not yet been configured.
- Action:
- Configure the interface for the new IPsec peer.
- Cause:
- A denial-of-service attack is underway.
- Action:
- Identify and stop the attacker.
- Cause:
- A single corrupt packet has been received.
- Action:
- Correct network error, if any.
- Level:
- CE-ERROR
- Short Syntax:
- ISEC.002 Disc ipsec_prot
/ auth_alg
pkt source_ip_address
-> dest_ip_address
: auth sig failed, nt Network ID
- Long Syntax:
- ISEC.002 Discarding ipsec_prot
/ auth_alg
packet source_ip_address
-> dest_ip_address
: authentication signature failed, net Network ID
- Description:
- Recalculation of the ICV (Integrity Check Value)/
MAC (Message Authentication Code) failed for a locally-destined
inbound IPsec datagram encapsulated in AH or auth-mode ESP.
- Cause:
- A signed packet was modified in transit prior to arrival.
- Action:
- May be ignored if modification was due to rare network corruption.
- Cause:
- A denial-of-service attack is underway.
- Action:
- Identify and stop the attacker.
- Cause:
- The remote or local SA lifetime has become out-of-sync with respect
to its peer.
- Action:
- Bring the remote and local SA lifetime configuration back into sync.
- Level:
- UE-ERROR
- Short Syntax:
- ISEC.003 Disc IPComp/ ipcomp_alg
pkt source_ip_address
-> dest_ip_address
: decomp failed, nt Network ID
- Long Syntax:
- ISEC.003 Discarding IPComp/ ipcomp_alg
packet source_ip_address
-> dest_ip_address
: decompression failed, net Network ID
- Description:
- This message is displayed when IPComp decompresses a packet
and the decompression operation fails to complete successfully.
- Cause:
- A compressed IPComp packet failed to decompress correctly.
- Action:
- May be ignored if modification was due to rare network corruption.
- Level:
- C-INFO
- Short Syntax:
- ISEC.004 Drop src_addr
-> dest_addr
, recent IKE fail= ike_fail_reason
on pol= profile_name
. policy_name
nt Network ID
- Long Syntax:
- ISEC.004 Drop src_addr
-> dest_addr
, recent IKE fail= ike_fail_reason
on policy= profile_name
. policy_name
, net Network ID
- Description:
- An outbound packet is being dropped.
IKE has recently failed to negotiate this policy and is currently
waiting a reasonable amount of time before trying the IKE
negotiation again.
- Level:
- UE-ERROR
- Short Syntax:
- ISEC.005 Disc ipsec_proto
pkt source_ip_address
-> dest_ip_address
: proto doesn't match bundle pol profile_name
. policy_name
, nt Network ID
- Long Syntax:
- ISEC.005 Discarding ipsec_proto
packet source_ip_address
-> dest_ip_address
: IPSec protocol header doesn't match bundle policy profile_name
. policy_name
, net Network ID
- Description:
- This message is displayed when a layer of IPSec encapsulation
(protocol header) fails to match the type or order of protection
specified for the SA bundle upon which it was received.
- Cause:
- The local manual IPSec configuration is out-of-sync with that of
the manual IPSec peer for this SA bundle.
- Action:
- Determine the difference between the remote and local manual IPSec
bundle configurations and configure one end to match the other.
- Cause:
- The transmitting IPSec/IKE peer isn't applying the negotiated
order of encapsulation to packets being transmitted on this SA bundle.
- Action:
- Report the peer IPSec device type to OpenROUTE tech support.
- Level:
- UE-ERROR
- Short Syntax:
- ISEC.006 Disc ipsec_proto
pkt source_ip_address
-> dest_ip_address
: SA doesn't match bundle pol profile_name
. policy_name
, nt Network ID
- Long Syntax:
- ISEC.006 Discarding ipsec_proto
packet source_ip_address
-> dest_ip_address
: matching SA doesn't match bundle policy profile_name
. policy_name
, net Network ID
- Description:
- This message is displayed when an incoming IPSec protocol header
maps to a valid local security association (SA), but that SA
isn't the next SA specified in the SA bundle. This indicates an
SA ordering (config) problem, either at the local or remote end.
- Cause:
- The local manual IPSec configuration is out-of-sync with that of
the sending manual IPSec peer for this SA bundle.
- Action:
- Determine the difference between the remote and local manual IPSec
bundle configurations and configure one end to match the other.
- Cause:
- The transmitting IPSec/IKE peer isn't applying the negotiated
order of encapsulation to packets being transmitted on this SA bundle.
- Action:
- Report the peer IPSec device type to OpenROUTE tech support.
- Level:
- P-TRACE
- Short Syntax:
- ISEC.007 Inb SPD allowed source_ip_address
-> destination_ip_address
- Long Syntax:
- ISEC.007 Inbound SPD allowed forwarding of packet source_ip_address
-> destination_ip_address
- Description:
- This message is generated for each inbound packet forwarded by
IPSec, after having been accepted through the inbound Security
Policy Database (SPD).
- Level:
- CE-ERROR
- Short Syntax:
- ISEC.008 Disc ipsec_prot
/ encr_alg
pkt source_ip_address
-> dest_ip_address
: padLen > SA blkSz, nt Network ID
- Long Syntax:
- ISEC.008 Discarded ipsec_prot
/ encr_alg
packet source_ip_address
-> dest_ip_address
: pad length > SA blockSize, net Network ID
- Description:
- The IPSec ESP encryption protocol cannot anticipate the correct
contents of a decrypted packet payload. If following decryption,
however, the packet's pad length exceeds the size of the encryption
algorithm's block size (eight bytes is a common block size), then
ESP knows that the packet has been corrupted, either due to network
error or by the action of a hostile party on the network, and issues
this warning message.
- Cause:
- A decrypted packet's pad length exceeds the encryption's block size.
- Action:
- May be ignored if modification was due to rare network corruption.
- Cause:
- The sender or receiver's SA encryption key is incorrect.
- Action:
- Fix the encryption key in the out-of-sync peer's SA.
- Cause:
- A denial-of-service attack is underway.
- Action:
- Identify and stop the attacker.
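The pad-length test that ISEC.008 describes, as an added example (not OpenROUTE code). It assumes the usual ESP plaintext layout of data, padding, one pad-length byte and one next-header byte; the function names and the 8-byte default block size are illustrative.

```python
"""Added example: the ISEC.008 sanity check on a decrypted ESP payload."""

ESP_TRAILER_LEN = 2  # pad-length byte + next-header byte end the plaintext


class EspTrailerError(ValueError):
    """The decrypted payload cannot be a valid ESP plaintext: discard it."""


def build_esp_plaintext(payload: bytes, next_header: int, block_size: int = 8) -> bytes:
    """Sender side: pad so that payload + padding + trailer fills whole blocks."""
    pad_len = -(len(payload) + ESP_TRAILER_LEN) % block_size
    padding = bytes(range(1, pad_len + 1))
    return payload + padding + bytes([pad_len, next_header])


def strip_esp_trailer(plaintext: bytes, block_size: int = 8):
    """Receiver side: return (payload, next_header) or raise EspTrailerError."""
    if len(plaintext) < ESP_TRAILER_LEN or len(plaintext) % block_size:
        raise EspTrailerError("decrypted length is not a whole number of blocks")

    pad_len = plaintext[-2]
    next_header = plaintext[-1]

    # The check the message describes: padding larger than one cipher block
    # means the decrypted bytes are garbage (corruption, wrong key, tampering).
    if pad_len > block_size:
        raise EspTrailerError(f"pad length {pad_len} > SA block size {block_size}")
    if pad_len + ESP_TRAILER_LEN > len(plaintext):
        raise EspTrailerError("pad length runs past the start of the payload")

    payload = plaintext[: len(plaintext) - ESP_TRAILER_LEN - pad_len]
    return payload, next_header


def rejected_pad_bytes(block_size: int = 8, length: int = 64) -> int:
    """Count how many of the 256 possible pad-length bytes the check rejects.

    A packet decrypted with the wrong key has an effectively random
    pad-length byte, so this shows how often the check fires in that case.
    """
    rejected = 0
    for value in range(256):
        candidate = bytes(length - ESP_TRAILER_LEN) + bytes([value, 4])
        try:
            strip_esp_trailer(candidate, block_size)
        except EspTrailerError:
            rejected += 1
    return rejected


if __name__ == "__main__":
    good = build_esp_plaintext(b"hello", next_header=6)   # constructed sample
    print(strip_esp_trailer(good))
    print(rejected_pad_bytes(), "of 256 pad-length values are rejected")
```

With an 8-byte block, nine pad-length values (0 through 8) still pass, so the check flags most wrong-key or corrupted packets but is not a substitute for the ICV verification reported by ISEC.002.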
- Level:
- P-TRACE
- Short Syntax:
- ISEC.009 Receiving proto protocol
source_ip_address
-> destination_ip_address
- Long Syntax:
- ISEC.009 IPSec receiving protocol protocol
source_ip_address
-> destination_ip_address
- Description:
- This message is generated for each packet received by IPSec.
- Level:
- UE-ERROR
- Short Syntax:
- ISEC.010 Disc pkt_proto
pkt source_ip_address
-> dest_ip_address
: num SAs disagrees w/bundle pol profile_name
. policy_name
, nt Network ID
- Long Syntax:
- ISEC.010 Discarding pkt_proto
packet source_ip_address
-> dest_ip_address
: num SAs disagrees w/bundle policy profile_name
. policy_name
, net Network ID
- Description:
- This message is displayed when IPSec is decapsulating the IPSec
headers which protect a packet, reaches the first non-IPSec
header, and the number of SAs processed doesn't match the
number of SAs specified in the bundle spec.
- Cause:
- The sending IPSec peer is applying too many or too few IPSec SAs
to the traffic defined for the SA bundle.
- Action:
- Align the SA processing on the remote side with that on the local
side, or vice versa.
- Level:
- UE-ERROR
- Short Syntax:
- ISEC.011 Disc pkt_proto
pkt source_ip_address
-> dest_ip_address
: SA-prot pkt fails policy reqs pol profile_name
. policy_name
, nt Network ID
- Long Syntax:
- ISEC.011 Discarding pkt_proto
packet source_ip_address
-> dest_ip_address
: SA-protected packet fails policy requirements policy profile_name
. policy_name
, net Network ID
- Description:
- This message is displayed when an IPSec packet which passes
through all of the SAs in a bundle is discarded for violating
the bundle's (or policy's) selector (payload type) requirements.
- Cause:
- The sending IPSec peer is transmitting traffic that is not
acceptable to the receiving peer at the policy level.
- Action:
- Reconfigure the peer to stop the offending traffic, reconfigure
the local peer to accept the traffic, or ignore the offence.
- Level:
- UI-ERROR
- Short Syntax:
- ISEC.012 Disc pkt_proto
pkt direction
source_ip_address
: no coproc API struct avail, nt Network ID
- Long Syntax:
- ISEC.012 Discarding pkt_proto
packet direction
source_ip_address
: no cryptographic coprocessor API struct available, net Network ID
- Description:
- No crypto coprocessor API struct was available, either in the
free list or from the memory heap, making the IPSec packet
unprocessable, forcing the packet to be dropped.
- Cause:
- Low memory or high traffic.
- Action:
- Ignore or add memory.
- Level:
- CE-ERROR
- Short Syntax:
- ISEC.013 Disc ipsec_prot
/ auth_alg
out pkt source_ip_address
-> dest_ip_address
: auth seq wrap, nt Network ID
- Long Syntax:
- ISEC.013 Discarding ipsec_prot
/ auth_alg
outbound packet source_ip_address
-> dest_ip_address
: authentication sequence wrapping, net Network ID
- Description:
- Sequence Number may not be incremented past 0xffffffff.
Discarding packet.
- Level:
- CE-ERROR
- Short Syntax:
- ISEC.014 Disc ipsec_prot
/ auth_alg
out pkt source_ip_address
-> dest_ip_address
: auth generation failed, nt Network ID
- Long Syntax:
- ISEC.014 Discarding ipsec_prot
/ auth_alg
outbound packet source_ip_address
-> dest_ip_address
: authentication generation failed, net Network ID
- Description:
- The software failed to generate an authentication for
an outbound packet. Discarding packet.
- Level:
- CE-ERROR
- Short Syntax:
- ISEC.015 Disc pkt_proto
pkt src_ip_address
-> dest_ip_address
: pkt matched DISCARD pol profile_name
. policy_name
, nt Network ID
- Long Syntax:
- ISEC.015 Discarding pkt_proto
packet src_ip_address
-> dest_ip_address
: packet matched DISCARD policy profile_name
. policy_name
, net Network ID
- Description:
- This message is displayed when the IPSec SPD discards a packet
because the configured action for the matching policy was DISCARD.
- Cause:
- The router attempted to send a packet of a particular type to a
destination which the administrator has disallowed via the
DISCARD action in the matching IPSec SPD policy.
- Action:
- Note the presence of unwanted traffic.
- Level:
- CE-ERROR
- Short Syntax:
- ISEC.016 Disc pkt_proto
pkt src_ip_address
-> dest_ip_address
: no matching SPD pol profile_name
. policy_name
, nt Network ID
- Long Syntax:
- ISEC.016 Discarding pkt_proto
packet src_ip_address
-> dest_ip_address
: no matching SPD policy profile_name
. policy_name
, net Network ID
- Description:
- This message is displayed when the IPSec SPD discards a packet
because no matching SPD policy is present to allow passage.
- Cause:
- The router attempted to send a packet of a particular type to a
destination which the administrator has disallowed via the
DISCARD action in the matching IPSec SPD policy.
- Action:
- If the traffic in question should not be discarded, create a new
policy to grant it passage.
- Level:
- UI-ERROR
- Short Syntax:
- ISEC.017 Disc pkt src_ip_address
-> dest_ip_address
: can't alloc SA bundle pol profile_name
. policy_name
- Long Syntax:
- ISEC.017 Discarding packet src_ip_address
-> dest_ip_address
: can't allocate SA bundle structure for policy profile_name
. policy_name
- Description:
- This message is displayed when IPSec must refuse to transmit
an outbound packet due to inadequate heap memory conditions.
- Cause:
- The router's heap is full, preventing an SA bundle structure from
being allocatable.
- Action:
- Increase the amount of available heap memory.
- Level:
- UI-ERROR
- Short Syntax:
- ISEC.018 Disc pkt_proto
pkt src_ip_address
-> dest_ip_address
: IKE refused to create SA, pol profile_name
. policy_name
, nt Network ID
- Long Syntax:
- ISEC.018 Discarding pkt_proto
packet src_ip_address
-> dest_ip_address
: IKE refused to create SA, policy profile_name
. policy_name
, net Network ID
- Description:
- This message is displayed when IKE returns a failure code indicating
the inability to create an SA to the destination peer at this time.
- Cause:
- An internal IKE error occurred, preventing delivery of an SA.
- Action:
- Report to OpenROUTE customer service.
- Level:
- UI-ERROR
- Short Syntax:
- ISEC.019 Attempt to direction
non-existent SA bundle action
IKE peer ike_peer_address
- Long Syntax:
- ISEC.019 Attempt to direction
non-existent SA bundle action
IKE peer ike_peer_address
- Description:
- This message is displayed if IKE issues an add or commit to an
SA bundle that IPSec data structures cannot identify.
- Cause:
- The administrator has deleted an SPD policy that had one or more
bundles awaiting remote completion.
- Action:
- Ignore if the above cause is in effect.
- Cause:
- An internal IKE or IPSec error occurred.
- Action:
- Report to OpenROUTE customer service.
- Level:
- CE-ERROR
- Short Syntax:
- ISEC.020 in_pol= policy_profile
. policy_name
DROP ( policyAction
) prt= protocol
src_ip
-> dst_ip
ports= src_port
-> dst_port
nt Network ID
- Long Syntax:
- ISEC.020 Inbound_policy= policy_profile
. policy_name
DROP ( policyAction
) protocol= protocol
src_ip
-> dst_ip
ports= src_port
-> dst_port
net Network ID
- Description:
- This message traces the result of inbound IPSec policy lookups.
The lookup was unsuccessful. Packet discarded.
NoMatch means that the packet matched no rule, but since
the default rule is discard, the packet is still discarded.
Protect means that a packet arrived that should have been
encrypted but was not.
Ports values are meaningful only if the protocol is TCP or UDP.
Policy name is "no.match" if the packet matched no policy.
- Level:
- UI-ERROR
- Short Syntax:
- ISEC.021 Drop pkt src_ip_address
-> dest_ip_address
: reason
, nt Network ID
- Long Syntax:
- ISEC.021 Drop packet src_ip_address
-> dest_ip_address
: reason
, net Network ID
- Description:
- This message is displayed if a packet will be dropped due to the
specified reason.
- Action:
- Report to OpenROUTE customer service.
- Level:
- UE-ERROR
- Short Syntax:
- ISEC.022 IKE bundle pol profile_name
. policy_name
offer from peer ike_peer_address
contains no SAs: ignoring
- Long Syntax:
- ISEC.022 IKE bundle policy profile_name
. policy_name
offer from peer ike_peer_address
contains no SAs: ignoring
- Description:
- This message is displayed if IKE passes IPSec an SA bundle
offer that is empty, i.e. contains no SAs.
- Cause:
- IKE protocol error.
- Action:
- Report to OpenROUTE customer service, along with peer router type.
- Level:
- C-INFO
- Short Syntax:
- ISEC.023 direction
SA prot protocol_id
is in the ' state
' state
- Long Syntax:
- ISEC.023 direction
SA protocol protocol_id
has reached the ' state
' state
- Description:
- An SA (in the stated direction) has reached the indicated
state.
- Level:
- UI-ERROR
- Short Syntax:
- ISEC.024 Disc ipsec_proto
pkt src_ip_address
-> dest_ip_address
: SA missing from bundle pol profile_name
. policy_name
, nt Network ID
- Long Syntax:
- ISEC.024 Discarding ipsec_proto
packet src_ip_address
-> dest_ip_address
: SA missing from bundle policy profile_name
. policy_name
, net Network ID
- Description:
- This message is displayed when IPSec begins to transmit a packet
onto an SA within a bundle, and the nth SA in the bundle isn't present.
- Cause:
- Internal error.
- Action:
- Report to OpenROUTE customer support.
- Level:
- P-TRACE
- Short Syntax:
- ISEC.025 Slow-path input ipsec_proto
src_ip_address
-> dest_ip_address
, nt Network ID
- Long Syntax:
- ISEC.025 Slow-path input ipsec_proto
src_ip_address
-> dest_ip_address
, nt Network ID
- Description:
- This message exists solely for tracing the frequency of
slow-path operation.
- Cause:
- Normal slow-path operation.
- Action:
- None
- Level:
- UE-ERROR
- Short Syntax:
- ISEC.026 Disc slow IPSec ipsec_proto
input src_ip_address
-> dest_ip_address
: IPSec not enabled on nt Network ID
- Long Syntax:
- ISEC.026 Discarded slow IPSec ipsec_proto
input src_ip_address
-> dest_ip_address
: IPSec not enabled on nt Network ID
- Description:
- This message traces LOCALLY-DESTINED IPSec packets discarded for lack
of an IPSec interface.
- Cause:
- Arrival of non-configured traffic.
- Action:
- Enable IPSec if present and desired.
- Level:
- C-INFO
- Short Syntax:
- ISEC.027 direction
Bndl profile_name
. policy_name
State Chng ' old_state
' -> ' new_state
'
- Long Syntax:
- ISEC.027 direction
Bundle profile_name
. policy_name
State Change ' old_state
' -> ' new_state
'
- Description:
- This message traces changes in the IPSec Bundle State.
- Level:
- C-TRACE
- Short Syntax:
- ISEC.028 MATCH IKE ( peer_ip_address
-> your_ip_address
) proposal: sa= src_addressing
da= dst_addressing
prt= protocol
sp= src_port
dp= dst_port
- Long Syntax:
- ISEC.028 MATCH IKE ( peer_ip_address
-> your_ip_address
) proposal: sa= src_addressing
da= dst_addressing
prt= protocol
sp= src_port
dp= dst_port
- Description:
- A Phase 2 proposal has been received and
has successfully matched the addressing in a policy in our
inbound Policy Database.
The addressing information is displayed.
Special addressing values are:
0 for protocol means any protocol.
0 for port means any port.
0.0.0.0&0.0.0.0 for an address means any IP address.
Like the Policies, source and destination displayed
are from an inbound packet's point of view.
- Level:
- UI-ERROR
- Short Syntax:
- ISEC.029 IKE added too many SAs: reclaiming SA bundle pol profile_name
. policy_name
: nt Network ID
- Long Syntax:
- ISEC.029 IKE added too many SAs: reclaiming SA bundle policy profile_name
. policy_name
: net Network ID
- Description:
- This message indicates that IKE tried to add more SAs to an
IPSec SA bundle than IPSec is configured to allow.
- Cause:
- Internal error.
- Action:
- Inform OpenROUTE technical support.
- Level:
- UI-ERROR
- Short Syntax:
- ISEC.030 Can't alloc SA and key/IV/history space: bndl pol profile_name
. policy_name
, nt Network ID
- Long Syntax:
- ISEC.030 Can't alloc SA and key/IV/history space: bundle policy profile_name
. policy_name
, net Network ID
- Description:
- Router heap memory was unavailable when IPSec tried to allocate buffer
space for an SA and its authentication or encryption key and IV space.
- Cause:
- Memory utilization too high.
- Action:
- Take steps to conserve router heap memory.
- Level:
- CE-ERROR
- Short Syntax:
- ISEC.031 MISMATCH IKE ( peer_ip_address
-> your_ip_address
) proposal: sa= src_addressing
da= dst_addressing
prt= protocol
sp= src_port
dp= dst_port
- Long Syntax:
- ISEC.031 MISMATCH IKE ( peer_ip_address
-> your_ip_address
) proposal: sa= src_addressing
da= dst_addressing
prt= protocol
sp= src_port
dp= dst_port
- Description:
- Same as ISEC_28, but not successful.
Like the Policies, source and destination displayed
are from an inbound packet's point of view.
- Cause:
- In the configuration that relates to the peer,
the peer's addressing configuration should be a
mirror image of yours.
- Action:
- Compare your configuration to the peer's.
Verify rules for source address, destination address, protocol,
source port, destination port. Any specific source/destination
rules should be reversed between you and your peer.
- Level:
- UI-ERROR
- Short Syntax:
- ISEC.032 No compress buf avail, sending pkt uncompressed source_ip_address
-> dest_ip_address
, nt Network ID
- Long Syntax:
- ISEC.032 No compression buffer available, sending packet uncompressed source_ip_address
-> dest_ip_address
, net Network ID
- Description:
- This message is displayed when IPSec attempts to obtain a buffer
into which an IPComp packet can be compressed, and none is available.
- Cause:
- Saturation of available I/O buffers.
- Action:
- Increase the number of global buffers allocated within the router,
if feasible.
- Level:
- UE-ERROR
- Short Syntax:
- ISEC.033 comp_alg
compress failed on pkt src_ip_address
-> dest_ip_address
: sent uncompressed, net Network ID
- Long Syntax:
- ISEC.033 comp_alg
compression failed on packet src_ip_address
-> dest_ip_address
: sent uncompressed, net Network ID
- Description:
- This message is displayed when IPComp compresses a packet
and the compression operation fails to complete successfully.
- Cause:
- A network packet failed to compress correctly.
- Action:
- None.
- Level:
- UE-ERROR
- Short Syntax:
- ISEC.034 protocol
SA seqNum would wrap, can't send: bndl pol profile_name
. policy_name
src_addr
direction
peer_addr
: nt Network ID
- Long Syntax:
- ISEC.034 protocol
SA seqNum would wrap, can't send: bundle policy profile_name
. policy_name
src_addr
direction
peer_addr
: net Network ID
- Description:
- This message is displayed when too many (2^32) packets have been
sent on an SA. IPSec is not allowed to send more than (2^32)
packets on the SA, so the entire bundle is torn down.
- Cause:
- Administrator failed to replace the SA bundle before it expired.
- Action:
- Replace the SA bundle with fresh keying material and SPIs.
- Level:
- P-TRACE
- Short Syntax:
- ISEC.035 IPSec dsbld on nt Network ID
. Pkt snt to IP
- Long Syntax:
- ISEC.035 IPSec is disabled on net Network ID
. Packet will be sent to IP.
- Description:
- This message is generated for each packet received on an IPSec
disabled interface.
- Level:
- UI-ERROR
- Short Syntax:
- ISEC.036 IP unadded_address
not added to IPSec intf: max_addresses
addrs bound: nt Network ID
- Long Syntax:
- ISEC.036 IP unadded_address
not added to IPSec interface: max_addresses
addresses already bound: nt Network ID
- Description:
- A fixed number of local IP addresses may be bound to an IPSec
interface. This message is displayed if that limit is exceeded
in the user's configuration.
- Cause:
- The user has configured more than the maximum number of
assignable IP addresses to the IPSec interface, and the
specified address was unable to bind.
- Action:
- Reduce the number of local addresses configured on the IPSec interface.
- Level:
- CE-ERROR
- Short Syntax:
- ISEC.037 Disc ipsec_prot
/ encr_alg
pkt src_ip_address
-> dest_ip_address
: encryption failed, nt Network ID
- Long Syntax:
- ISEC.037 Discarding ipsec_prot
/ encr_alg
packet src_ip_address
-> dest_ip_address
: encryption failed, net Network ID
- Description:
- Coprocessor-based decryption of the packet failed.
- Cause:
- Unknown.
- Action:
- May be ignored if modification was due to rare network corruption.
- Level:
- UI-ERROR
- Short Syntax:
- ISEC.038 Disc ipsec_proto
pkt source_ip_address
-> dest_ip_address
: no decompress buf avail pol profile_name
. policy_name
, nt Network ID
- Long Syntax:
- ISEC.038 Discarding ipsec_proto
packet source_ip_address
-> dest_ip_address
, no decompression buffer available policy profile_name
. policy_name
, net Network ID
- Description:
- This message is displayed when IPSec attempts to obtain a buffer
into which an IPComp packet can be decompressed, and the packet
must be discarded due to lack of available buffers.
- Cause:
- Saturation of available I/O buffers.
- Action:
- Increase the number of global buffers allocated within the router.
- Level:
- C-INFO
- Short Syntax:
- ISEC.039 Destroy SA: SPI spi
Dest IP Adr dest_ip_addr
Prot sec_protocol
- Long Syntax:
- ISEC.039 Destroying SA identified by SPI spi
Destination IP Address dest_ip_addr
Security Protocol sec_protocol
- Description:
- The identified SA is being destroyed. This will usually occur when
a bundle is being destroyed.
- Level:
- P-TRACE
- Short Syntax:
- ISEC.040 Rcvd ICMP PMTU mtu= ICMP_PMTU_value
source_ip_address
-> destination_ip_address
- Long Syntax:
- ISEC.040 Received an ICMP PMTU message ICMP_PMTU_value
source_ip_address
-> destination_ip_address
- Description:
- The router received an ICMP Path MTU "too big" message (RFC 1191),
indicating that a packet sent was too big and was unable to be
fragmented for some reason. The "source" IP address indicates the
router whose next hop MTU is too small for the packet.
- Level:
- P-TRACE
- Short Syntax:
- ISEC.041 Bndl pol prof_name
. pol_name
PMTU excd, pkt drpd, pmtu= pmtu_value
pkt= iorb_ibreq
src_address
-> dest_address
- Long Syntax:
- ISEC.041 Bundle policy prof_name
. pol_name
PMTU value exceeded pmtu_value
iorb_ibreq
for packet src_address
-> dest_address
- Description:
- The router is trying to send an IPSec packet which exceeds the stored
PMTU value for the associated bundle. Packet is dropped, and an ICMP
PMTU packet is sent back to the source IP address.
- Level:
- P-TRACE
- Short Syntax:
- ISEC.042 Sending proto protocol
source_ip_address
-> destination_ip_address
- Long Syntax:
- ISEC.042 IPSec sending protocol protocol
source_ip_address
-> destination_ip_address
- Description:
- This message is generated for non-IPSec packets sent by IPSec.
ISEC_53 reports IPSec packets.
- Level:
- C-INFO
- Short Syntax:
- ISEC.043 Add IPSec addr ip_address
on Network ID
- Long Syntax:
- ISEC.043 Add IPSec address ip_address
on nt Network ID
- Description:
- The displayed address is now recognized by IPSec as a
valid address to receive IPSec-encrypted traffic on this interface.
These messages occur when IP comes up on an interface.
- Level:
- P-TRACE
- Short Syntax:
- ISEC.044 in_pol= policy_profile
. policy_name
( policyAction
) prot= protocol
src_ip
-> dst_ip
ports= src_port
-> dst_port
nt Network ID
- Long Syntax:
- ISEC.044 Inbound_policy= policy_profile
. policy_name
( policyAction
) protocol= protocol
src_ip
-> dst_ip
ports= src_port
-> dst_port
net Network ID
- Description:
- This message traces the result of inbound IPSec policy lookups.
The lookup was successful. Packet passed.
Ports values are meaningful only if the protocol is TCP or UDP.
- Level:
- C-INFO
- Short Syntax:
- ISEC.045 direction
SA bundle freed, rsn= reason
( fromPeerAddress
-> toPeerAddress
) pol= profile_name
. policy_name
, nt Network ID
- Long Syntax:
- ISEC.045 direction
SA bundle freed, reason= reason
( fromPeerAddress
-> toPeerAddress
) policy= profile_name
. policy_name
net Network ID
- Description:
- An SA bundle is being freed for the displayed reason.
The Peer IP addresses are given. The associated policy is given.
- Level:
- CE-ERROR
- Short Syntax:
- ISEC.046 Can't send over expired SA bundle pol profile_name
. policy_name
, peer peerAddress
, nt Network ID
- Long Syntax:
- ISEC.046 Can't send traffic over expired SA bundle policy profile_name
. policy_name
, peer peerAddress
, net Network ID
- Description:
- A manual (static) SA bundle has expired and has been destroyed.
This message displays for every packet which the router attempts
to send on the non-existent SA bundle.
- Level:
- CI-ERROR
- Short Syntax:
- ISEC.047 alloc fld, routineOrBlockName
, size size
- Long Syntax:
- ISEC.047 alloc failed, routineOrBlockName
, size size
- Description:
- Failed to allocate memory of the specified size for the specified
data structure or in the specified routine.
- Level:
- CE-ERROR
- Short Syntax:
- ISEC.048 replay check failed for AH/ESP
seq curSeq
peerIPAddr
-> destIPAddr
, last seq lastSeq
- Long Syntax:
- ISEC.048 replay check failed for AH/ESP
seq curSeq
peerIPAddr
-> destIPAddr
, last highest seq lastSeq
- Description:
- We have received a sequence number that was previously seen by us
from the specified peer. Hence we do not accept the packet for it
may have been replayed to us by an imposter, or it could be a
duplicate.
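The sequence-number rules behind ISEC.013, ISEC.034 and ISEC.048, as an added example (not OpenROUTE code). The page only says that previously seen numbers are rejected and that the counter may not pass 0xffffffff; the 64-packet sliding window and all class names here are assumptions.

```python
"""Added example: outbound sequence-number exhaustion and inbound replay check."""

SEQ_MAX = 0xFFFFFFFF
WINDOW = 64  # assumed anti-replay window size; the page does not state one


class SequenceWrap(Exception):
    """Outbound counter exhausted: the SA bundle must be replaced."""


class OutboundSA:
    def __init__(self, start: int = 0):
        self.seq = start  # last sequence number sent on this SA

    def next_seq(self) -> int:
        # ISEC.013 / ISEC.034: never increment past 0xffffffff; refuse to send.
        if self.seq >= SEQ_MAX:
            raise SequenceWrap("sequence number would wrap past 0xffffffff")
        self.seq += 1
        return self.seq


class InboundSA:
    def __init__(self):
        self.last_seq = 0  # highest sequence number accepted ("last highest seq")
        self.bitmap = 0    # bit i set means (last_seq - i) was already accepted

    def check_and_update(self, seq: int) -> bool:
        """Return True to accept the packet, False to discard it (ISEC.048).

        Intended to run only for packets whose ICV has already verified,
        so a forged packet cannot move the window.
        """
        if seq == 0 or seq > SEQ_MAX:
            return False
        if seq > self.last_seq:                 # new highest: slide the window
            shift = seq - self.last_seq
            if shift >= WINDOW:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.last_seq = seq
            return True
        offset = self.last_seq - seq
        if offset >= WINDOW:                    # older than the window: reject
            return False
        if self.bitmap & (1 << offset):         # already seen: replay or duplicate
            return False
        self.bitmap |= 1 << offset              # late but new: accept and mark
        return True


def replay_demo():
    """Run a constructed arrival order through the inbound check."""
    sa = InboundSA()
    arrivals = [1, 2, 3, 5, 4, 3, 100, 36, 37, 100]  # constructed sample
    return [sa.check_and_update(s) for s in arrivals]


def wrap_demo():
    """Send the last permitted packet, then show that the next one is refused."""
    sa = OutboundSA(start=SEQ_MAX - 1)
    last = sa.next_seq()
    try:
        sa.next_seq()
    except SequenceWrap:
        return last, True
    return last, False


if __name__ == "__main__":
    print(replay_demo())
    print(wrap_demo())
```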
- Level:
- C-INFO
- Short Syntax:
- ISEC.049 Compressed pkt no smaller, sending uncompr src_ip_address
-> dest_ip_address
, nt Network ID
- Long Syntax:
- ISEC.049 Compressed packet no smaller, sending uncompressed src_ip_address
-> dest_ip_address
, net Network ID
- Description:
- This message is displayed when IPComp compresses a packet without
error, but the resulting packet is larger than the original --
at least once a 4-byte IPComp header has been inserted.
- Cause:
- Either the data was not compressible or the packet was smallish.
- Action:
- None.
- Level:
- P-TRACE
- Short Syntax:
- ISEC.050 Mismatch- paramName
: init= initiatorValue
, resp= responderValue
(prop# responderPropNum
), nt Network ID
- Long Syntax:
- ISEC.050 Mismatch- paramName
: init= initiatorValue
, resp= responderValue
(proprosal# responderPropNum
), nt Network ID
- Description:
- This message traces local evaluation of IPSec SA bundle proposals
received from remote IKE peers. Though verbose, it does fully
detail the parameters about which the peers agree or disagree.
- Cause:
- IKE has received an IPSec SA bundle proposal from a remote IKE peer
and has passed it down to the IPSec policy engine for evaluation.
- Action:
- If the peers fail to converge, use the parameter information
provided by this message to adjust the mismatching parameter(s)
so that convergence and communication can be achieved.
- Level:
- P-TRACE
- Short Syntax:
- ISEC.051 Mismatch- paramName
: init= initatorValue
, resp= responderValue
(prop# responderPropNum
), nt Network ID
- Long Syntax:
- ISEC.051 Mismatch- paramName
: init= initatorValue
, resp= responderValue
(prop# responderPropNum
), nt Network ID
- Description:
- This message traces local evaluation of IPSec SA bundle proposals
received from remote IKE peers. Though verbose, it does fully
detail the parameters about which the peers agree or disagree.
- Cause:
- IKE has received an IPSec SA bundle proposal from a remote IKE peer
and has passed it down to the IPSec policy engine for evaluation.
- Action:
- If the peers fail to converge, use the parameter information
provided by this message to adjust the mismatching parameter(s)
so that convergence and communication can be achieved.
- Level:
- C-INFO
- Short Syntax:
- ISEC.052 IPSec old_state
-> new_state
on nt Network ID
- Long Syntax:
- ISEC.052 IPSec old_state
-> new_state
on net Network ID
- Description:
- This message reports IPSec state transitions on an interface.
Note that unless the "save" command is issued in T5, the change
in IPSec status on the interface will not persist when the
router is next booted.
- Cause:
- The user altered the state of IPSec on the interface in T5.
- Action:
- None.
- Level:
- P-TRACE
- Short Syntax:
- ISEC.053 Sending protocol_string
encap pkt source_ip_address
-> destination_ip_address
- Long Syntax:
- ISEC.053 Sending protocol_string
encapsulated packet source_ip_address
-> destination_ip_address
- Description:
- This message is generated for IPSec packets sent by IPSec.
ISEC_42 reports non-IPSec packets.
- Level:
- P-TRACE
- Short Syntax:
- ISEC.054 Rcvd pkt had protocol_string
encap
- Long Syntax:
- ISEC.054 Received packet had protocol_string
encapsulation
- Description:
- This message reports the IPSec encapsulation of the packet whose
receipt was reported in ISEC_9.
- Level:
- CE-ERROR
- Short Syntax:
- ISEC.055 rw profile profile_name
for peer peer_name
not attached or empty
- Long Syntax:
- ISEC.055 roadwarrior profile profile_name
for peer peer_name
is not attached or is empty
- Description:
- This message is displayed to indicate that the roadwarrior profile
is not attached to the interface or the roadwarrior profile
has no policies. This effectively blocks the roadwarrior connection
since no dynamic policies can be instantiated until
the roadwarrior profile template policies are located on the interface.
- Cause:
- The roadwarrior profile is not attached to the interface.
- Action:
- Attach the profile to the interface.
- Action:
- None. The administrator may have purposely not attached the
profile to block IPSec roadwarrior access on
this specific router interface.
- Cause:
- The roadwarrior policy is attached to the interface, but
has no policies defined.
- Action:
- Add a policy to the profile.
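A triage pass over ISEC discard messages, as an added example (not part of the original reference or any OpenROUTE tool). It separates a single discard, which the Actions above say may be ignored as rare corruption, from repeated discards from one source, where the remaining listed causes apply. The sample lines are constructed from the short syntaxes above (algorithm names and network IDs are made up), and the repeat threshold of 3 is an assumption.

```python
"""Added example: group ISEC discard messages by source and list causes to check."""
import re
from collections import Counter

# Causes as listed on this page for each message.
PAGE_CAUSES = {
    "ISEC.002": ("packet modified in transit",
                 "denial-of-service attack",
                 "SA lifetime out of sync with peer"),
    "ISEC.008": ("pad length exceeds block size (corruption)",
                 "SA encryption key incorrect",
                 "denial-of-service attack"),
    "ISEC.048": ("replayed packet", "duplicate packet"),
}

REPEAT_THRESHOLD = 3  # assumed cut-off between "isolated" and "repeated"

MSG_RE = re.compile(r"\b(ISEC\.\d{3})\b")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FLOW_RE = re.compile(rf"({IPV4})\s*->\s*({IPV4})")

# Constructed sample log lines, not captured from a router.
SAMPLE_LOG = [
    "ISEC.002 Disc ESP/HMAC-MD5 pkt 203.0.113.7 -> 198.51.100.1: auth sig failed, nt 0",
    "ISEC.002 Disc ESP/HMAC-MD5 pkt 203.0.113.7 -> 198.51.100.1: auth sig failed, nt 0",
    "ISEC.007 Inb SPD allowed 192.0.2.9 -> 198.51.100.1",
    "ISEC.002 Disc AH/HMAC-SHA pkt 192.0.2.44 -> 198.51.100.1: auth sig failed, nt 0",
    "ISEC.008 Disc ESP/3DES pkt 192.0.2.9 -> 198.51.100.1: padLen > SA blkSz, nt 0",
    "ISEC.002 Disc ESP/HMAC-MD5 pkt 203.0.113.7 -> 198.51.100.1: auth sig failed, nt 0",
    "ISEC.008 Disc ESP/3DES pkt 192.0.2.9 -> 198.51.100.1: padLen > SA blkSz, nt 0",
    "ISEC.048 replay check failed for ESP seq 1042 203.0.113.7 -> 198.51.100.1, last seq 2210",
    "ISEC.008 Disc ESP/3DES pkt 192.0.2.9 -> 198.51.100.1: padLen > SA blkSz, nt 0",
    "ISEC.002 Disc ESP/HMAC-MD5 pkt 203.0.113.7 -> 198.51.100.1: auth sig failed, nt 0",
]


def parse_line(line: str):
    """Return (message id, source, destination) or None if the line has no flow."""
    msg = MSG_RE.search(line)
    flow = FLOW_RE.search(line)
    if not msg or not flow:
        return None
    return msg.group(1), flow.group(1), flow.group(2)


def triage(lines, threshold: int = REPEAT_THRESHOLD):
    """Count tracked discard messages per (message, source) and label each group."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] in PAGE_CAUSES:
            counts[(parsed[0], parsed[1])] += 1

    findings = []
    for (msg_id, src), n in sorted(counts.items()):
        findings.append({
            "msg": msg_id,
            "src": src,
            "count": n,
            "verdict": "repeated" if n >= threshold else "isolated",
            "causes_to_check": PAGE_CAUSES[msg_id],
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['msg']} from {f['src']}: {f['count']}x, {f['verdict']}; "
              f"check: {', '.join(f['causes_to_check'])}")
```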