ELS Messages for Simple Key Interchange Protocol (SKIP) Subsystem
- Level:
- UI-ERROR
- Short Syntax:
- SKIP.001 Too many encaps, drop pkt
- Long Syntax:
- SKIP.001 Too many encapsulations, dropping packet
- Description:
- The tunnel header can not be prepended to the packet due to
insufficient header space.
- Cause:
- The packet is passing through multiple tunnels.
- Action:
- Reconfigure to guarantee packets only pass through one tunnel.
- Level:
- UI-ERROR
- Short Syntax:
- SKIP.002 Missing alg, rfsd conn req, dest name
- Long Syntax:
- SKIP.002 Missing algorithm, refusing connection request, destination name
- Description:
- An encryption or signature algorithm selected by the router
configuration is not available in the currently executing
software. The router refuses to pass packets to the specified
destination until the problem is corrected.
- Cause:
- The executing router software does not support the encryption
or signature algorithms selected by the configuration.
- Action:
- Execute a different version of router software or reconfigure
this destination to use encryption and signature algorithms which
are available.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.003 Unrecog ver= Version, dest name
- Long Syntax:
- SKIP.003 Unrecognized version= Version, destination name
- Description:
- A SKIP packet has a different revision than that supported
by the router. The router supports SKIP version 1.0.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.004 Unrecog type alg, ID= identifier, dest name
- Long Syntax:
- SKIP.004 Unrecognized type algorithm, ID= identifier, destination name
- Description:
- A SKIP packet from the named remote destination is requesting
an unsupported encryption or authentication algorithm.
- Action:
- Execute a different version of router software or reconfigure
the named remote system.
- Level:
- C-INFO
- Short Syntax:
- SKIP.005 Remote dest name rekeyed
- Long Syntax:
- SKIP.005 Remote destination name rekeyed
- Description:
- SKIP periodically changes the bulk encryption and authentication
secret keys. This event notes the remote router has just changed
the keys which are being used for output packets.
- Action:
- None. This message is just informational.
- Level:
- C-INFO
- Short Syntax:
- SKIP.006 Rekeying, dest name
- Long Syntax:
- SKIP.006 Rekeying, destination name
- Description:
- SKIP periodically changes the bulk encryption and authentication
secret keys. This event notes the local router has just changed
the keys which are being used for output packets.
- Action:
- None. This message is just informational.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.007 Unrecog SPI identifier from name
- Long Syntax:
- SKIP.007 Unrecognized Security Parameter Index identifier from name
- Description:
- A SKIP packet was received with an invalid Security Parameter
Index. The only valid value is 1. The packet is discarded.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.008 Invalid auth sig len bad, expect good, from name
- Long Syntax:
- SKIP.008 Invalid authentication signature length bad, expected good, from name
- Description:
- A SKIP packet was received with an invalid signature length.
The packet is discarded.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.009 Invalid auth sig from name
- Long Syntax:
- SKIP.009 Invalid authentication signature from name
- Description:
- A SKIP packet was received with an invalid signature.
The packet is discarded.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.010 Decrypt Err from name
- Long Syntax:
- SKIP.010 Decryption Error from name
- Description:
- The decryption of an inbound SKIP packet failed.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.011 Unk payload prot protocol from name
- Long Syntax:
- SKIP.011 Unknown payload protocol protocol from name
- Description:
- The data within the SKIP packet is identified by an unknown
protocol number.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.012 Unauth pkt rcvd and dropped from name
- Long Syntax:
- SKIP.012 Unauthenticated packet received and dropped from name
- Description:
- This remote peer is configured to require authentication on all
incoming packets. A packet was received which was not authenticated;
therefore it was discarded.
- Level:
- C-INFO
- Short Syntax:
- SKIP.013 Chg flow name, mstr= ID, bulk= ID, auth= ID, comp= ID, N= replay time stamp
- Long Syntax:
- SKIP.013 Changed flow from name, master= ID, bulk= ID, auth= ID, comp= ID, N= replay time stamp
- Description:
- The remote router can change the type of algorithm used for
computing the master key, bulk encryption, or authentication.
This message announces a change was detected in the current
packet (as compared to the previous SKIP packet).
- Action:
- None. This message is just informational.
- Level:
- UI-ERROR
- Short Syntax:
- SKIP.014 All tnl slots full, refuse con req to dest name
- Long Syntax:
- SKIP.014 All tunnel slots are full, refusing connection req to destination name
- Description:
- The number of simultaneously connected remote endpoints has
reached its configured limit. Additional connection requests
must be refused.
- Action:
- Increase the number of simultaneous endpoints via the Tunnel
configuration commands.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.015 No SKIP name in pkt
- Long Syntax:
- SKIP.015 No SKIP Name in packet
- Description:
- The IP Tunnel sends all unrecognized packets to
the SKIP module. If the packet is NOT a SKIP packet, or if that packet
contains no SKIP name, then the packet must be dropped because its
source (the sender) can not be identified.
- Action:
- Check the configuration of the sender to verify it is including
a local name (source name) which can be used to identify its
data packets.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.016 Incorrect Time Stamp, sb= date/time, was= date/time, from name
- Long Syntax:
- SKIP.016 Incorrect Time Stamp, should-be= date/time, was= date/time, from name
- Description:
- A SKIP packet from the named remote destination contained
an invalid value for the anti-replay time stamp, 'N'. The
expected time (sb) and actual time value received (was) are
displayed in the message.
- Action:
- Check the time settings on both systems to verify their
clocks are set correctly. Make sure each is using Greenwich
Mean Time to generate their 'N' value.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.017 Unrecog Source Name value/ID
- Long Syntax:
- SKIP.017 Unrecognized Source Name value/ID
- Description:
- A SKIP packet received from an unrecognized source (based on
its source IP address) also contained an unrecognized SKIP
source name and ID. The 'name' contained in the packet is
displayed in the message.
- Action:
- Check the configuration on the remote and the local systems
to verify the names are configured identically.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.018 Session from destination rfsd, auth err 'message'
- Long Syntax:
- SKIP.018 Session from destination refused, authorization error 'message'
- Description:
- An incoming SKIP packet which is opening a new communications
session has been refused due to an authorization error.
- Action:
- Check the configuration of the interface designated to
accept packets from the specified destination.
- Level:
- UI-ERROR
- Short Syntax:
- SKIP.019 Session from destination rfsd, conn err 'message'
- Long Syntax:
- SKIP.019 Session from destination refused, connect error 'message'
- Description:
- An incoming SKIP packet which is opening a new communications
session has been refused due to the specified error when
a link was attempted between the SKIP layer and the IP-TUNNEL
layer of the protocol stack.
- Action:
- Contact Customer Service.
- Level:
- UI-ERROR
- Short Syntax:
- SKIP.020 Session from destination rfsd, conn err 'message'
- Long Syntax:
- SKIP.020 Session from destination refused, connect error 'message'
- Description:
- An incoming SKIP packet which is opening a new communications
session has been refused due to the specified error when
a link was attempted between the SKIP layer and the layer
above SKIP in the protocol stack.
- Action:
- Contact Customer Service.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.021 Inv CDP Pkt rcvd from IP Address
- Long Syntax:
- SKIP.021 Invalid Certificate Discovery Protocol Packet received from IP Address
- Description:
- A remote router or client transmitted an improperly formatted
Certificate Discovery Protocol packet. The packet is dropped.
- Action:
- Contact Customer Service. Check the version of the remote product.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.022 Inv CDP action (type) rcvd from IP Address
- Long Syntax:
- SKIP.022 Invalid Certificate Discovery Protocol action (type) received from IP Address
- Description:
- A remote router or client transmitted a Certificate Discovery
Protocol packet which requested an operation which is incorrect
for the UDP port used to send the packet. The packet is dropped.
- Action:
- Check the remote software; it may have a bug. Contact Customer
Service.
- Level:
- C-INFO
- Short Syntax:
- SKIP.023 CDP GET SKIP Name rcvd from IP Address
- Long Syntax:
- SKIP.023 Certificate Discovery Protocol GET SKIP Name received from IP Address
- Description:
- A remote router or client transmitted a Certificate Discovery
Protocol GET packet to learn the local router's public key.
The SKIP name (and type) whose certificate is needed is displayed.
- Action:
- None, this message is informational.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.024 CDP PUT from IP Address refused
- Long Syntax:
- SKIP.024 Certificate Discovery Protocol PUT received from IP Address refused
- Description:
- Certificate PUT's (writes) from remote sites are not supported.
- Action:
- Examine the remote site software and reconfigure it to not
issue PUT requests.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.025 CDP GET rejected; no matching certificates
- Long Syntax:
- SKIP.025 Certificate Discovery Protocol GET rejected, no matching certificates
- Description:
- No certificates are available in the local router which match
the SKIP name included in the CDP request.
- Action:
- Verify certificates have been created in the local router
by using the LIST CERTIFICATE and ADD CERTIFICATE commands.
Also verify the remote router has the correct REMOTE-NAME
for the SKIP session which connects to the local router.
That name must be the Name/Hash value displayed by the
LIST CERTIFICATE command on the local router.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.026 Unexpected CDP Pkt rcvd from IP Address
- Long Syntax:
- SKIP.026 Unexpected Certificate Discovery Protocol Packet received from IP Address
- Description:
- A remote router or client transmitted a CDP response packet
when no CDP request was pending.
- Action:
- This rarely occurs when two CDP response packets are received
when just one was expected. This is acceptable. If this error
is reported frequently then the station at the IP address
listed in the event is actively attacking the local router.
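The SKIP.026 guidance above separates an isolated duplicate response from a sustained stream from one address. A way to apply that distinction to collected event logs, as an added Python example (not part of the router software): the timestamp prefix on each line, the threshold and the window are assumptions, since the page does not define "frequently".

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The message text is the short syntax listed on this
# page; the ISO timestamp prefix, names and addresses are assumptions.
SAMPLE_LOG = """\
2024-01-01T10:00:00 SKIP.029 CDP Query name router-b to 192.0.2.10
2024-01-01T10:00:01 SKIP.027 CDP Response Pkt rcvd from 192.0.2.10
2024-01-01T10:00:01 SKIP.026 Unexpected CDP Pkt rcvd from 192.0.2.10
2024-01-01T10:02:00 SKIP.026 Unexpected CDP Pkt rcvd from 203.0.113.5
2024-01-01T10:05:00 SKIP.026 Unexpected CDP Pkt rcvd from 198.51.100.7
2024-01-01T10:05:05 SKIP.026 Unexpected CDP Pkt rcvd from 198.51.100.7
2024-01-01T10:05:10 SKIP.026 Unexpected CDP Pkt rcvd from 198.51.100.7
2024-01-01T10:05:15 SKIP.026 Unexpected CDP Pkt rcvd from 198.51.100.7
2024-01-01T10:05:20 SKIP.026 Unexpected CDP Pkt rcvd from 198.51.100.7
2024-01-01T10:05:25 SKIP.026 Unexpected CDP Pkt rcvd from 198.51.100.7
2024-01-01T10:12:00 SKIP.026 Unexpected CDP Pkt rcvd from 203.0.113.5
2024-01-01T10:22:00 SKIP.026 Unexpected CDP Pkt rcvd from 203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+SKIP\.026 Unexpected CDP Pkt rcvd from (?P<ip>\S+)\s*$"
)


def flag_cdp_floods(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: peak_count} for every source that produced at least
    `threshold` SKIP.026 events inside one sliding `window`.

    Lines must be in time order. Sources that never reach the threshold
    (the occasional duplicate response) are not reported.
    """
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peaks = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # other SKIP events are ignored here
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue              # unparsable timestamp: skip the line
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # expire events older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks


if __name__ == "__main__":
    for ip, count in flag_cdp_floods(SAMPLE_LOG).items():
        print(f"{ip}: {count} unexpected CDP responses within one minute")
```
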
- Level:
- C-INFO
- Short Syntax:
- SKIP.027 CDP Response Pkt rcvd from IP Address
- Long Syntax:
- SKIP.027 Certificate Discovery Protocol Response Packet received from IP Address
- Description:
- The local router has received a CDP response in reply to
one of its earlier CDP queries.
- Action:
- None, this message is informational.
- Level:
- C-INFO
- Short Syntax:
- SKIP.028 CDP Response Pkt sent to IP Address
- Long Syntax:
- SKIP.028 Certificate Discovery Protocol Response Packet transmitted to IP Address
- Description:
- The local router has transmitted a CDP response in reply to
the specified remote peer's CDP query.
- Action:
- None, this message is informational.
- Level:
- C-INFO
- Short Syntax:
- SKIP.029 CDP Query name SKIP Name to IP Address
- Long Syntax:
- SKIP.029 Certificate Discovery Protocol query for SKIP Name transmitted to IP Address
- Description:
- The local router has transmitted a CDP query to the specified
IP address. The name being looked up is also displayed.
- Action:
- None, this message is informational.
- Level:
- UI-ERROR
- Short Syntax:
- SKIP.030 Unsup NSID ID for dest name
- Long Syntax:
- SKIP.030 Unsupported Name Space ID ID for destination name
- Description:
- SKIP's shared secret can be computed via Unsigned Diffie-Hellman
or it can be pre-configured. If neither is true then the SKIP
session can not be started.
- Action:
- Manually configure a secret with the ADD SECRET command or
obtain the MD5 signature of the remote router/device's certificate
and enter it as a MD5/UDH name with the SET REMOTE-NAME command.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.031 Que ovrflw, dscrd pkt from IP Address
- Long Syntax:
- SKIP.031 Queue overflow, discarding packet from IP Address
- Description:
- Incoming SKIP packets are queued while SKIP executes the
Certificate Discovery Protocol (CDP) and then uses the
certificates to compute the shared secret used for all SKIP
encryption processing. If this queue overflows then the oldest
packet in the queue is discarded.
- Action:
- None. Upper layer protocols (such as TCP) will retransmit the
packets. This message is just informational.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.032 CDP GET FAIL rcvd from IP Address
- Long Syntax:
- SKIP.032 Certificate Discovery Protocol GET Failure received from IP Address
- Description:
- The remote router did not have a certificate whose name matched
the name sent in our CDP GET request.
- Action:
- Verify the REMOTE-NAME setting for the remote router contains
the correct Name/Hash value listed in the remote router's
certificate. SKIP uses this name/hash value to defend against
certain types of security attacks.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.033 Invalid cert timestamp from IP Address
- Long Syntax:
- SKIP.033 Invalid certificate timestamp from IP Address
- Description:
- A certificate provided from the specified address is not yet
valid or its validity period has expired.
- Action:
- Check that the certificates have not expired. The most likely
problem is that the certificate has an 'expires' time
stamp which is earlier than the current time on the local router.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.034 Cert param mismatch from IP Address
- Long Syntax:
- SKIP.034 Certificate parameter mismatch IP Address
- Description:
- The local router does not have a certificate which matches
the parameters provided in the remote router's certificate.
- Action:
- Check that the local and remote routers are using the same
LENGTH certificate. This error will occur if one router
is using 512 bit certificates and the other is using 2048.
Add new certificates of the correct length at either router
to ensure they both have the same length certificate parameters.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.035 Cert for name expired. Disconnecting.
- Long Syntax:
- SKIP.035 Certificate for name expired. Disconnecting.
- Description:
- The certificate used for encrypted/authenticated traffic to
the specified remote router has expired. The session to the
remote router is terminated.
- Action:
- None. The local router will attempt to restore the session
and that will initiate a NEW certificate discovery which
should provide a new certificate.
- Level:
- ALWAYS
- Short Syntax:
- SKIP.036 SKIP Certificate Management Copyright (C) 1994, 1995 Sun Microsystems, Inc. BigNum multiprecision integer math library Copyright (c) 1995 Colin Plumb.
- Long Syntax:
- SKIP.036 SKIP Certificate Management Copyright (C) 1994, 1995 Sun Microsystems, Inc. BigNum multiprecision integer math library Copyright (c) 1995 Colin Plumb.
- Description:
- The following is the Sun Microsystems SKIP Copyright.
"Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated documentation
files (the "Software"), to deal in the Software without
restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software or derivatives of the Software, and to
permit persons to whom the Software or its derivatives is furnished
to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
The Software must not be transferred to persons who are not US
citizens or permanent residents of the US or exported outside
the US (except Canada) in any form (including by electronic
transmission) without prior written approval from the US
Government. Non-compliance with these restrictions constitutes
a violation of the U.S. Export Control Laws.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL SUN MICROSYSTEMS, INC., BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR DERIVATES OF THIS SOFTWARE OR
THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Except as contained in this notice, the name of Sun Microsystems, Inc.
shall not be used in advertising or otherwise to promote
the sale, use or other dealings in this Software or its derivatives
without prior written authorization from Sun Microsystems, Inc."
The following is the BigNum multiprecision integer math library Copyright.
"Under copyright law, you may not copy nor modify this work without my
permission. I grant limited permission, as follows, to any recipient
of this software ("you") only if, in consideration of this grant of
license, you agree to the following terms. You may use and distribute
copies of this software freely, in source code or compiled form, for
the purpose of using Sun's reference SKIP implementation. You may
modify it to further that end, and distribute the resultant derivative
work, but only if you do so under these same terms, and send me a copy
of your source code modifications with permission for me to use and
distribute them as I wish (you may place your modifications in the
public domain, assign me the copyright, or grant me an unlimited
license to modify and distribute them). I may grant permission to use
this under other terms, if you ask me. For licensing under alternate
terms, contact Philip Zimmermann ."
- Level:
- UI-ERROR
- Short Syntax:
- SKIP.037 Invalid nsid or value, rfsd conn req, dest name
- Long Syntax:
- SKIP.037 Invalid name space ID or value, refusing connection request, destination name
- Description:
- The SKIP source name space configured for the named remote
destination is not supported by the current router load or
that name selection refers to data which is not available
in the router configuration.
- Cause:
- The most likely cause is the selection of a SKIP local name
which refers to a local UDH certificate which is not present.
- Action:
- Verify the certificates referenced as "Local UDH" in the SKIP
local names are present. Add those certificates which are missing.
- Level:
- UI-ERROR
- Short Syntax:
- SKIP.038 Time on the local router is not set.
- Long Syntax:
- SKIP.038 Time on the local router is not set.
- Description:
- The time (clock) is NOT set on the local router. The
time-of-day is required by SKIP so any use of SKIP
is rejected until the time is set via the TIME SET command.
- Action:
- Use the TIME SET command to set the router's clock. An
external time server is recommended so the router can get
the time-of-day automatically after a restart or reload.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.039 Unrecog src name skip name from dest peer name
- Long Syntax:
- SKIP.039 Unrecognized source name skip name for destination peer name
- Description:
- The source name ID and value contained in a packet received
from the specified destination did not match the remote
name configured for that destination.
- Action:
- Verify the REMOTE-NAME configured for this named SKIP peer
is the same as the LOCAL-NAME configured within that remote
router or SKIP client.
- Level:
- C-INFO
- Short Syntax:
- SKIP.040 Idle timer for name expired. Disconnecting.
- Long Syntax:
- SKIP.040 Idle timer for name expired. Disconnecting.
- Description:
- The configured idle timeout interval for the SKIP encrypted
tunnel to the specified destination has elapsed, so the tunnel
to that remote destination has been disconnected.
- Action:
- None. This is purely an informational message.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.041 Illegal Second CnnRq rcvd for SKIP peer dest_key.
- Long Syntax:
- SKIP.041 Illegal Second ConnReq received for SKIP peer dest_key.
- Description:
- The forwarders have sent a connection request to a destination
when a connection request is already outstanding to that
destination. This should never happen. It could be a result of
a misconfiguration, where two router interfaces have been
configured with the same destination name.
- Action:
- Check router configuration. It is incorrect to have two interfaces
configured for the same destination name.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.042 Illegal CnnRq rcvd for SKIP peer dest_key. Tunnel alrdy exsts.
- Long Syntax:
- SKIP.042 Illegal ConnReq received for SKIP peer dest_key. Tunnel already exists.
- Description:
- The forwarders are attempting to create two tunnels to the
same destination. This should never happen. It could be a result of
a misconfiguration, where two router interfaces have been
configured with the same destination name.
- Action:
- Check router configuration. It is incorrect to have two interfaces
configured for the same destination name.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.043 Alloc of Hi/fn 7711 direction API bfr fld for peer dest_key
- Long Syntax:
- SKIP.043 Allocation of Hi/fn 7711 direction API buffer failed for peer dest_key
- Description:
- A Hi/fn 7711 API data structure is needed for all communication
between the VPN software and the Hi/fn 7711 driver. If the router
is running low on memory, a new one cannot be allocated. This is
a serious condition.
- Action:
- The router may not have enough memory to run this load.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.044 Can't appnd to direction pkt for peer dest_key bfr len bfr_len
- Long Syntax:
- SKIP.044 Can't append to direction packet for peer dest_key buffer length bfr_len
- Description:
- The Hi/fn 7711 driver needs room in the data packet buffer
to calculate the authentication signature, and append the results
structure, encryption padding and KEY authentication key.
This error indicates that the buffer is not big enough to do this.
- Action:
- This error should not happen. Try a smaller MTU or Frame size.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.045 drv drv op fld: status for peer dest_key
- Long Syntax:
- SKIP.045 The drv driver operation failed: status status for peer dest_key
- Description:
- An error was returned by the specified driver. The status
will indicate which operation failed.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.046 Can't alloc iob for direction comp for peer dest_key. Not perf.
- Long Syntax:
- SKIP.046 Can't allocate an iob for direction compression for peer dest_key. Not performed
- Description:
- A separate buffer is needed for compression and decompression.
This error indicates that a new buffer could not be allocated,
thus the compression or decompression operation cannot be performed.
If the router is running low on memory, a new iob cannot be allocated.
This is a serious condition.
- Action:
- The router may not have enough memory to run this load.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.047 Inv cmd command rcv by SKIP SW drv
- Long Syntax:
- SKIP.047 Invalid command command received by SKIP Software driver
- Description:
- The SKIP Software driver received a command other than
'encode' or 'decode', which are the only two valid commands.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.048 drv drv op fld: Fatal Error - fe_status for peer dest_key
- Long Syntax:
- SKIP.048 The drv driver operation failed: status Fatal Error - fe_status for peer dest_key
- Description:
- A fatal error was returned by the specified driver. The fe_status
will indicate what caused the fatal error.
- Level:
- UE-ERROR
- Short Syntax:
- SKIP.049 HW RC4 FF error: err_string
- Long Syntax:
- SKIP.049 Hardware RC4 Fast Forward error: err_string
- Description:
- The RC4 state machine is based on the number of bytes sent through
it. When a packet loss is detected, the number of lost bytes can
be determined, and used to allocate a new packet. Sending this
new packet through the RC4 state machine will enable us to
continue processing packets. This process is called 'fast forwarding'.
This error message indicates an error encountered during fast
forwarding.
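The fast-forward step described for SKIP.049, as an added Python example (not the router's or the hardware driver's code): a receiver that misses one packet pushes a dummy buffer of the lost length through its RC4 state so the next packet decrypts correctly. The key, the packets and the way the lost byte count is supplied are constructed assumptions; the page does not say how the router derives that count.

```python
class RC4Stream:
    """RC4 with persistent state, so one keystream spans many packets."""

    def __init__(self, key: bytes):
        # Key-scheduling algorithm (KSA).
        s = list(range(256))
        j = 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0
        self.bytes_processed = 0  # position in the keystream

    def process(self, data: bytes) -> bytes:
        """Encrypt or decrypt `data` (same operation) and advance the state."""
        out = bytearray()
        s = self.s
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + s[self.i]) & 0xFF
            s[self.i], s[self.j] = s[self.j], s[self.i]
            out.append(b ^ s[(s[self.i] + s[self.j]) & 0xFF])
        self.bytes_processed += len(data)
        return bytes(out)

    def fast_forward(self, lost_bytes: int) -> None:
        """Skip the keystream a lost packet would have consumed by running a
        dummy packet of that length through the state machine."""
        self.process(bytes(lost_bytes))


def demo():
    """Return (first, third_without_ff, third_with_ff) as seen by a receiver
    that never gets the second packet."""
    key = b"constructed-demo-key"                     # constructed value
    packets = [b"first packet",
               b"second packet (lost in transit)",
               b"third packet"]
    sender = RC4Stream(key)
    wire = [sender.process(p) for p in packets]       # one continuous keystream

    # Receiver that ignores the loss: keystream is out of step for packet 3.
    rx = RC4Stream(key)
    rx.process(wire[0])
    third_without_ff = rx.process(wire[2])

    # Receiver that fast-forwards by the number of lost bytes.
    rx = RC4Stream(key)
    first = rx.process(wire[0])
    rx.fast_forward(len(wire[1]))
    third_with_ff = rx.process(wire[2])
    assert rx.bytes_processed == sender.bytes_processed
    return first, third_without_ff, third_with_ff


if __name__ == "__main__":
    first, bad, good = demo()
    print("without fast forward:", bad)
    print("with fast forward:   ", good)
```
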