HP-UX IPSec version A.02.00 Administrator's Guide
Troubleshooting HP-UX IPSec
Troubleshooting Scenarios
Chapter 5 173
Symptoms
Link errors (unable to connect) and ipsec_report -sad shows no
IPSec/QM SAs.
Solution
Determine if ISAKMP/MM SA negotiations are succeeding. Run the
following commands:
ipsec_report -mad
ipsec_report -audit file
Check the log file for Main Mode processing failed and MM negotiation
timeout error messages.
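One way to pull just those two events out of a long audit report, as an added example that is not part of the HP guide. It assumes every entry uses the two-line Msg:/Event: layout of the sample entry shown in this section and that ipsec_report -audit writes the report to standard output; the function names and all sample entries except the first are constructed.

```shell
#!/bin/sh
# Added example (not from the HP guide): list ISAKMP/MM failures found in
# ipsec_report -audit output. Assumes each entry is a "Msg: ... Date: ..."
# header line followed by an "Event: ..." line.

# Read report text on stdin; print "date<TAB>source<TAB>event" for each entry
# whose event is one of the two Main Mode failures named in this section.
mm_failures() {
    awk '
        $1 == "Msg:" {
            src = ""; when = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "From:") src = $(i + 1)
                if ($i == "Date:") {
                    # The date is everything after "Date:" on the header line.
                    when = $(i + 1)
                    for (j = i + 2; j <= NF; j++) when = when " " $j
                    break
                }
            }
            next
        }
        $1 == "Event:" {
            ev = $0
            sub(/^[ \t]*Event:[ \t]*/, "", ev)
            if (ev ~ /^Main Mode processing failed/ || ev ~ /^MM negotiation timeout/)
                printf "%s\t%s\t%s\n", when, src, ev
        }
    '
}

# Number of matching entries; zero means no Main Mode failure was logged.
mm_failure_count() { mm_failures | wc -l | tr -d ' '; }

# Sample report text. Only the first entry is taken from this section; the
# other two are constructed for the example.
sample_audit() {
cat <<'EOF'
Msg: 31 From: IKMPD LVL: ERROR Date: Wed Oct 31 11:44:10 2001
Event: Main Mode processing failed
Msg: 32 From: IKMPD LVL: ERROR Date: Wed Oct 31 11:45:40 2001
Event: MM negotiation timeout
Msg: 33 From: IKMPD LVL: ERROR Date: Wed Oct 31 11:50:02 2001
Event: constructed unrelated event
EOF
}

# On a live system (assumption, not run here): ipsec_report -audit file | mm_failures
sample_audit | mm_failures
```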
Additional Information
If HP-UX IPSec is configured to encrypt or authenticate traffic but is
failing, the failure appears to the user as a connection error (unable to
connect or connection timed out).
If users are consistently getting connection errors for traffic that should
use HP-UX IPSec for encryption or authentication, check for IPSec/QM
SAs using the following commands:
ipsec_report -sad
ipsec_report -host
Determine if IPSec is successfully creating the ISAKMP/MM SA. Check
for ISAKMP/MM SAs using the following command:
ipsec_report -mad
If there is no ISAKMP/MM SA, HP-UX IPSec may have created an
ISAKMP/MM SA but deleted it when the IPSec/QM SA negotiation
failed. Check the audit log for failed attempts to establish ISAKMP/MM
SAs using the following command:
ipsec_report -audit /var/adm/ipsec/auditdateinfo.log
Check the log file for IKMPD Main Mode processing failed error
entries such as the following:
Msg: 31 From: IKMPD LVL: ERROR Date: Wed Oct 31 11:44:10 2001
Event: Main Mode processing failed
Also check the log file for MM negotiation timeout error entries such as
the following: