HP-UX IPSec version A.02.00 Administrator's Guide

Troubleshooting HP-UX IPSec
Troubleshooting Scenarios
Chapter 5
Msg: 413 From: IKMPD Lvl: ERROR Date: Fri Mar 15 07:14:18 2002
Event: MM negotiation timeout, src 15.2.2.2
If there is a mismatch in IKE policies, some IKE daemons do not respond
to negotiation attempts. This causes a MM negotiation timeout error
on the connecting system.
ISAKMP/MM SA Negotiation Fails (Main Mode processing failed, MM negotiation timeout)
Problem
ISAKMP/MM SA negotiation fails.
Symptoms
The output from ipsec_report -mad does not show the
ISAKMP/MM SA. The audit log contains a Main Mode processing
failed or MM negotiation timeout error entry.
Solution
Determine whether the ISAKMP/MM SA is absent because the
ISAKMP/MM negotiation failed or because the successfully negotiated
ISAKMP/MM SA was deleted when an IPSec/QM negotiation failed.
Run the following commands:
ipsec_admin -auditlvl informative (or debug)
ipsec_report -audit audit_file_name [-entity ikmpd]
ipsec_admin trace (check for packets to and from UDP port 500)
Additional Information
If there is no ISAKMP/MM SA to the remote system, the ISAKMP/MM
SA negotiation may be failing.
If IPSec/QM negotiations fail, the remote IKE daemon sends the HP-UX IKE
daemon a notification that the negotiation failed. The HP-UX IKE daemon
then notifies the peer IKE daemon that it wants to delete the
ISAKMP/MM SA that was used for the failed IPSec/QM negotiation.
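
The audit-log check described under Solution, as an added example that is not part of the HP guide: a POSIX shell function that reads audit text in the record layout shown above and counts the two ISAKMP/MM failure events per peer. The function names, the INFORMATIVE level string and every sample record except the first are constructed for illustration, and real ipsec_report -audit output is assumed to follow the layout of the entry printed on this page.

```shell
#!/bin/sh
# Added example (not from the HP guide). Assumed record layout, taken from
# the single entry shown on this page:
#   Msg: <n> From: <entity> Lvl: <level> Date: <date>
#   Event: <text>[, src <address>]
# Only the two event strings the guide names are matched.
mm_failures() {
    awk '
    /^Msg: / {
        # Header line: remember entity and level for the Event line that follows.
        entity = ""; level = ""
        for (i = 1; i < NF; i++) {
            if ($i == "From:") entity = $(i + 1)
            if ($i == "Lvl:")  level  = $(i + 1)
        }
        next
    }
    /^Event: / {
        # Lines that are neither Msg: nor Event: (a wrapped date) are ignored.
        if (entity != "IKMPD" || level != "ERROR") next
        if ($0 ~ /MM negotiation timeout/) kind = "timeout"
        else if ($0 ~ /Main Mode processing failed/) kind = "mm_failed"
        else next
        peer = "unknown"   # entry carries no src field
        if (match($0, /src [0-9.]+/)) peer = substr($0, RSTART + 4, RLENGTH - 4)
        count[peer " " kind]++
        entity = ""; level = ""
    }
    END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# Constructed sample records; only the first mirrors the entry in the guide.
sample_audit() {
    cat <<'EOF'
Msg: 413 From: IKMPD Lvl: ERROR Date: Fri Mar 15 07:14:18 2002
Event: MM negotiation timeout, src 15.2.2.2
Msg: 414 From: IKMPD Lvl: ERROR Date: Fri Mar 15 07:15:20 2002
Event: MM negotiation timeout, src 15.2.2.2
Msg: 415 From: IKMPD Lvl: INFORMATIVE Date: Fri Mar 15 07:15:21 2002
Event: constructed informative entry, src 15.2.2.2
Msg: 416 From: IKMPD Lvl: ERROR Date: Fri Mar 15 07:16:02 2002
Event: Main Mode processing failed
EOF
}

sample_audit | mm_failures
```

Each output line is peer, failure kind and count. Repeated timeouts from a single peer match the IKE policy mismatch case described at the top of this page, where the remote daemon does not respond.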