HP-UX IPSec version A.02.00 Administrator's Guide

Troubleshooting HP-UX IPSec
Troubleshooting Scenarios
Chapter 5
Symptoms
Output from the ipsec_report -sad command does not show IPSec/QM
SAs and the audit log contains Quick Mode processing failed or QM
negotiation timeout error messages.
Solution
Run ipsec_policy to determine the IPSec policy that HP-UX IPSec is
using, or execute the ipsec_report -cache and ipsec_report -host
commands.
Check the transform list and lifetimes. Check the audit file.
Additional Information
If the ISAKMP/MM SA negotiation succeeded but the IPSec/QM SA
negotiation failed, you will probably not see any ISAKMP/MM SAs in the
output of the ipsec_report -mad command. This is because the HP-UX
IPSec IKE daemon tears down an ISAKMP/MM SA if an IPSec/QM SA
negotiation fails. To be sure that the ISAKMP/MM negotiation succeeded
and that IKE actually attempted to negotiate the IPSec/QM SA, look for
Quick Mode processing failed or QM negotiation timeout error
messages in the audit file. A QM negotiation timeout error usually
indicates that the remote system did not agree with the IPSec/QM SA
proposal and chose not to respond.
Check which IPSec policy is being used with the ipsec_policy
command. Check the IPSec policy configurations for mismatches.
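
The audit-file check described above, as an added example (not part of the HP guide or HP tooling): a shell function that classifies a text copy of the audit log by the two error strings the guide quotes. The sample line layout, the function names and the file argument are assumptions; only the two message strings come from the guide.

```sh
#!/bin/sh
# Added example, not HP code. Only the two quoted error strings come from
# the guide; the sample line layout and all function names are assumptions.

qm_write_sample() {   # $1: path to write constructed audit text to
    cat > "$1" <<'EOF'
constructed-sample 10:02:11 MM negotiation completed with 192.0.2.10
constructed-sample 10:02:41 QM negotiation timeout with 192.0.2.10
EOF
}

qm_triage() {         # $1: readable text copy of the audit log
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    # grep -c exits 1 on zero matches, so neutralise that for set -e callers
    timeouts=$(grep -c 'QM negotiation timeout' "$1" || true)
    failures=$(grep -c 'Quick Mode processing failed' "$1" || true)
    if [ "$timeouts" -gt 0 ] && [ "$failures" -gt 0 ]; then
        echo "qm-failed-and-timeout"
    elif [ "$timeouts" -gt 0 ]; then
        echo "qm-timeout"
    elif [ "$failures" -gt 0 ]; then
        echo "qm-failed"
    else
        echo "no-qm-error"
    fi
}

qm_advice() {         # $1: result string from qm_triage
    case $1 in
        qm-timeout|qm-failed-and-timeout)
            echo "MM succeeded, QM attempted; peer likely rejected the proposal without replying."
            echo "Compare transform lists and lifetimes on both systems." ;;
        qm-failed)
            echo "MM succeeded, QM attempted and failed; check IPSec policies for mismatches." ;;
        no-qm-error)
            echo "No QM error found; the audit text does not confirm that QM was attempted." ;;
        *)  echo "Audit text could not be read." ;;
    esac
}

# Demo run on the constructed sample.
sample=${TMPDIR:-/tmp}/qm_audit_sample.$$
qm_write_sample "$sample"
qm_advice "$(qm_triage "$sample")"
rm -f "$sample"
```

An empty ipsec_report -mad listing alongside a qm-* result is expected, because the IKE daemon tears down the ISAKMP/MM SA when the IPSec/QM SA negotiation fails.
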
Manual Keys Fail
Problem
Manual keys do not work.
Symptoms
Link errors (unable to connect) and timeouts. The output from the
ipsec_report -sad command shows the SAs, but attempts to exchange
data with the remote system fail.