HP-UX IPSec version A.02.00 Administrator's Guide

Troubleshooting HP-UX IPSec
Troubleshooting Scenarios
Chapter 5, page 180
PF_KEY: Invalid SADB_ADD, SPI 0xnnnn, errno 22
Verify that the SPI number in the audit message matches a manual key SPI. Examine the STREAMS log messages to verify that the error is caused by a weak encryption key, as described in “Examining STREAMS Logging Records” on page 180. See Chapter 7, “Selecting Encryption Keys” on page 209 for information on generating strong encryption keys.
STREAMS Logging Messages and Additional Audit File Entries
In most cases, little information is logged when manual keys fail because
there is no IKE or IPSec SA negotiation. The ipsec_report -sad and
ipsec_report -host active output show the SAs when the SA
information is added to the runtime database, even if the SAs are not
acceptable to the remote system. To view additional data that may
include information about manual key SAs, use the following procedures
to examine the STREAMS logging records and additional audit file
entries.
Examining STREAMS Logging Records
You can use the strace utility to view STREAMS log records, or use the following procedure to examine the nettl log file for entries logged by the HP-UX IPSec STREAMS modules.
1. Execute the following command to determine the current nettl log file (the default is /var/adm/nettl.LOG000) and the current log classes for the STREAMS subsystem:
   nettl -ss
   The default STREAMS log classes are error and disaster. If the STREAMS log classes do not include the error and disaster classes, use the nettl command to set them. You can do this by executing a command similar to the following:
   nettl -log e d -e streams
2. Format the current nettl log file. You can do this by executing a command similar to the following:
   netfmt /var/adm/nettl.LOG000 > my_log_output
3. If the STREAMS log classes did not previously include the error and disaster classes, re-create the manual key problem.
4. Examine the output and search for records logged by the HP-UX IPSec STREAMS modules. Search for the string ipsec.
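The two checks above (matching the SPI in the PF_KEY audit message against the configured manual key SPIs, and picking the IPSec records out of the formatted nettl output in step 4) as an added Python triage script; this is example code, not part of the guide or the HP-UX IPSec product. Only the "PF_KEY: Invalid SADB_ADD, SPI 0x..., errno ..." message text comes from the guide; the timestamp/prefix fields, the SPI values and the sample netfmt lines are constructed.

```python
import re
from errno import errorcode

# Message text from the guide; the surrounding fields of an audit record are unknown
# here, so only the message itself is matched.
SADB_ADD_FAIL_RE = re.compile(
    r"PF_KEY: Invalid SADB_ADD, SPI 0x(?P<spi>[0-9a-fA-F]+), errno (?P<errno>\d+)"
)

# Constructed sample audit lines (not real HP-UX output).
SAMPLE_AUDIT = [
    "08/14 10:22:03 ipsec_audit: PF_KEY: Invalid SADB_ADD, SPI 0x1001, errno 22",
    "08/14 10:22:03 ipsec_audit: SA lifetime updated for 192.0.2.10",
]

# Constructed sample of netfmt-formatted records (not real netfmt output).
SAMPLE_NETFMT = [
    "Subsystem: STREAMS  Class: ERROR  Module: ipsec_esp  weak key rejected",
    "Subsystem: STREAMS  Class: ERROR  Module: tcp  retransmit limit reached",
    "Subsystem: STREAMS  Class: DISASTER  Module: IPSEC_AH  key length mismatch",
]


def parse_sadb_add_failures(audit_lines):
    """Return (spi, errno) for every failed SADB_ADD found in the audit text."""
    found = []
    for line in audit_lines:
        m = SADB_ADD_FAIL_RE.search(line)
        if m:
            found.append((int(m.group("spi"), 16), int(m.group("errno"))))
    return found


def triage(audit_lines, manual_key_spis):
    """Flag each failed SPI as a configured manual key SPI or not, and name the errno.

    manual_key_spis: set of SPIs (ints) the administrator configured for manual keys."""
    results = []
    for spi, err in parse_sadb_add_failures(audit_lines):
        results.append({
            "spi": spi,
            "errno": err,
            "errno_name": errorcode.get(err, "unknown"),   # 22 -> EINVAL
            "manual_key": spi in manual_key_spis,
        })
    return results


def ipsec_streams_records(formatted_log):
    """Step 4 of the procedure: keep only records that mention the IPSec modules."""
    return [line for line in formatted_log if "ipsec" in line.lower()]


if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT, {0x1001, 0x1002}):
        print("SPI 0x%x errno %d (%s) manual key: %s"
              % (r["spi"], r["errno"], r["errno_name"], r["manual_key"]))
    for rec in ipsec_streams_records(SAMPLE_NETFMT):
        print(rec)
```

A SPI that is flagged as a manual key SPI with EINVAL is the case the guide describes; the matching STREAMS records then show whether the key was rejected as weak.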