HP-UX IPSec version A.02.00 Administrator's Guide
Troubleshooting HP-UX IPSec
Troubleshooting Scenarios
Chapter 5 187
using a web proxy server to access the VeriSign Managed PKI Control
Center, verify the proxy server configuration (run ipsec_mgr, click on
the Options menu, select System, then select Proxy Information).
Have the Managed PKI Administrator use the View Certificates area of
the Managed PKI Control Center to check for an existing certificate. If a
certificate already exists for your system, the VeriSign CA rejects any
requests for a new certificate.
Restarting Registration
If VeriSign registration fails, the associated
files may be left in an unusable state. You must reset them before trying
to reregister. To do this, change the pending field in
/var/adm/ipsec/cainfo.txt to false and verify that the VeriSign
domain name and CA address are correct, as follows:
begin verisign
pending: false
domain: name_of_domain
caserver: VeriSign_CA_address
You must also delete the /var/adm/ipsec/javabeans.txt and
/var/adm/ipsec/certs.txt files.
Check the Managed PKI Control Center for an already existing
certificate request or certificate, and deny or revoke it before restarting
the registration process.
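The file reset described above can be scripted as follows. This is an added example, not part of the HP guide; the function names are hypothetical, and it assumes each cainfo.txt field is a single "key: value" line under the "begin verisign" line. Denying or revoking the existing request in the Managed PKI Control Center remains a manual step.

```shell
#!/bin/sh
# Added example: reset HP-UX IPSec VeriSign registration state after a failure.
# Assumption: cainfo.txt holds "key: value" fields under a "begin verisign" line.

# reset_verisign_registration [DIR]
# DIR defaults to /var/adm/ipsec, the directory named in the guide.
reset_verisign_registration() {
    dir=${1:-/var/adm/ipsec}
    cainfo=$dir/cainfo.txt
    [ -f "$cainfo" ] || { echo "missing $cainfo" >&2; return 1; }

    # Keep a copy so the edit can be rolled back.
    cp -p "$cainfo" "$cainfo.bak" || return 1

    # Set pending to false, but only inside the verisign section.
    awk '
        /^begin[ \t]/ { in_vs = ($2 == "verisign") }
        in_vs && /^[ \t]*pending:/ { print "pending: false"; next }
        { print }
    ' "$cainfo.bak" > "$cainfo.tmp" || return 1
    # cat (not mv) keeps the original file's owner and mode.
    cat "$cainfo.tmp" > "$cainfo" && rm -f "$cainfo.tmp" || return 1

    # Print the fields the administrator must verify; stop if one is empty.
    for key in domain caserver; do
        val=$(verisign_field "$cainfo" "$key")
        [ -n "$val" ] || { echo "$key is empty in $cainfo" >&2; return 2; }
        echo "$key: $val"
    done

    # Remove the state files left behind by the failed registration.
    rm -f "$dir/javabeans.txt" "$dir/certs.txt"
}

# verisign_field FILE KEY: print KEY's value from the verisign section.
verisign_field() {
    awk -v key="$2:" '
        /^begin[ \t]/ { in_vs = ($2 == "verisign") }
        in_vs && $1 == key { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print; exit }
    ' "$1"
}
```

Call reset_verisign_registration with no argument to act on /var/adm/ipsec, and compare the printed domain and caserver values against the ones issued for your Managed PKI account before reregistering.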
Security Policy Database Limit Exceeded (Kernel Policy Cache Threshold reached or Kernel Policy Cache Threshold exceeded)
Problem
The Security Policy Database (SPD) is near or exceeding the soft or hard
size limit.
Symptoms
The SPD is the HP-UX IPSec runtime policy database, with cached
policy decisions for packet descriptors (five-tuples consisting of exact,
non-wildcard source IP address, destination IP address, protocol, source
port, and destination port).