HP-UX IPSec version A.02.00 Administrator's Guide
Troubleshooting HP-UX IPSec
Troubleshooting Scenarios
Chapter 5
When the size of the SPD exceeds the soft limit, HP-UX IPSec logs an
alert message to the system console and the audit file, and logs an
additional alert message for each 1000 SPD entries added. The log
messages are similar to the following:
Msg: 20 From: SECPOLICYD Lvl: ALERT Date: Tue Apr 20 11:30:39 2004
Event: Kernel Policy Cache Threshold reached nnnn records.
where nnnn is the soft limit.
When the hard limit is exceeded, HP-UX IPSec stops adding new entries
to the SPD and stops transmitting and receiving packets that do not
match existing entries in the SPD. The log messages are similar to the
following:
Msg: 55 From: SECPOLICYD Lvl: ALERT Date: Tue Apr 20 12:14:42 2004
Event: Kernel Policy Cache Threshold exceeded nnnn records.
where nnnn is the hard limit.
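The two alerts differ only in the Event text: "Threshold reached" marks the soft limit and "Threshold exceeded" the hard limit. The shell function below is an added example, not part of the HP guide, that classifies them in audit-log text; it assumes the Msg header and the Event text each occupy one line in the file, and the sample records and record counts are constructed.

```shell
#!/bin/sh
# Added example: classify SPD threshold alerts in HP-UX IPSec audit-log text.
# Assumption: each record is one "Msg: ..." header line followed by one
# "Event: ..." line, as in the messages shown above.

# Reads log text on stdin; prints "<SOFT|HARD> <records> <date>" per alert.
classify_spd_alerts() {
    awk '
    /^Msg:/ {                   # record header: remember sender, level, date
        from = ""; lvl = ""; date = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "From:") from = $(i + 1)
            if ($i == "Lvl:")  lvl  = $(i + 1)
            if ($i == "Date:")
                for (j = i + 1; j <= NF; j++)
                    date = (date == "" ? $j : date " " $j)
        }
        next
    }
    /^Event:/ {
        # Count the event only if its header came from SECPOLICYD at ALERT.
        if (from == "SECPOLICYD" && lvl == "ALERT" &&
            $0 ~ /^Event: Kernel Policy Cache Threshold /) {
            if ($6 == "reached")       print "SOFT", $7, date
            else if ($6 == "exceeded") print "HARD", $7, date
        }
        from = ""; lvl = ""     # an Event line closes the record
    }'
}

# Constructed sample input: counts 25000/50000 and record 21 are made up.
sample_audit_log() {
    cat <<'EOF'
Msg: 20 From: SECPOLICYD Lvl: ALERT Date: Tue Apr 20 11:30:39 2004
Event: Kernel Policy Cache Threshold reached 25000 records.
Msg: 21 From: SECPOLICYD Lvl: ALERT Date: Tue Apr 20 11:45:00 2004
Event: constructed unrelated event, ignored by the classifier
Msg: 55 From: SECPOLICYD Lvl: ALERT Date: Tue Apr 20 12:14:42 2004
Event: Kernel Policy Cache Threshold exceeded 50000 records.
EOF
}

sample_audit_log | classify_spd_alerts
```

A HARD line means HP-UX IPSec has stopped passing packets that do not match existing SPD entries, so it deserves a more urgent response than a SOFT line.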
Solution
Use the following ipsec_config commands to set and configure new SPD
soft and hard limits:
ipsec_config add startup -spd_soft spd_soft_limit
ipsec_config add startup -spd_hard spd_hard_limit
The spd_soft_limit and spd_hard_limit are specified in units of 1000
entries. Refer to the ipsec_config (1M) manpage for more information.
You can also use the ipsec_admin -spd_soft spd_soft_limit and
ipsec_admin -spd_hard spd_hard_limit commands to set new SPD
soft and hard limits. Refer to the ipsec_admin (1M) manpage for more
information.