HP-UX IPSec version A.02.01 Administrator's Guide

Troubleshooting HP-UX IPSec
Troubleshooting Scenarios
Chapter 7 227
Step 4. Reboot the system.
If you still have problems after following the troubleshooting procedure,
contact your HP representative.
If HP-UX IPSec is not using the IPsec policy you expected, check for
errors in the configuration file, such as incorrect IP addresses. Also check
the order of the IPsec policies: HP-UX IPSec searches the IPsec policies
sequentially and selects the first policy whose filter parameters match the
packet, so a broad policy listed earlier takes precedence over a narrower
policy listed after it.
Security Policy Database Limit Exceeded (Kernel Policy Cache Threshold reached or Kernel Policy Cache Threshold exceeded)
Problem
The Security Policy Database (SPD) is near or exceeding the soft or hard
size limit.
Symptoms
The SPD is the HP-UX IPSec runtime policy database, with cached
policy decisions for packet descriptors (five-tuples consisting of exact,
non-wildcard source IP address, destination IP address, protocol, source
port, and destination port).
When the size of the SPD exceeds the soft limit, HP-UX IPSec logs an
alert message to the system console and the audit file, and logs an
additional alert message for each 1000 SPD entries added after that. You
will see log messages similar to the following:
Msg: 20 From: SECPOLICYD Lvl: ALERT Date: Tue Apr 20 11:30:39 2004
Event: Kernel Policy Cache Threshold reached nnnn records.
where nnnn is the soft limit.
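The following Python script is added here as an illustration; it is not part of the HP-UX IPSec product or of this guide. It simulates the two behaviours this section describes: sequential first-match policy selection (so the order of policies decides which one is applied) and the SPD cache of exact five-tuples with a soft limit that only raises alerts and a hard limit at which no new entries are added and packets without an existing entry are no longer handled. The policy names, the PASS/SECURE/DISCARD action labels, the small limit values, and the discard-by-default handling of a packet that matches no policy are constructed assumptions for the simulation; the alert text is modelled on the log message shown above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Packet descriptor as the guide defines it: exact (non-wildcard) source
# address, destination address, protocol, source port and destination port.
FiveTuple = Tuple[str, str, str, int, int]


@dataclass
class Policy:
    """One IPsec policy with filter parameters; '*' or None means any value."""
    name: str
    src: str = "*"
    dst: str = "*"
    proto: str = "*"
    sport: Optional[int] = None
    dport: Optional[int] = None
    action: str = "PASS"  # constructed action labels: PASS, SECURE, DISCARD

    def matches(self, pkt: FiveTuple) -> bool:
        src, dst, proto, sport, dport = pkt
        return (self.src in ("*", src) and self.dst in ("*", dst)
                and self.proto in ("*", proto)
                and self.sport in (None, sport)
                and self.dport in (None, dport))


def select_policy(policies: List[Policy], pkt: FiveTuple) -> Optional[Policy]:
    """Sequential search: the first policy whose filter matches wins, so a
    broad policy listed early shadows a narrower policy listed later."""
    for policy in policies:
        if policy.matches(pkt):
            return policy
    return None


class SPD:
    """Runtime policy cache keyed by five-tuple. The soft limit only raises
    alerts (then one more alert per `alert_every` entries, 1000 in the guide);
    the hard limit stops new entries from being added."""

    def __init__(self, policies: List[Policy], soft_limit: int,
                 hard_limit: int, alert_every: int = 1000) -> None:
        self.policies = policies
        self.soft_limit = soft_limit
        self.hard_limit = hard_limit
        self.alert_every = alert_every
        self.cache: Dict[FiveTuple, str] = {}
        self.alerts: List[str] = []
        self._next_alert_at = soft_limit
        self._hard_alerted = False

    def _alert(self, event: str) -> None:
        # Constructed alert line modelled on the format shown in the guide.
        self.alerts.append(
            f"Msg: {len(self.alerts) + 1} From: SECPOLICYD Lvl: ALERT "
            f"Event: Kernel Policy Cache Threshold {event}")

    def lookup(self, pkt: FiveTuple) -> Optional[str]:
        """Return the action for pkt, or None when the packet cannot be
        handled because the hard limit is reached and no entry exists."""
        if pkt in self.cache:
            return self.cache[pkt]          # existing entries keep working
        if len(self.cache) >= self.hard_limit:
            if not self._hard_alerted:
                self._alert(f"exceeded {self.hard_limit} records.")
                self._hard_alerted = True
            return None                     # not cached, not transmitted or received
        policy = select_policy(self.policies, pkt)
        # Simulation assumption: a packet matching no policy is discarded.
        action = policy.action if policy else "DISCARD"
        self.cache[pkt] = action
        if len(self.cache) >= self._next_alert_at:
            self._alert(f"reached {len(self.cache)} records.")
            self._next_alert_at += self.alert_every
        return action


if __name__ == "__main__":
    # Constructed policy set: a narrow SECURE rule followed by a broad PASS rule.
    demo = [Policy("web", dst="10.0.0.5", proto="tcp", dport=443, action="SECURE"),
            Policy("any-tcp", proto="tcp", action="PASS"),
            Policy("default", action="DISCARD")]
    spd = SPD(demo, soft_limit=3, hard_limit=5, alert_every=2)
    for sport in range(40000, 40006):
        print(sport, spd.lookup(("10.0.0.1", "10.0.0.5", "tcp", sport, 443)))
    print("\n".join(spd.alerts))
```

Swapping the first two policies in the demo set changes the selected action for the same packet from SECURE to PASS, which is the ordering mistake the troubleshooting text above warns about; the alert sequence shows why the soft-limit message is only a warning while the hard-limit condition actually drops traffic that has no cached entry.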
When the hard limit is exceeded, HP-UX IPSec stops adding new entries
to the SPD and stops transmitting and receiving packets that do not
match existing entries in the SPD. You will see log messages similar
to the following: