HP-UX IPSec Version A.03.00 Administrator's Guide
Reporting Problems
Be sure to include the following information when reporting problems:
• A complete description of the problem and any error messages. Include information about:
— the local system (IP addresses)
— IP addresses of relevant remote systems
— routing table information (netstat -rn output) if appropriate
Also include a description of what works and what does not work.
• Output from the ipsec_admin -status command.
• Output from the ipsec_report -all command.
• Output from the ipsec_report -audit audit_file -file output_file command for
additional audit files. The ipsec_report -all output includes the contents of the current
audit file, but you may need to collect multiple audit files to get all the records for a problem.
HP-UX IPSec opens a new audit file when the current file will exceed the maximum audit
file size. The default maximum audit file size is 100 Kbytes. You can change the maximum
audit file size using the ipsec_admin -m[axsize] max_audit_file_size command.
If you can reproduce the problem, set the audit level to informative or debug, and set
the maximum audit file size to a large value, such as 99,999 kilobytes. For example, you can
enter the following commands before reproducing the problem:
ipsec_admin -maxsize 99999
ipsec_admin -auditlvl informative
• Output from the ipsec_policy command. Specify as many parameters as you can (source
IP address, source port, destination IP address, destination port, protocol).
• If the problem may be caused by the transport or application layer, enable layer four tracing
(ipsec_admin -traceon), recreate the problem, and then disable tracing (ipsec_admin -traceoff).
Trace output will be sent to /var/admin/ipsec/nettl.TRC0 and /var/admin/ipsec/nettl.TRC,
if nettl tracing is not already enabled and directed to another file set.
NOTE: IP and ICMP tracing are still available when IPsec is running. Packets secured with
AH are still in clear text and the packet contents are still visible through a nettl trace. The
output format using netfmt can only be parsed for the IP header. The netfmt utility
displays any data following the IP header as hexadecimal values.
• A formatted listing of the configuration database. Use the following command to get a listing:
ipsec_config show all
If you are using security certificates, include the contents of the /var/adm/ipsec/certstore/
directory.
• If you are using security certificates, include the output from the following commands:
ipsec_config show mycert
ipsec_config show cacert
• The contents of the IP configuration file:
/etc/rc.config.d/netconf
• If the problem is reproducible, re-create it with the audit level set to informative.
• Output from the following ndd commands:
ndd -get /dev/ip ip_ipsec_polist
ndd -get /dev/ip ip_ipsec_salist
ndd -get /dev/ip ip_ipsec_status
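As an added example (not from the guide), the following POSIX shell script collects the items on this checklist into one directory ready to attach to a problem report. It assumes the HP-UX IPSec commands and file paths named on this page are present; the function names and output file names are the script's own choices.

```shell
#!/usr/bin/sh
# Added example, not from the HP-UX IPSec guide: bundle the checklist items
# into one directory for a problem report.
# Assumes the HP-UX IPSec commands and paths this page names; the function
# and file names are this script's own.
# Usage: collect_ipsec_diag [output_dir] [extra_audit_file ...]

NETCONF=/etc/rc.config.d/netconf        # IP configuration file (from the page)
CERTSTORE=/var/adm/ipsec/certstore      # certificate store (from the page)

# The checklist commands, one per line, in the order the guide lists them.
# Append the source/destination parameters you know to the ipsec_policy line.
ipsec_diag_commands() {
    cat <<'EOF'
ipsec_admin -status
ipsec_report -all
ipsec_policy
ipsec_config show all
ipsec_config show mycert
ipsec_config show cacert
netstat -rn
ndd -get /dev/ip ip_ipsec_polist
ndd -get /dev/ip ip_ipsec_salist
ndd -get /dev/ip ip_ipsec_status
EOF
}

# Run a command with stdout and stderr saved to a file. A missing tool is
# recorded in the file rather than aborting, so a partial bundle still results.
run_into() {            # run_into <outfile> <command> [args...]
    out=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$out" 2>&1 || echo "[exit status $?]" >>"$out"
    else
        echo "$1: not available on this system" >"$out"
    fi
}

collect_ipsec_diag() {
    dir=${1:-/var/tmp/ipsec_diag.$$}; [ $# -gt 0 ] && shift
    mkdir -p "$dir" || return 1
    ipsec_diag_commands | while read -r cmd; do
        # output file name is the command with spaces and slashes replaced
        run_into "$dir/$(printf '%s' "$cmd" | tr ' /' '__').txt" $cmd
    done
    # Earlier audit files: ipsec_report -all covers only the current one.
    for f in "$@"; do
        b=$(basename "$f")
        run_into "$dir/audit_$b.log" ipsec_report -audit "$f" -file "$dir/audit_$b.txt"
    done
    [ -f "$NETCONF" ] && cp "$NETCONF" "$dir/netconf"
    [ -d "$CERTSTORE" ] && cp -r "$CERTSTORE" "$dir/certstore"
    echo "$dir"
}
```

Run it after raising the audit file size and level as described above and reproducing the problem, passing any rotated audit files as extra arguments.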