HP-UX IPSec Version A.03.00 Administrator's Guide
Troubleshooting Scenarios
This section contains information about the following common troubleshooting scenarios,
including their symptoms and resolutions:
• “HP-UX IPSec Incorrectly Passes Packets” (page 152)
• “HP-UX IPSec Incorrectly Attempts to Encrypt/Authenticate Packets” (page 153)
• “HP-UX IPSec Attempts to Encrypt/Authenticate and Fails” (page 153)
• “IKEv1 SA Negotiation Fails or Times Out (phase1 negotiation failed)” (page 154)
• “IKEv2 SA Negotiation Fails or Times Out (retransmission count exceeded the limit)” (page 156)
• “IPsec SA Negotiation Fails” (page 157)
• “IKE Primary Authentication Fails with Certificates” (page 158)
• “HP-UX Will Not Start (ipsec_admin -start Fails)” (page 159)
• “Corrupt or Missing HP-UX IPSec Configuration Database” (page 160)
• “Autoboot is Not Working Properly” (page 160)
• “Security Policy Database Limit Exceeded (Kernel Policy Cache Threshold reached or Kernel Policy Cache Threshold exceeded)” (page 161)
HP-UX IPSec Incorrectly Passes Packets
Problem
IPsec is incorrectly allowing packets to pass in clear text instead of authenticating, encrypting,
or discarding the packets.
Symptoms
No error message or interruptions to user service, but no SAs are established, or IPsec is passing
packets that should be discarded to upper layers.
Solution
Run the following commands:
ipsec_admin -status (verify that HP-UX IPSec is started)
ipsec_report -sa ipsec (check for IPsec SAs)
ipsec_policy (determine the policy being used)
ipsec_report -cache (check the cached policy decisions)
ipsec_report -host (check for active host IPsec policies)
ipsec_report -bypass (verify that the local address is not in the bypass list)
Check the configuration file for incorrect addresses, order, or other incorrect information. Check
if the host policy has the FALLBACK_TO_CLEAR flag set.
If HP-UX IPSec is misconfigured to pass packets that it should authenticate or encrypt, there will
be no obvious external symptoms. Check if HP-UX IPSec actually established SAs and is
encrypting/authenticating the packets. Check for IPsec SAs using the following commands:
ipsec_report -sa ipsec
ipsec_report -host
If there are no SAs for the IP packets that you expect and no user error, HP-UX IPSec is probably
misconfigured and passing packets it should not. Check to see which IPsec policy is being used
by running ipsec_policy, or by executing the ipsec_report -cache and
ipsec_report -host commands.
Verify that the local IPv4 address is not in the bypass list (ipsec_report -bypass).
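The following script is an added example for this scenario; it is not part of the HP-UX IPSec product or this guide. It runs the six commands listed above in order, captures each command's output to its own file so the results can be reviewed or attached to a support case, and then applies the two checks the text calls for: whether the SA report came back empty, and whether FALLBACK_TO_CLEAR appears in the host policy or policy output. It assumes the commands are on PATH and treats their output as opaque text; the only interpretation it performs is a literal search for the FALLBACK_TO_CLEAR string, since the guide does not specify the report formats.

```shell
#!/bin/sh
# Triage helper for the "HP-UX IPSec incorrectly passes packets" checklist.
# Added example, not HP-UX IPSec code. Assumptions (not from the guide):
# the commands are on PATH; their output formats are not interpreted beyond
# an "is it empty" test and a literal search for the FALLBACK_TO_CLEAR flag.

# Checks from the guide, one per line: "<label>|<command>".
IPSEC_CHECKS='status|ipsec_admin -status
sa|ipsec_report -sa ipsec
policy|ipsec_policy
cache|ipsec_report -cache
host|ipsec_report -host
bypass|ipsec_report -bypass'

# Run every check and store its output in OUTDIR/<label>.txt.
# A failing command is reported but does not stop the remaining checks.
capture_ipsec_checks() {
    outdir=$1
    mkdir -p "$outdir"
    printf '%s\n' "$IPSEC_CHECKS" | while IFS='|' read -r label cmd; do
        # $cmd is intentionally unquoted so the options are passed as
        # separate arguments (e.g. "ipsec_report" "-sa" "ipsec").
        if $cmd > "$outdir/$label.txt" 2>&1; then
            printf 'captured %-6s (%s)\n' "$label" "$cmd"
        else
            printf 'WARN: %s exited with status %d\n' "$cmd" "$?"
        fi
    done
}

# Return 0 when the captured output mentions the FALLBACK_TO_CLEAR flag.
has_fallback_to_clear() {
    grep -q 'FALLBACK_TO_CLEAR' "$1"
}

# Return 0 when the captured output has no non-blank lines, which for the
# SA report means no IPsec SAs were listed.
is_empty_report() {
    ! grep -q '[^[:space:]]' "$1"
}

# Print the warnings that match the guide's two explicit checks.
summarize_ipsec_checks() {
    outdir=$1
    if is_empty_report "$outdir/sa.txt"; then
        echo "WARN: no IPsec SAs reported; expected traffic may be passing in clear text"
    fi
    if has_fallback_to_clear "$outdir/host.txt" || has_fallback_to_clear "$outdir/policy.txt"; then
        echo "WARN: FALLBACK_TO_CLEAR appears in the active policy output"
    fi
}

# Usage: sh ipsec_clear_text_triage.sh /var/tmp/ipsec-triage
if [ $# -eq 1 ]; then
    capture_ipsec_checks "$1"
    summarize_ipsec_checks "$1"
fi
```

Review the captured files in the output directory alongside the warnings: an empty sa.txt with no warning from status.txt points at a policy that never selects the traffic, while a FALLBACK_TO_CLEAR hit explains clear-text delivery without any SA failure being reported.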
152 Troubleshooting HP-UX IPSec