HP-UX IPSec Version A.03.00 Administrator's Guide
NOTE: The audit file on the initiator may also show a message with the text Event:
phase2 negotiation failed due to time up waiting for phase1. This
message does not always indicate that the phase 1 negotiation was successful and that the
IKE daemon started a phase 2 negotiation (IPsec SA negotiation). The IKE daemon starts a
timer for the completion of the phase 2 negotiation before it starts the phase 2 negotiation,
independent of the status of the phase 1 negotiation.
IKEv2 SA Negotiation Fails or Times Out (retransmission count exceeded the limit)
Problem
IKEv2 IKE negotiation fails or times out.
Symptoms
The output from the ipsec_report -sa ike command does not show the IKEv2 SA. The
audit file on the initiator shows an error message similar to the following:
Msg: 240 From: IKMPD Lvl: ERROR Date: Tue Mar 3 21:40:14 2009
Event: local ? - remote ?:retransmission count exceeded the limit
These symptoms are also present if the first IPsec SA negotiation fails for a given IKEv2 SA. See
“Determining if the IKEv2 SA Negotiation Succeeded” (page 154) for information on determining
if the IKEv2 SA was established.
Solution
• Use the ipsec_report -audit command to view the audit file entries. If the IKEv2 SA
negotiation fails, the message retransmission count exceeded the limit can
indicate either:
— A connectivity problem with the remote system.
— A mismatch in IKE configuration. HP-UX and other IKE responders will not respond
if the initiator sends an unacceptable SA proposal. In this case, the initiator audit file
shows the retransmission count exceeded the limit error message.
Check that the responder is receiving the IKE messages from the initiator. If the audit level
is set to informative on the responder, the audit file will contain a message similar to the
following if it is receiving the initial IKE negotiation message:
Msg: 145 From: IKMPD Lvl: INFORMATIVE Date: Tue Feb 24 22:39:59 2009
Event: found ikev2 policy: default
The log file on the responder may also show an error message that indicates a mismatch in
the IKEv2 SA proposals, such as the following:
Msg: 123 From: IKMPD Lvl: ERROR Date: Mon Feb 23 21:36:54 2009
Event: local 10.2.2.2/500 - remote 10.1.1.1/500:no proposal chosen
• Use the ipsec_policy utility to determine the IKE policy being used, as described in
“Using ipsec_policy” (page 146). Verify that the values for the following IKE parameters match
the values on the remote system:
— Diffie-Hellman group
— Local and remote authentication method
— Hash algorithm
— Encryption algorithm
— Pseudo-random function
— The preshared key value, if you are using preshared key authentication. On HP-UX
systems, this is configured using the ipsec_config add auth command. HP-UX
156 Troubleshooting HP-UX IPSec
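The first solution step above is a small decision procedure over the initiator and responder audit files: a retransmission failure on the initiator, then checking whether the responder logged "found ikev2 policy" (it received the message) and whether it logged "no proposal chosen" (SA proposal mismatch). The following is an added example, not part of the guide or of HP-UX IPSec, that parses the two-line Msg:/Event: layout shown in this section and applies those steps; the sample entries are constructed from the messages quoted above, and the parse_audit and diagnose names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample audit entries in the two-line "Msg:" / "Event:" layout
# that ipsec_report -audit prints (values copied from the messages quoted
# in this section; not captured from a live system).
INITIATOR_AUDIT = """\
Msg: 240 From: IKMPD Lvl: ERROR Date: Tue Mar 3 21:40:14 2009
Event: local ? - remote ?:retransmission count exceeded the limit
"""

RESPONDER_AUDIT = """\
Msg: 145 From: IKMPD Lvl: INFORMATIVE Date: Tue Feb 24 22:39:59 2009
Event: found ikev2 policy: default
Msg: 123 From: IKMPD Lvl: ERROR Date: Mon Feb 23 21:36:54 2009
Event: local 10.2.2.2/500 - remote 10.1.1.1/500:no proposal chosen
"""

HEADER = re.compile(r"^Msg:\s*(\d+)\s+From:\s*(\S+)\s+Lvl:\s*(\S+)\s+Date:\s*(.+)$")

@dataclass
class AuditEntry:
    msg: int
    source: str
    level: str
    date: str
    event: str

def parse_audit(text):
    """Pair each 'Msg:' header line with the 'Event:' line that follows it."""
    entries, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = m
        elif line.startswith("Event:") and header:
            entries.append(AuditEntry(int(header.group(1)), header.group(2),
                                      header.group(3), header.group(4),
                                      line[len("Event:"):].strip()))
            header = None
    return entries

def diagnose(initiator_audit, responder_audit):
    """Apply the guide's decision steps to the initiator and responder audit files."""
    ini = [e.event for e in parse_audit(initiator_audit)]
    rsp = [e.event for e in parse_audit(responder_audit)]
    if not any("retransmission count exceeded the limit" in e for e in ini):
        return "no retransmission failure on initiator"
    if not any(e.startswith("found ikev2 policy") for e in rsp):
        return "responder never saw the IKE message: check connectivity"
    if any(e.endswith("no proposal chosen") for e in rsp):
        return "responder rejected the SA proposal: compare IKE parameters"
    return "responder received the message but no SA: check IKE configuration"
```

The responder check assumes its audit level is set to informative, as the section notes; at a lower level the "found ikev2 policy" entry is absent and the connectivity branch would be reported even when packets arrive.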