HP-UX IPSec Version A.03.00 Administrator's Guide

Security Policy Database Limit Exceeded (Kernel Policy Cache Threshold reached or Kernel Policy Cache Threshold exceeded)
Problem
The Security Policy Database (SPD) has reached its soft size limit or exceeded its hard size limit.
Symptoms
The SPD is the HP-UX IPSec runtime policy database; it caches policy decisions for packet
descriptors (five-tuples consisting of an exact, non-wildcard source IP address, destination IP address,
protocol, source port, and destination port).
When the size of the SPD exceeds the soft limit, HP-UX IPSec logs an alert message to the system
console and the audit file, and logs an additional alert message for each 1000 SPD entries added.
You will see log messages similar to the following:
Msg: 20 From: SECPOLICYD Lvl: ALERT Date: Tue Apr 20 11:30:39 2004
Event: Kernel Policy Cache Threshold reached nnnn records.
where nnnn is the soft limit.
When the hard limit is exceeded, HP-UX IPSec stops adding new entries to the SPD and stops
transmitting and receiving packets that do not match an existing SPD entry. Because any packet
that needs a new SPD entry is dropped, this condition blocks new traffic until the limit is raised,
so treat the hard-limit alert as urgent. You will see log messages similar to the following:
Msg: 55 From: SECPOLICYD Lvl: ALERT Date: Tue Apr 20 12:14:42 2004
Event: Kernel Policy Cache Threshold exceeded nnnn records.
where nnnn is the hard limit.
Solution
Use the following ipsec_config commands to set new SPD soft and hard limits:
ipsec_config add startup -spd_soft spd_soft_limit
ipsec_config add startup -spd_hard spd_hard_limit
The spd_soft_limit and spd_hard_limit are specified in units of 1000 entries. Refer to the
ipsec_config(1M) manpage for more information.
You can also use the ipsec_admin -start -spd_soft spd_soft_limit and
ipsec_admin -start -spd_hard spd_hard_limit commands to set new SPD soft and
hard limits at system startup time. Refer to the ipsec_admin(1M) manpage for more information.
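The following shell script is an added example and is not code from the HP-UX IPSec guide or product. It scans a log file for the SECPOLICYD "Kernel Policy Cache Threshold" alerts described under Symptoms, reports whether the soft or hard limit was hit, and prints (but does not run) the ipsec_config commands from the Solution with arguments converted into units of 1000 entries. The sample log excerpt, its path, the limit values 4000 and 6000, and the "double the logged limit" sizing policy are all constructed for this example.

```sh
#!/bin/sh
# Added example; not code from the HP-UX IPSec guide or product.
# Detects the SECPOLICYD SPD threshold alerts and derives ipsec_config
# arguments for larger limits. Assumes the alert wording shown on this page:
#   Event: Kernel Policy Cache Threshold reached|exceeded NNNN records.
# The sample log, its path and the sizing policy below are constructed.

# spd_threshold_state LOGFILE
#   Prints "none", "soft N" or "hard N", where N is the limit value from the
#   newest matching alert. A hard-limit alert outranks soft-limit alerts,
#   because past the hard limit packets needing a new SPD entry are dropped.
spd_threshold_state() {
    awk '
        /Kernel Policy Cache Threshold (reached|exceeded)/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "Threshold") { kind = $(i + 1); n = $(i + 2) }
            }
            if (kind == "exceeded") { hard = n } else if (kind == "reached") { soft = n }
        }
        END {
            if (hard != "") { print "hard " hard } else if (soft != "") { print "soft " soft } else { print "none" }
        }' "$1"
}

# spd_units ENTRIES
#   Converts an entry count into the -spd_soft / -spd_hard argument, which
#   the guide specifies in units of 1000 entries (rounded up here).
spd_units() {
    echo $(( ($1 + 999) / 1000 ))
}

# spd_resize_commands LOGFILE
#   Prints ipsec_config commands for a new soft limit of twice the logged
#   threshold and a hard limit of three times it. This 2x/3x policy is a
#   hypothetical choice for the example; size real limits from the number
#   of distinct five-tuples the host actually handles.
#   Returns 1 and prints nothing when the log holds no threshold alert.
spd_resize_commands() {
    state=$(spd_threshold_state "$1")
    [ "$state" != none ] || return 1
    limit=${state#* }
    soft_units=$(spd_units $(( limit * 2 )))
    hard_units=$(spd_units $(( limit * 3 )))
    echo "ipsec_config add startup -spd_soft $soft_units"
    echo "ipsec_config add startup -spd_hard $hard_units"
}

# spd_write_sample_log FILE
#   Writes a constructed log excerpt in the form shown above. The limit
#   values 4000 and 6000 are invented for this example.
spd_write_sample_log() {
    cat > "$1" <<'EOF'
Msg: 20 From: SECPOLICYD Lvl: ALERT Date: Tue Apr 20 11:30:39 2004
Event: Kernel Policy Cache Threshold reached 4000 records.
Msg: 55 From: SECPOLICYD Lvl: ALERT Date: Tue Apr 20 12:14:42 2004
Event: Kernel Policy Cache Threshold exceeded 6000 records.
EOF
}

# Usage on the constructed sample; a real check would point at the HP-UX
# IPSec audit file instead.
SPD_SAMPLE_LOG=${TMPDIR:-/tmp}/spd_sample_$$.log
spd_write_sample_log "$SPD_SAMPLE_LOG"
echo "state: $(spd_threshold_state "$SPD_SAMPLE_LOG")"
spd_resize_commands "$SPD_SAMPLE_LOG"
rm -f "$SPD_SAMPLE_LOG"
```

The commands are printed rather than executed because raising the limits is a capacity decision: a very large SPD defers the alert but also lets a host that is flooded with distinct five-tuples consume more kernel memory, so review the chosen values before applying them with ipsec_config or ipsec_admin -start.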