HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

7 Troubleshooting HP-UX IPSec
This chapter describes procedures for troubleshooting HP-UX IPSec software.
It contains the following sections:
“Troubleshooting Utilities Overview” (page 119)
“Troubleshooting Procedures” (page 122)
“Reporting Problems” (page 127)
“Troubleshooting Scenarios” (page 128). This section describes the following problems and
how to resolve them:
“HP-UX IPSec Incorrectly Passes Packets” (page 129)
“HP-UX IPSec Incorrectly Attempts to Encrypt/Authenticate Packets” (page 129)
“HP-UX IPSec Attempts to Encrypt/Authenticate and Fails” (page 130)
“IKEv1 SA Negotiation Fails or Times Out (phase1 negotiation failed)” (page 131)
“IKEv2 SA Negotiation Fails or Times Out (retransmission count exceeded the
limit)” (page 132)
“IPsec SA Negotiation Fails” (page 133)
“IKE Primary Authentication Fails with Certificates” (page 135)
“HP-UX Will Not Start (ipsec_admin -start Fails)” (page 136)
“Corrupt or Missing HP-UX IPSec Configuration Database” (page 136)
“Autoboot is Not Working Properly” (page 137)
“Security Policy Database Limit Exceeded (Kernel Policy Cache Threshold
reached or Kernel Policy Cache Threshold exceeded)” (page 137)
The information in “HP-UX IPSec Operation” (page 146) can also help you understand and
troubleshoot HP-UX IPSec.
Troubleshooting Utilities Overview
HP-UX IPSec provides three troubleshooting utilities:
ipsec_admin: Returns status information and allows the administrator to change the audit
level, audit file directory, and audit file size, and to enable or disable level 4 (TCP,
UDP, IGMP) data tracing.
ipsec_report: Reports HP-UX IPSec operating parameters and displays the contents of audit
files. The output can be displayed to stdout or sent to a file.
ipsec_policy: Allows the administrator to determine which IPsec policy will be used for a
given packet.
See the online manpages for these utilities for more information on how to use them and
how to interpret their output. The sections that follow describe common tasks and the
commands to perform them:
“Getting General Information” (page 120)
“Getting SA Information” (page 120)
“Getting Policy Information” (page 120)