HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
• Output from the ipsec_policy command. Specify as many parameters as you can (source IP address, source port, destination IP address, destination port, protocol).
• If the problem may be caused by the transport or application layer, enable layer four tracing (ipsec_admin -traceon), recreate the problem, and then disable tracing (ipsec_admin -traceoff). Trace output will be sent to /var/admin/ipsec/nettl.TRC0 and /var/admin/ipsec/nettl.TRC, if nettl tracing is not already enabled and directed to another file set.
NOTE: IP and ICMP tracing are still available when IPsec is running. AH provides authentication only, so packets secured with AH remain in clear text and their contents are still visible in a nettl trace. The netfmt utility can parse only the IP header of such output; it displays any data following the IP header as hexadecimal values.
• A formatted listing of the configuration database. Use the following command to get a listing:
ipsec_config show all
If you are using security certificates, include the contents of the /var/adm/ipsec/certstore/ directory.
• If you are using security certificates, include the output from the following commands:
ipsec_config show mycert
ipsec_config show cacert
• The contents of the IP configuration file:
/etc/rc.config.d/netconf
• If the problem is reproducible, re-create it with the audit level set to informative.
• Output from the following ndd commands:
ndd -get /dev/ip ip_ipsec_polist
ndd -get /dev/ip ip_ipsec_salist
ndd -get /dev/ip ip_ipsec_status
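The following POSIX sh script is an added example, not part of the HP-UX IPSec guide and not an HP tool. It collects the items listed above into one directory so that the data sent with a problem report is complete and gathered the same way every time, and it wraps the trace-on, reproduce, trace-off sequence so tracing is never left enabled by mistake. The function names, the default output directory /var/tmp/ipsec_support.<pid>, and the practice of recording a note when a command or file is absent are assumptions of this example; every command is guarded with command -v so the script degrades gracefully on a host without HP-UX IPSec.

```shell
#!/bin/sh
# Added example (not part of the HP-UX IPSec guide, and not an HP tool):
# gathers the support-call items listed in the guide into one directory.
# Every command is guarded with command -v, so the script also runs on a
# host without HP-UX IPSec and simply records what was unavailable.
# The default output location /var/tmp/ipsec_support.<pid> is an assumption.

# run_section REPORT LABEL CMD... : append the command's output to REPORT
# under a header, or record that the command is not available on this host.
run_section() {
    report=$1; label=$2; shift 2
    printf '==== %s: %s ====\n' "$label" "$*" >> "$report"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >> "$report" 2>&1 || printf '(exit status %d)\n' "$?" >> "$report"
    else
        printf '(%s not available on this host)\n' "$1" >> "$report"
    fi
}

# collect_ipsec_support_data [OUTDIR] : gather the configuration database,
# certificate listings, IP configuration file, certstore directory and the
# ndd policy/SA/status lists. Prints the output directory on success.
collect_ipsec_support_data() {
    outdir=${1:-/var/tmp/ipsec_support.$$}
    mkdir -p "$outdir" || return 1
    report="$outdir/report.txt"
    : > "$report"

    run_section "$report" "Configuration database" ipsec_config show all
    run_section "$report" "Host certificate"        ipsec_config show mycert
    run_section "$report" "CA certificate"          ipsec_config show cacert
    run_section "$report" "Policy list"             ndd -get /dev/ip ip_ipsec_polist
    run_section "$report" "SA list"                 ndd -get /dev/ip ip_ipsec_salist
    run_section "$report" "IPsec status"            ndd -get /dev/ip ip_ipsec_status

    # Files and directories the guide asks for: copy when present, note when absent.
    for path in /etc/rc.config.d/netconf /var/adm/ipsec/certstore; do
        if [ -r "$path" ]; then
            cp -R "$path" "$outdir/" 2>> "$report"
        else
            printf '==== %s: not present or not readable ====\n' "$path" >> "$report"
        fi
    done
    echo "$outdir"
}

# trace_reproduce OUTDIR CMD... : enable layer-four tracing, run the command
# that reproduces the problem, disable tracing again, then copy the trace
# files named in the guide into OUTDIR. If ipsec_admin is absent the tracing
# steps are skipped and noted in the report, but the command still runs.
trace_reproduce() {
    outdir=$1; shift
    report="$outdir/report.txt"
    run_section "$report" "Enable tracing" ipsec_admin -traceon
    printf '==== Reproduction command: %s ====\n' "$*" >> "$report"
    "$@" >> "$report" 2>&1 || printf '(reproduction exit status %d)\n' "$?" >> "$report"
    run_section "$report" "Disable tracing" ipsec_admin -traceoff
    for trc in /var/admin/ipsec/nettl.TRC0 /var/admin/ipsec/nettl.TRC; do
        [ -r "$trc" ] && cp "$trc" "$outdir/"
    done
    return 0
}
```

Typical use is to run collect_ipsec_support_data first, then trace_reproduce with the output directory and the command that triggers the failure (for example a client connection attempt), and finally to add the ipsec_policy output for the specific flow and the informative-level audit log by hand, since those depend on the addresses and ports of the problem traffic.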
Troubleshooting Scenarios
This section contains information about the following common troubleshooting scenarios, including their symptoms and resolutions:
• “HP-UX IPSec Incorrectly Passes Packets” (page 129)
• “HP-UX IPSec Incorrectly Attempts to Encrypt/Authenticate Packets” (page 129)
• “HP-UX IPSec Attempts to Encrypt/Authenticate and Fails” (page 130)
• “IKEv1 SA Negotiation Fails or Times Out (phase1 negotiation failed)” (page 131)
• “IKEv2 SA Negotiation Fails or Times Out (retransmission count exceeded the limit)” (page 132)
• “IPsec SA Negotiation Fails” (page 133)
• “IKE Primary Authentication Fails with Certificates” (page 135)
• “HP-UX Will Not Start (ipsec_admin -start Fails)” (page 136)
• “Corrupt or Missing HP-UX IPSec Configuration Database” (page 136)
• “Autoboot is Not Working Properly” (page 137)
128 Troubleshooting HP-UX IPSec