HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

“Security Policy Database Limit Exceeded (Kernel Policy Cache Threshold reached or Kernel Policy Cache Threshold exceeded)” (page 137)
“ipsec_report -sa display of the phase 2 associations will not reflect the key length of AES transform combination” (page 138)
HP-UX IPSec Incorrectly Passes Packets
Problem
IPsec is incorrectly allowing packets to pass in clear text instead of authenticating, encrypting, or
discarding the packets.
Symptoms
No error messages and no interruption of user service, but either no SAs are established, or IPsec is passing
packets up to the upper layers that it should have discarded.
Solution
Run the following commands:
ipsec_admin -status (verify that HP-UX IPSec is started)
ipsec_report -sa ipsec (check for IPsec SAs)
ipsec_policy (determine the policy being used)
ipsec_report -cache (check the cached policy decisions)
ipsec_report -host (check for active host IPsec policies)
ipsec_report -bypass (verify that the local address is not in the bypass list)
Check the configuration for incorrect addresses, incorrect rule order, or other errors. Check
whether the host policy has the FALLBACK_TO_CLEAR flag set.
If HP-UX IPSec is misconfigured so that it passes packets it should authenticate or encrypt, there are
no obvious external symptoms: the traffic still flows, just without protection. Confirm that HP-UX IPSec
has actually established SAs and is encrypting or authenticating the packets by checking for IPsec SAs
with the following commands:
ipsec_report -sa ipsec
ipsec_report -host
If there are no SAs for the IP packets you expect to be protected, and users report no errors, HP-UX IPSec
is probably misconfigured and passing packets it should not. Determine which IPsec policy is being
applied to the traffic by running ipsec_policy, or by examining the output of the ipsec_report -cache and
ipsec_report -host commands.
Verify that the local IPv4 address is not in the bypass list (ipsec_report -bypass); traffic to and from a
bypassed address is not subject to IPsec policy.
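The checklist above, collected into a script. This is an added example and is not code from the HP-UX IPSec Administrator's Guide or from HP: it runs the commands the guide lists, keeps each command's output for review, and flags the three conditions the guide names (no IPsec SA for the flow, the local address in the bypass list, and a host policy with FALLBACK_TO_CLEAR). It assumes the ipsec_* tools are on PATH, and it examines their output by plain text matching for the addresses and the flag name, because the exact output layout of ipsec_report is not reproduced here. The sample output at the bottom is constructed so the analysis can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the HP-UX IPSec Administrator's Guide.
# Runs the "HP-UX IPSec Incorrectly Passes Packets" checklist and flags:
#   - no IPsec SA listed for the remote peer
#   - the local address present in the bypass list
#   - a host policy carrying the FALLBACK_TO_CLEAR flag
# Assumptions (mine, not the guide's): the ipsec_* commands are on PATH and
# their output is searched with plain text matching; the layout of that
# output is not reproduced here.

# Return 0 if ADDR ($2) appears as a whole dotted-quad token in TEXT ($1).
# The boundary classes stop 10.0.0.1 from matching inside 10.0.0.100.
addr_in_text() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -E "(^|[^0-9.])${esc}([^0-9.]|$)" >/dev/null 2>&1
}

# Return 0 if TEXT ($1) mentions FALLBACK_TO_CLEAR as a whole word.
has_fallback_to_clear() {
    printf '%s\n' "$1" | grep -E '(^|[^A-Za-z0-9_])FALLBACK_TO_CLEAR([^A-Za-z0-9_]|$)' >/dev/null 2>&1
}

# Evaluate captured output. Arguments: SA listing, bypass listing, host
# policy listing, local address, remote address. Prints one FINDING line
# per condition detected and always returns 0 so callers can count lines.
analyze_outputs() {
    sa_out=$1; bypass_out=$2; host_out=$3; local_addr=$4; remote_addr=$5
    if ! addr_in_text "$sa_out" "$remote_addr"; then
        echo "FINDING: no IPsec SA listed for peer $remote_addr; check the policy with ipsec_policy and ipsec_report -cache"
    fi
    if addr_in_text "$bypass_out" "$local_addr"; then
        echo "FINDING: local address $local_addr is in the bypass list; its traffic is not subject to IPsec policy"
    fi
    if has_fallback_to_clear "$host_out"; then
        echo "FINDING: a host policy has FALLBACK_TO_CLEAR set; traffic passes in the clear when no SA is negotiated"
    fi
    return 0
}

# Run the guide's command sequence, saving each output under LOGDIR, then
# analyze the three listings that matter for this scenario.
# Usage: run_checklist LOCAL_ADDR REMOTE_ADDR [LOGDIR]
run_checklist() {
    local_addr=$1; remote_addr=$2; logdir=${3:-/tmp/ipsec_check.$$}
    mkdir -p "$logdir"
    for cmd in 'ipsec_admin -status' 'ipsec_report -sa ipsec' 'ipsec_policy' \
               'ipsec_report -cache' 'ipsec_report -host' 'ipsec_report -bypass'; do
        out="$logdir/$(printf '%s' "$cmd" | tr ' ' '_').out"
        # Keep stdout, stderr and the exit status of every command for review.
        if $cmd >"$out" 2>&1; then echo "exit=0" >>"$out"; else echo "exit=$?" >>"$out"; fi
    done
    analyze_outputs "$(cat "$logdir/ipsec_report_-sa_ipsec.out")" \
                    "$(cat "$logdir/ipsec_report_-bypass.out")" \
                    "$(cat "$logdir/ipsec_report_-host.out")" \
                    "$local_addr" "$remote_addr"
    echo "raw command output saved under $logdir"
}

# Constructed sample output (not real ipsec_report output) for an offline run:
# no SAs at all, the local address bypassed, and FALLBACK_TO_CLEAR set.
SAMPLE_SA=''
SAMPLE_BYPASS='bypass list: 10.0.0.1 10.0.0.100'
SAMPLE_HOST='host policy hp1 flags FALLBACK_TO_CLEAR'

# "script --run LOCAL REMOTE" runs the live checklist; otherwise demonstrate
# the analysis on the constructed sample, which yields three FINDING lines.
if [ "${1:-}" = "--run" ] && [ $# -eq 3 ]; then
    run_checklist "$2" "$3"
else
    analyze_outputs "$SAMPLE_SA" "$SAMPLE_BYPASS" "$SAMPLE_HOST" 10.0.0.1 10.0.0.2
fi
```

The matching is deliberately format-agnostic: a whole-token match on the address is enough to decide whether an SA or bypass entry involves it, whatever columns ipsec_report prints around it, and the saved raw output is what you read once a FINDING line points you at the right command.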
HP-UX IPSec Incorrectly Attempts to Encrypt/Authenticate Packets
Problem
IPsec is attempting to encrypt or authenticate (apply a transform to) packets that should not be
encrypted or authenticated.
Symptoms
Link errors (unable to connect, or connection timeouts) on traffic that should not be
encrypted or authenticated.
Solution
Run the following commands: