
IPSec Does not respond

 
Srinivas_3
Occasional Advisor

IPSec Does not respond

While the system is running, IPSec suddenly stops responding, so from one system we cannot telnet to another system on an IPSec-encrypted port. The IPSec audit log normally shows errors like:
Msg: 4 From: IKMPD Lvl: ERROR Date: Mon Jan 21 16:59:07 2002
Event: Error processing SA payload
Msg: 1 From: IKMPD Lvl: ERROR Date: Mon Jan 21 16:59:07 2002
Event: IPSEC_RULE request timeout, seq 202708
.......
.......

Is there any document we can refer to for the meaning of these errors?
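An added example, not from the thread or from HP: a small POSIX shell/awk summarizer for the two-line audit record format quoted above (a "Msg: ... From: ... Lvl: ... Date: ..." header followed by an "Event:" line), so that recurring IKMPD failures can be counted by event type instead of read one at a time. The sample records are constructed from the lines in the post; on a real system the input would be the audit file under /var/adm/ipsec.

```shell
#!/bin/sh
# Constructed sample in the two-line audit record format quoted in the post.
SAMPLE_LOG='Msg: 4 From: IKMPD Lvl: ERROR Date: Mon Jan 21 16:59:07 2002
Event: Error processing SA payload
Msg: 1 From: IKMPD Lvl: ERROR Date: Mon Jan 21 16:59:07 2002
Event: IPSEC_RULE request timeout, seq 202708
Msg: 2 From: IKMPD Lvl: ERROR Date: Mon Jan 21 17:02:11 2002
Event: IPSEC_RULE request timeout, seq 202709
Msg: 7 From: SECPOLICYD Lvl: WARNING Date: Mon Jan 21 17:05:00 2002
Event: Policy reloaded'

# summarize_audit LEVEL < auditfile
# Prints "count<TAB>source<TAB>event" for records at the given level,
# most frequent first, so the failure that recurs surfaces at the top.
summarize_audit() {
    level=${1:-ERROR}
    awk -v want="$level" '
        /^Msg:/ {
            # header line: pick out the From: (daemon) and Lvl: (severity) fields
            src = ""; lvl = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "From:") src = $(i+1)
                if ($i == "Lvl:")  lvl = $(i+1)
            }
            next
        }
        /^Event:/ && lvl == want {
            ev = substr($0, 8)               # text after "Event: "
            # drop the per-request sequence number so timeouts group together
            sub(/, seq [0-9]+$/, "", ev)
            count[src "\t" ev]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -rn
}

# error_count LEVEL < auditfile : total number of records at that level
error_count() {
    summarize_audit "$1" | awk -F'\t' '{ n += $1 } END { print n + 0 }'
}

# Run against the constructed sample (use the real audit file in practice).
printf '%s\n' "$SAMPLE_LOG" | summarize_audit ERROR
```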
Steven Sim Kok Leong
Honored Contributor

Re: IPSec Does not respond

Hi,

The negotiation and key exchange over IKE SA is via the ISAKMP protocol at service port 500. This is always performed before the IPSEC SA can be created and used.

From the error messages you got, I would guess that this IKE SA negotiation probably failed.

Hope this helps. Regards.

Steven Sim Kok Leong
Clemens van Everdingen
Honored Contributor

Re: IPSec Does not respond

Hi,

Here is some documentation !

http://docs.hp.com/hpux/internet/index.html#IPSec/9000

http://docs.hp.com/hpux/pdf/J4255-90011.pdf

Regards,
C.
The computer is a great invention, there are as many mistakes as ever, but they are nobody's fault !
Srinivas_3
Occasional Advisor

Re: IPSec Does not respond

What could be the reasons for the key negotiations to fail?
Clemens van Everdingen
Honored Contributor

Re: IPSec Does not respond

Hi,

Did you use the ipsec_admin -status command to see if all processes are running?

Should look like this:

# ipsec_admin -status

----------------- IPSec Status Report -----------------
secauditd program: Running and responding
secpolicyd program: Running and responding
ikmpd program: Running and responding
IPSec kernel: Up
IPSec Audit level: Error
IPSec Audit file: /var/adm/ipsec/auditTue-Jul-17-11-28-29-2001.log
Max Audit file size: 100 KBytes
IPSec Policy file: /var/adm/ipsec/policies.txt
Level 4 tracing: None
-------------- End of IPSec Status Report -------------


Possibly a restart will solve the issue.

C.
The computer is a great invention, there are as many mistakes as ever, but they are nobody's fault !
Srinivas_3
Occasional Advisor

Re: IPSec Does not respond

Restarting IPSec and flushing the SAs and policies etc. have been tried, but as it is on production systems, the web application keeps failing because the IPSec-configured ports are not responding. So I want to know why this error comes frequently and what the remedy is.
Clemens van Everdingen
Honored Contributor

Re: IPSec Does not respond

Hi,

You could turn tracing on to see what happens.

-----------------------------------------------
IPSec tracing

If the problem may be caused by the transport or application layer, enable layer four tracing, recreate the problem, then disable tracing. Trace output will be sent to /var/adm/ipsec/nettl.TRC0. You may trace TCP, UDP, IGMP or all. Typical netfmt options can be used to format the output.

# ipsec_admin -traceon all
IPSEC_ADMIN: Please enter the IPSec password: ***************
IPSEC_ADMIN: WARNING-Enabling any Level 4 tracing (TCP, UDP, or IGMP) started
IPSEC_ADMIN: WARNING-by ipsec_admin. Ignore following nettl msg(s) if any.
IPSEC_ADMIN: Level 4 tracing successfully enabled for TCP, UDP, and IGMP.

# ipsec_admin -tf all
IPSEC_ADMIN: Please enter the IPSec password: ***************
IPSEC_ADMIN: WARNING-Disabling any Level 4 tracing (TCP, UDP, or IGMP) started
IPSEC_ADMIN: WARNING-by ipsec_admin. Ignore following nettl msg(s) if any.
IPSEC_ADMIN: Level 4 tracing successfully disabled for TCP, UDP, and IGMP.


C.
The computer is a great invention, there are as many mistakes as ever, but they are nobody's fault !