< Home

IPSEC-VPN_1.3.6.1.4.1.2011.6.122.26.6.14 hwIPSecNegoFail

Description

IPSEC-VPN/4/IPSECNEGOFAIL: OID [OID] IPSec tunnel negotiation fails. (Ifindex=[Ifindex], SeqNum=[SeqNum], Reason=[Reason], ReasonCode=[ReasonCode], PeerAddress=[PeerAddress], PeerPort=[PeerPort], VsysName=[vsys-name], InterfaceName=[InterfaceName], ConnID=[ConnID])

IPSec tunnel negotiation fails.

Attribute

Alarm ID Alarm Severity Alarm Type

1.3.6.1.4.1.2011.6.122.26.6.14

Warning

Communications alarm

Parameters

Name Meaning

OID

Indicates the MIB object ID of the alarm.

Ifindex

Indicates the index of the interface on the IPSec tunnel.

SeqNum

Indicates the sequence number of the IPSec policy.

Reason

Indicates the reason of IPSec tunnel negotiation failure.

ReasonCode

Indicates the reason code of IPSec tunnel negotiation failure.

  • 1: phase1 proposal mismatch
  • 2: phase2 proposal or pfs mismatch
  • 3: encapsulation mode mismatch
  • 4: flow or peer mismatch
  • 5: version mismatch
  • 6: responder dh mismatch
  • 7: initiator dh mismatch
  • 12: peer address mismatch
  • 13: config ID mismatch
  • 14: construct local ID fail
  • 15: authentication fail
  • 16: rekey no find old sa
  • 17: rekey fail
  • 18: first packet limited
  • 21: invalid cookie
  • 24: invalid length
  • 26: unsupported version
  • 28: malformed payload
  • 30: malformed message
  • 31: cookie mismatch
  • 32: exchange mode mismatch
  • 33: unknown exchange type
  • 34: critical drop
  • 35: uncritical drop
  • 39: local address mismatch
  • 40: nat detection fail
  • 41: ipsec tunnel number reaches limitation
  • 42: dynamic peers number reaches limitation
  • 49: no policy applied on interface
  • 50: fragment packet limit
  • 51: fragment packet reassemble timeout

PeerAddress

Indicates the remote IP address.

PeerPort

Indicates the remote UDP port number.

vsys-name

Indicates the name of the virtual system to which the IPSec policy belongs.

NOTE:

The device does not support this parameter.

InterfaceName

Indicates the interface name.

ConnID

Indicates the connection ID of an SA.

Impact on the System

Creating an IPSec tunnel will fail.

Possible Causes

The possible causes are as follows:

  • phase1 proposal mismatch: IKE proposal parameters of the two ends do not match.
  • phase2 proposal or pfs mismatch: IPSec proposal parameters, pfs algorithm, or security ACL of the two ends do not match.
  • responder dh mismatch: The DH algorithm of the responder does not match.
  • initiator dh mismatch: The DH algorithm of the initiator does not match.
  • encapsulation mode mismatch: The encapsulation mode does not match.
  • flow or peer mismatch: The security ACL or IKE peer address of the two ends does not match.
  • version mismatch: The IKE version number of the two ends does not match.
  • peer address mismatch: The IKE peer address of the two ends does not match.
  • config ID mismatch: The IKE peer of the specified ID is not found.
  • exchange mode mismatch: The negotiation mode of the two ends does not match.
  • authentication fail: Identity authentication fails.
  • construct local ID fail: The local ID fails to be constructed.
  • rekey no find old sa: The old SA is not found during re-negotiation.
  • rekey fail: The old SA is going offline during re-negotiation.
  • first packet limited: The rate of the first packet is limited.
  • unsupported version: The IKE version number is not supported.
  • malformed message: Malformed message.
  • malformed payload: Malformed payload.
  • critical drop: Unidentified critical payload.
  • cookie mismatch: Cookie mismatch.
  • invalid cookie: Invalid cookie.
  • invalid length: Invalid packet length.
  • unknown exchange type: Unknown negotiation mode.
  • uncritical drop: Unidentified non-critical payload.
  • local address mismatch: The local IP address in IKE negotiation and interface IP address do not match.
  • dynamic peers number reaches limitation: The number of IKE peers reaches the upper limit.
  • ipsec tunnel number reaches limitation: The number of IPSec tunnels reaches the upper limit.
  • no policy applied on interface: No policy is applied to an interface.
  • nat detection fail: NAT detailed failed.
  • fragment packet limit: Fragment packets exceed the limit.
  • fragment packet reassemble timeout: Fragment packet reassembly times out.

Procedure

  • Cause: phase1 proposal mismatch

    Check IKE proposal parameters at both ends of the IPSec tunnel and ensure that the parameters are consistent at both ends.

  • Cause: phase2 proposal or pfs mismatch

    Check IPSec proposal parameters or PFS algorithms at both ends of the IPSec tunnel and ensure that the parameters or algorithms are consistent at both ends.

  • Cause: responder dh mismatch, initiator dh mismatch

    Check DH algorithms at both ends of the IPSec tunnel and ensure that the algorithms are consistent at both ends.

  • Cause: encapsulation mode mismatch

    Check encapsulation modes at both ends of the IPSec tunnel and ensure that the encapsulation modes are consistent at both ends.

  • Cause: peer address mismatch

    Check the IP addresses of IKE peers at both ends and ensure that the IP addresses match each other.

  • Cause: config ID mismatch

    Check identity authentication parameters, such as the ID type and ID value, and ensure that the parameters match each other.

  • Cause: authentication fail

    Check IKE proposal parameters or IKE peer parameters at both ends of the IPSec tunnel and ensure that the parameters are consistent at both ends.

  • Cause: exchange mode mismatch

    Check the IKEv1 phase 1 negotiation modes at both ends and ensure that the negotiation modes are consistent at both ends.

  • Cause: route limit

    Replace the device with the one that has a higher route specification and plan the network properly.

  • Cause: local address mismatch

    Check the local IP address and interface IP address used in IKE negotiation and ensure that the IP addresses are consistent.

  • Cause: ipsec tunnel number reaches limitation

    Delete unnecessary IPSec tunnels or expand the capacity.

  • Cause: dynamic peers number reaches limitation

    Expand the capacity and plan the network properly.

  • Cause: no policy applied on interface

    Apply the required IPSec policy to the interface.

  • Cause: fragment packet limit

    The number of received fragmented packets exceeds the limit. Adjust the MTU of the peer device correctly.

  • Cause: fragment packet reassemble timeout

    Ensure that the links at both ends are normal and the device status is normal.

  • If the fault persists, collect related information and contact technical support personnel.
Parent Topic: IPSec
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >