
display ike error-info

Function

The display ike error-info command displays information about IPSec tunnel negotiation failures using IKE.

Format

display ike error-info [ verbose ] [ peer remote-address ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| verbose | Displays details about IPSec tunnel negotiation failures using IKE. | - |
| peer remote-address | Displays information about IPSec tunnel negotiation failures using IKE with a specified remote IP address. | The value is in dotted decimal notation. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The command output contains information about the latest 200 IPSec tunnel negotiation failures using IKE.

Example

# Display information about IPSec tunnel negotiation failures using IKE.

<HUAWEI> display ike error-info

  current info Num :2
  Ike error information:
  current ike Error-info number :2
  -----------------------------------------------------------------------------
  peer       port      error-reason                version     error-time
  -----------------------------------------------------------------------------
  10.1.1.1  500       phase1 proposal mismatch     v1          2013-08-26 13:42:37
  10.1.1.1  500       phase1 proposal mismatch     v1          2013-08-26 13:08:45
  -----------------------------------------------------------------------------

# Display details about IPSec tunnel negotiation failures using IKE.

<HUAWEI> display ike error-info verbose 

  current info Num :1
  Ike error information:
  current ike Error-info number :1
--------------------------------------------------------------------------
Peer       : 10.1.1.1
Port       : 500
version    : v1
Reason     : phase1 proposal mismatch
Detail     : phase1 proposal mismatch
Error-time : 2013-08-26 12:02:37
--------------------------------------------------------------------------

Table 1 Description of the display ike error-info command output

Item

Description

current info Num

Current information number.

Ike error information

Information about IPSec tunnel negotiation failures using IKE.

current ike Error-info number

Number of IPSec tunnel negotiation failures using IKE.

peer or Peer

Remote IP address.

port or Port

Peer UDP port number.

error-reason or Reason

Causes for IPSec tunnel negotiation failures using IKE:

  • phase1 proposal mismatch: IKE proposal parameters of the two ends do not match.
  • phase2 proposal or pfs mismatch: IPSec proposal parameters, pfs algorithm, or security ACL of the two ends do not match.
  • responder dh mismatch: The DH algorithm of the responder does not match.
  • initiator dh mismatch: The DH algorithm of the initiator does not match.
  • encapsulation mode mismatch: The encapsulation mode does not match.
  • flow or peer mismatch: The security ACL or IKE peer address of the two ends does not match.
  • version mismatch: The IKE version number of the two ends does not match.
  • peer address mismatch: The IKE peer address of the two ends does not match.
  • config ID mismatch: The IKE peer of the specified ID is not found.
  • exchange mode mismatch: The negotiation mode of the two ends does not match.
  • authentication fail: Identity authentication fails.
  • construct local ID fail: The local ID fails to be constructed.
  • rekey no find old sa: The old SA is not found during re-negotiation.
  • rekey fail: The old SA is going offline during re-negotiation.
  • first packet limited: The rate of the first packet is limited.
  • unsupported version: The IKE version number is not supported.
  • malformed message: Malformed message.
  • malformed payload: Malformed payload.
  • critical drop: Unidentified critical payload.
  • cookie mismatch: Cookie mismatch.
  • invalid cookie: Invalid cookie.
  • invalid length: Invalid packet length.
  • unknown exchange type: Unknown negotiation mode.
  • uncritical drop: Unidentified non-critical payload.
  • local address mismatch: The local IP address in IKE negotiation and interface IP address do not match.
  • dynamic peers number reaches limitation: The number of IKE peers reaches the upper limit.
  • ipsec tunnel number reaches limitation: The number of IPSec tunnels reaches the upper limit.
  • no policy applied on interface: No policy is applied to an interface.
  • nat detection fail: NAT detection failed.
  • fragment packet limit: Fragment packets exceed the limit.
  • fragment packet reassemble timeout: Fragment packet reassembly times out.

version

IKE version.

Error-time/error-time

Time of IPSec tunnel negotiation failures using IKE.

Detail

Details about IPSec tunnel negotiation failures using IKE.

  • phase1 proposal mismatch: IKE proposal parameters of the two ends do not match.
  • phase2 proposal or pfs mismatch: IPSec proposal parameters, pfs algorithm, or security ACL of the two ends do not match.
  • responder dh mismatch: The DH algorithm of the responder does not match.
  • initiator dh mismatch: The DH algorithm of the initiator does not match.
  • encapsulation mode mismatch: The encapsulation mode does not match.
  • flow or peer mismatch: The security ACL or IKE peer address of the two ends does not match.
  • version mismatch: The IKE version number of the two ends does not match.
  • peer address mismatch: The IKE peer address of the two ends does not match.
  • config ID mismatch: The IKE peer of the specified ID is not found.
  • exchange mode mismatch: The negotiation mode of the two ends does not match.
  • authentication fail: Identity authentication fails.
  • construct local ID fail: The local ID fails to be constructed.
  • rekey no find old sa: The old SA is not found during re-negotiation.
  • rekey fail: The old SA is going offline during re-negotiation.
  • first packet limited: The rate of the first packet is limited.
  • unsupported version: The IKE version number is not supported.
  • malformed message: Malformed message.
  • malformed payload: Malformed payload.
  • critical drop: Unidentified critical payload.
  • cookie mismatch: Cookie mismatch.
  • invalid cookie: Invalid cookie.
  • invalid length: Invalid packet length.
  • unknown exchange type: Unknown negotiation mode.
  • uncritical drop: Unidentified non-critical payload.
  • local address mismatch: The local IP address in IKE negotiation and interface IP address do not match.
  • dynamic peers number reaches limitation: The number of IKE peers reaches the upper limit.
  • ipsec tunnel number reaches limitation: The number of IPSec tunnels reaches the upper limit.
  • no policy applied on interface: No policy is applied to an interface.
  • nat detection fail: NAT detection failed.
  • fragment packet limit: Fragment packets exceed the limit.
  • fragment packet reassemble timeout: Fragment packet reassembly times out.
  • receive phase1 proposal mismatch: The received IKE proposal parameters do not match the local parameters.
  • receive phase2 proposal mismatch: The received IPSec proposal parameters do not match the local parameters.
  • phase2 proposal mismatch: IPSec proposal parameters on both ends do not match.
  • receive flow or peer mismatch: The received security ACL or IKE peer address does not match the local one.
  • (peer local or tunnel local or interface) address mismatch: The peer's local IP address, local tunnel IP address or interface IP address does not match the local one.
  • remote auth method mismatch: The peer authentication method does not match.
  • proc auth payload fail(pre-share-key): Failed to process the authentication payload during pre-shared key authentication.
  • recv peer auth fail notification: An authentication failure notification from the peer end is received.
  • recv peer auth fail notification(pre-share-key): An authentication failure notification from the peer end is received during pre-shared key authentication.
  • proc and auth ID payload fail(pre-share-key): The peer ID fails to be authenticated during pre-shared key authentication.
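
An added example, not part of the Huawei documentation: a Python parser for the non-verbose output shown in the Example section that counts failures per peer and error-reason and sorts them into triage buckets. The bucket names, the two 192.0.2.7 rows and the `min_count` threshold are assumptions of this example.

```python
import re
from collections import Counter

# Row layout of the non-verbose output: peer, port, error-reason, version, error-time.
ROW = re.compile(
    r"^\s*(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<reason>.+?)\s+"
    r"(?P<version>v\d)\s+(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$"
)

# Triage buckets are this example's assumption, not Huawei's classification.
# Order matters: "cookie mismatch" must hit "packet" before "config".
BUCKETS = (
    ("auth", ("authentication fail",)),
    ("capacity", ("limited", "limitation", "packet limit")),
    ("packet", ("malformed", "cookie", "invalid length", "drop", "reassemble",
                "unknown exchange type", "unsupported version")),
    ("rekey", ("rekey",)),
    ("config", ("mismatch", "no policy", "construct local id")),
)

def classify(reason):
    """Map an error-reason string to a triage bucket ("other" if unknown)."""
    r = reason.lower()
    return next((b for b, keys in BUCKETS if any(k in r for k in keys)), "other")

def parse(text):
    """Return one dict per failure row; headers and rulers are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def triage(text, min_count=2):
    """Count failures per (peer, bucket, reason); keep those seen min_count+ times."""
    rows = parse(text)
    counts = Counter((r["peer"], classify(r["reason"]), r["reason"]) for r in rows)
    return {k: n for k, n in counts.items() if n >= min_count}

# Constructed sample: the page's two rows plus two invented rows for 192.0.2.7.
SAMPLE = """\
  -----------------------------------------------------------------------------
  peer       port      error-reason                version     error-time
  -----------------------------------------------------------------------------
  10.1.1.1  500       phase1 proposal mismatch     v1          2013-08-26 13:42:37
  10.1.1.1  500       phase1 proposal mismatch     v1          2013-08-26 13:08:45
  192.0.2.7 500       malformed payload            v1          2013-08-26 13:07:10
  192.0.2.7 500       authentication fail          v1          2013-08-26 13:06:02
  -----------------------------------------------------------------------------
"""

if __name__ == "__main__":
    for (peer, bucket, reason), n in triage(SAMPLE, min_count=1).items():
        print(f"{peer:<12}{bucket:<9}x{n}  {reason}")
```

Because the command output holds only the latest 200 failures, collect and parse it on a schedule so that entries from a noisy peer do not displace the ones you need.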
Copyright © Huawei Technologies Co., Ltd.