display ike history

Function

The display ike error history command displays IKE SA negotiation failure errors.

The display ike offline history command displays IKE SA negotiation offline information.

This command is supported only on the NetEngine 8000 F1A.

Format

display ike { error | offline } history [ peer-ip peerip [ vpn-instance-name vpn-instance-name ] [ port portnum ] ] [ slot slotid ]

Parameters

Parameter: peer-ip peerip
Description: Specifies the peer IP address.
Value: The value is in dotted decimal notation.

Parameter: vpn-instance-name vpn-instance-name
Description: Specifies the name of the VPN instance.
Value: The value is a string of 1 to 31 case-sensitive characters without spaces. The VPN instance name must not be _public_. If the string is enclosed in double quotation marks, it can contain spaces.

Parameter: port portnum
Description: Specifies the port number.
Value: The value is an integer in the range of 0 to 65535.

Parameter: slot slotid
Description: Specifies the slot number.
Value: -

Views

All views

Default Level

1: Monitoring level

Task Name and Operations

Task Name: ike
Operations: read

Usage Guidelines

You can run the display ike error history command to display IKE SA negotiation failure errors for all remote peers or for a specified remote peer.

You can run the display ike offline history command to display IKE SA negotiation offline information for all remote peers or for a specified remote peer.

Example

The actual command output varies according to the device. The command output here is only an example.

# Display the IKE SA negotiation offline information for all remote peers.
<HUAWEI> display ike offline history
IKE Offline Information for Slot : 1
Current Record Number : 1
----------------------------------------------------------------------------------------------------
PEER                  VPN             TIME                      REASON                              
----------------------------------------------------------------------------------------------------
192.168.1.2:500       -               2016-07-11 09:11:20       Receive phase1 delete info          
192.168.1.2:500       -               2016-07-11 09:11:20       Receive phase2 delete info

# Display the IKE SA negotiation errors for all remote peers.
<HUAWEI> display ike error history
IKE Error Information for Slot : 1
Current Record Number : 2
----------------------------------------------------------------------------------------------------
PEER                  VPN             TIME                      REASON                              
----------------------------------------------------------------------------------------------------
192.168.1.2:500       -               2016-07-11 09:11:20       Receive phase1 delete info          
192.168.1.2:500       -               2016-07-11 09:11:20       Receive phase2 delete info     
192.168.1.2:500       -               2016-07-11 09:11:20       Critical Payload : Dropped(Payload=35)
192.168.1.2:500       -               2016-07-11 09:11:20       Unknown Exchange Type(ExchType=88)
192.168.1.2:500       -               2016-07-11 09:11:20       Exchange Type Mismatch(ExchType=100)

Table 1 Description of the display ike history command output

Item: IKE Error Information for Slot
Description: Indicates the slot ID of the IKE error.

Item: IKE Offline Information for Slot
Description: Indicates the slot ID of the IKE offline.

Item: Current Record Number
Description: Indicates the current number of records.

Item: PEER
Description: IP address and port number of the IKE peer.

Item: VPN
Description: VPN instance name of the IKE peer.

Item: TIME
Description: Indicates the time when the error or offline occurred.

Item: REASON
Description: Indicates the reason of an error:

  • Unknown Error.
  • Phase1 Proposal Mismatch.
  • Phase2 Proposal Mismatch.
  • Acl Flow Mismatch.
  • Malformed Message.
  • Unsupported Version.
  • Construct Local ID Fail.
  • Peer ID Mismatch.
  • Peer IP Mismatch.
  • Authentication Fail.
  • Invalid Message Length.
  • Message-ID Unordered.
  • Short Packet.
  • Malformed Payload.
  • Cookie Mismatch.
  • Critical Payload : Dropped.
  • Invalid KE Payload.
  • Fail Send Packet :No Memory.
  • Fail Process Packet : No Memory.
  • Fail Integrity Check.
  • Cookie Request : Invalid Cookie.
  • Cookie Request : No Cookie.
  • Duplicate Payload.
  • PAF limited.
  • Rekey : old child not found.
  • Rekey : old child in close.
  • Retransmission Timeout(MM : P1).
  • Retransmission Timeout(MM : P2).
  • Retransmission Timeout(MM : P3).
  • Retransmission Timeout(MM : P4).
  • Retransmission Timeout(MM : P5).
  • Retransmission Timeout(MM : P6).
  • Retransmission Timeout(AM : P1).
  • Retransmission Timeout(AM : P2).
  • Retransmission Timeout(AM : P3).
  • Retransmission Timeout(QM : P1).
  • Retransmission Timeout(QM : P2).
  • Retransmission Timeout(QM : P3).
  • Retransmission Timeout(Init Req).
  • Retransmission Timeout(Init Res).
  • Retransmission Timeout(Auth Req).
  • Retransmission Timeout(Auth Res).
  • Retransmission Timeout(Child Req).
  • Retransmission Timeout(Child Res).
  • V2 Notify Unsupported Critical Payload.
  • V2 Notify Invalid IKE SPI.
  • V2 Notify Invalid Major Version.
  • V2 Notify Invalid Minor Version.
  • V2 Notify Invalid Syntax.
  • V2 Notify Invalid Message Id.
  • V2 Notify Invalid SPI.
  • V2 Notify No Proposal Chosen.
  • V2 Notify Invalid KE Payload.
  • V2 Notify Authentication Failed.
  • V2 Notify Single Pair Required.
  • V2 Notify No Additional SAs.
  • V2 Notify TS Unacceptable.
  • PKI Whitelist verificate failed.
  • Can not get crl.
  • Invalid Hash Information.
  • Unsupported Exchange Type.
  • Invalid ID Information.
  • Invalid Key Information.
  • Invalid Protocol Id.
  • Invalid Spi.
  • Doi Not Supported.
  • Invalid Transform Id.
  • Invalid Flags.
  • Attributes Not Supported.
  • Form payload failed.
  • Request DH failed.
  • Invalid Signature.
  • Certificate validation failed.
  • No Certificate Or Key.

  • In the direction of receiving, Socket error.
  • In the direction of sending, Socket error.
  • No key was configured on the IKE peer.
  • Only the ID in the format of IP address was supported.
  • Invalid payload length.
  • Invalid notify payload(16431).
  • Asn1 decode fail.
  • Asn1 encode fail.
  • IKEV2 Backup Phase1 SA Encryption/Decryption Keys Failed.
  • IKEV2 TdbEntry not found.
  • IKEV2 Dyna TdbEntry not found.
  • IKEV2 Not found IPSEC Policy.
  • IKEV2 Inbound Tdb not found.
  • IKEV2 backup Config IPSEC cryptomap failed.
  • IKEV2 Backup IPSPolicy failed.
  • IKEV2 Ph2SA: Processing of Backup message is Failed.
  • IKEV1 Backup IPSec policy failed.
  • IKEV1 Backup IKE proposal failed.
  • IKEV1 Backup Phase1 SA Encryption/Decryption Keys Failed.
  • IKEV1 Ph1SA:Processing of Backup message is Failed.
  • IKEV1 TdbEntry not found.
  • IKEV1 ISAKMP Dyna TdbEntry not found.
  • IKEV1 Inbound Tdb not found.
  • IKEV1 Not found IPSEC Policy.
  • IKEV1 backup policy info failed for phase2 SA.
  • IKEV1 backup policy para failed for phase2 SA.
  • IKEV1 Backup IPSPolicy failed.
  • IKEV1 Ph2SA: Processing of Backup message is Failed.

Indicates the reason of an offline:

  • Unknown Reason.
  • DPD timeout.
  • Receive phase1 delete info.
  • Receive phase2 delete info.
  • Reset phase1 by user.
  • Reset phase2 by user.
  • Config modify.
  • Phase1 hardware expire.
  • Phase2 hardware expire.
  • Re-auth timeout.
  • Acl range is conflicting with exist.
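
An added example, not part of the Huawei documentation: a Python parser for the table layout shown above that splits the trailing (Key=value) detail from REASON and flags peers with repeated authentication or malformed-message records. The sample text is constructed, and the TRIAGE grouping, the threshold and all function names are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the column layout shown on this page (not real device output).
SAMPLE = """\
IKE Error Information for Slot : 1
Current Record Number : 5
--------------------------------------------------------------------------------
PEER                  VPN             TIME                      REASON
--------------------------------------------------------------------------------
192.168.1.2:500       -               2016-07-11 09:11:20       Authentication Fail
192.168.1.2:500       -               2016-07-11 09:11:24       Authentication Fail
192.168.1.2:500       -               2016-07-11 09:11:29       Critical Payload : Dropped(Payload=35)
192.168.1.9:4500      vpna            2016-07-11 09:12:02       Phase1 Proposal Mismatch
192.168.1.9:4500      vpna            2016-07-11 09:12:40       Retransmission Timeout(MM : P3)
"""

ROW = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<vpn>\S.*?)\s+"
                 r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<reason>\S.*?)\s*$")
DETAIL = re.compile(r"\((\w+)=(\d+)\)$")  # trailing "(Payload=35)" / "(ExchType=88)"

# Assumed triage buckets (editor's grouping of the REASON strings; first match wins).
TRIAGE = [
    ("auth", ("Authentication Fail", "Invalid Signature", "Certificate validation failed")),
    ("malformed", ("Malformed", "Invalid", "Short Packet", "Critical Payload", "Exchange Type")),
    ("config", ("Proposal Mismatch", "Acl Flow Mismatch", "Peer ID Mismatch", "Peer IP Mismatch")),
    ("timeout", ("Retransmission Timeout", "DPD timeout")),
]

def classify(reason):
    return next((cat for cat, keys in TRIAGE if any(k in reason for k in keys)), "other")

def parse_history(text):
    """Parse 'display ike { error | offline } history' output into record dicts."""
    records = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, separator and column-header lines
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        d = DETAIL.search(rec["reason"])
        rec["detail"] = {d.group(1): int(d.group(2))} if d else {}
        rec["reason"] = DETAIL.sub("", rec["reason"])  # "(MM : P3)" style suffixes are kept
        rec["category"] = classify(rec["reason"])
        records.append(rec)
    return records

def peers_to_review(records, threshold=2):
    """Peers (ip, vpn) with at least `threshold` auth or malformed records."""
    hits = defaultdict(Counter)
    for r in records:
        hits[(r["ip"], r["vpn"])][r["category"]] += 1
    return sorted(p for p, c in hits.items() if c["auth"] + c["malformed"] >= threshold)
```
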
Copyright © Huawei Technologies Co., Ltd.