IKE/4/IKE_IPSEC_TUN_ESTABLISH_FAIL: An IPsec tunnel failed to be established. (PeerIp=[PeerIp], Port=[PortNum], VrfName=[VrfIndex], Reason=[Reason])
In VS mode, this log is supported only by the admin VS.
Parameter Name | Parameter Meaning |
---|---|
PeerIp | IP address of a peer |
PortNum | Interface index |
VrfIndex | VPN instance name |
Reason | Failure cause |
Cause 1: The socket failed to receive data.
Cause 2: The socket failed to send data.
Cause 3: The IKE proposals do not match.
Cause 4: The IPSec proposals do not match.
Cause 5: The ACL does not match.
Cause 6: No key is configured for the IKE peer.
Cause 7: No certificate or key is imported.
Cause 8: Failed to construct the local ID. The pre-shared key mode supports only the ID type of the IP address mode.
Cause 9: The ID does not match.
Cause 10: The number of PAF files exceeded the upper limit.
Cause 11: Authentication failed. Check the key or certificate.
Cause 12: Whitelist verification failed.
Cause 13: The CRL did not exist.
Cause 14: Certificate verification failed.
Cause 15: The payload length was incorrect.
Cause 16: The payload was malformed.
Cause 17: Retransmission of the first packet in main mode timed out, but internal processing was normal.
Cause 18: Retransmission of the second packet in main mode timed out, but internal processing was normal.
Cause 19: Retransmission of the third packet in main mode timed out, but internal processing was normal.
Cause 20: Retransmission of the fourth packet in main mode timed out, but internal processing was normal.
Cause 21: Retransmission of the fifth packet in main mode timed out, but internal processing was normal.
Cause 22: Retransmission of the sixth packet in main mode timed out, but internal processing was normal.
Cause 23: Retransmission of the first packet in fast mode timed out, but internal processing was normal.
Cause 24: Retransmission of the second packet in fast mode timed out, but internal processing was normal.
Cause 25: Retransmission of the third packet in fast mode timed out, but internal processing was normal.
Cause 26: Retransmission of the initial request packet timed out, but internal processing was normal.
Cause 27: Retransmission of the initial request response packet timed out, but internal processing was normal.
Cause 28: Retransmission of the authentication request packet timed out, but internal processing was normal.
Cause 29: Retransmission of the authentication response packet timed out, but internal processing was normal.
Cause 30: Retransmission of the Child request packet timed out, but internal processing was normal.
Cause 31: Retransmission of the Child request response packet timed out, but internal processing was normal.
Cause 32: IKEv2 received a Notification packet with a mismatched TS.
Cause 33: IKEv2 received Notification packets, and Critical Payload was not supported.
Cause 34: IKEv2 received Notification packets, and the SPI was invalid.
Cause 35: IKEv2 received a Notification message, and the version number of the main mode was invalid.
Cause 36: IKEv2 received a Notification message, and the Exchange type was invalid.
Cause 37: IKEv2 received a Notification message with an invalid message ID.
Cause 38: IKEv2 received a Notification message with an invalid protocol ID.
Cause 39: IKEv2 received a Notification message, but no proposal was selected.
Cause 40: IKEv2 received a Notification message, and the payload was malformed.
Cause 41: IKEv2 received a Notification message, and the KE was invalid.
Cause 42: IKEv2 received Notification packets and authentication failed.
Cause 43: The address of the encrypted stream conflicts with an existing one.
Procedure for Cause 1:
An internal error occurs when the socket receives packets. Contact Huawei technical support personnel.
Procedure for Cause 2:
An internal error occurs when the socket sends packets. Contact Huawei technical support personnel.
Procedure for Cause 3:
1. Run the display ike proposal command to check IKE proposal information. Ensure that the encryption algorithm, authentication method, authentication algorithm, and DH group ID on both ends of the IPSec tunnel match.
2. If they do not match, enter the corresponding IKE proposal view and configure a matching IKE proposal.
Procedure for Cause 4:
1. Run the display ipsec proposal command to check IPSec proposal information. Ensure that the encapsulation mode, security protocol, encryption algorithm, and authentication algorithm on both ends of the IPSec tunnel match.
2. If they do not match, enter the corresponding IPSec policy view and configure a matching IPSec proposal.
Procedure for Cause 5:
1. Run the display ipsec policy [ brief | name policy-name [ seq-number ] ] command to check the security data flow parameter in the corresponding IPsec policy to obtain the configured ACL name.
2. Run the display acl { acl-number | name acl-name | all } command to check the filtering conditions of the corresponding ACL and ensure that the filtering conditions used by the devices at both ends of the IPSec tunnel match.
3. If they do not match, create a matching ACL rule, enter the corresponding IPSec policy view, and configure a matching ACL rule.
Procedure for Cause 6:
1. Run the display ike peer [ name | brief ] command to check the IKE peer configuration. Ensure that a key has been configured for the IKE peer.
2. If no key is configured, enter the corresponding IKE peer view and configure a valid key.
Procedure for Cause 7:
1. Run the display ike peer [ name | brief ] command to check the configuration of the IKE peer. Ensure that the certificate or key has been imported.
2. If the certificate or key is not configured, enter the corresponding IKE peer view and import a valid certificate or key.
Procedure for Cause 8:
1. Run the display ike peer [ name | brief ] command to check whether the ID type of the IKE peer is ip.
2. If the ID type is not set to ip, enter the corresponding IKE peer view and set the ID type to ip.
Procedure for Cause 9:
1. Run the display ike peer [ name | brief ] command to check the IKE peer configuration. Ensure that the IDs of the devices at both ends of the IPSec tunnel are the same.
2. If the configurations do not match, enter the corresponding IKE peer view and configure the matching ID.
Procedure for Cause 10:
Contact technical support.
Procedure for Cause 11:
1. Run the display ike peer [ name | brief ] command to check the configuration of the IKE peer. Ensure that the key and certificate match.
2. If they do not match, enter the corresponding IKE peer view and configure the matching certificate or key.
Procedure for Cause 12:
1. Run the display pki whitelist command to check whether the PKI whitelist imported to the device is correct.
2. If the data is incorrect, set the correct whitelist data.
Procedure for Cause 13:
1. Run the display pki ca_list command to check whether the CA certificate and CRL imported to the memory exist.
2. If the CRL does not exist, reconfigure the CRL.
Procedure for Cause 14:
1. Obtain a valid certificate.
Procedure for Cause 15:
1. An invalid packet is received. Contact the technical support personnel.
Procedure for Cause 16:
1. If malformed packets are received, contact Huawei technical support personnel.
Procedure for Causes 17 to 31 (the same for each):
1. Check whether the link status is normal. If the link status is normal, contact technical support engineers.
Procedure for Causes 32 to 42 (the same for each):
1. Check the peer device based on the error type.
Procedure for Cause 43:
1. Check whether the flows protected by the peer device overlap.
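For log triage, the message layout and cause list above can be parsed and grouped so that credential-class failures stand out per peer. This is an added example, not Huawei code: it assumes the Reason field carries the cause wording listed on this page, the bucket names and the threshold are the example's own, and the sample lines are constructed.

```python
import re
from collections import Counter

# Field layout as documented above; Reason is assumed to hold the cause text.
LOG_RE = re.compile(
    r"IKE/4/IKE_IPSEC_TUN_ESTABLISH_FAIL: .*?"
    r"\(PeerIp=(?P<peer>[^,]*), Port=(?P<port>[^,]*), "
    r"VrfName=(?P<vrf>[^,]*), Reason=(?P<reason>.*)\)\s*$"
)

# Ordered keyword -> triage bucket (hypothetical grouping). Order matters:
# "notification" must win over "payload" and "authentication failed".
BUCKETS = [
    ("retransmission", "link-or-peer-unreachable"),  # causes 17-31
    ("notification", "peer-rejected"),               # causes 32-42
    ("proposals do not match", "config-mismatch"),   # causes 3-4
    ("acl does not match", "config-mismatch"),       # cause 5
    ("id does not match", "config-mismatch"),        # cause 9
    ("authentication failed", "credential"),         # cause 11
    ("whitelist", "credential"),                     # cause 12
    ("crl", "credential"),                           # cause 13
    ("certificate", "credential"),                   # causes 7, 14
    ("no key", "credential"),                        # cause 6
    ("payload", "malformed-packet"),                 # causes 15-16
]

def parse(line):
    """Return the log fields plus a triage bucket, or None for other messages."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    low = rec["reason"].lower()
    rec["bucket"] = next((b for k, b in BUCKETS if k in low), "other")
    return rec

def credential_failures_by_peer(lines, threshold=3):
    """Peers with at least `threshold` credential-class failures."""
    recs = (parse(l) for l in lines)
    hits = Counter(r["peer"] for r in recs if r and r["bucket"] == "credential")
    return {peer: n for peer, n in hits.items() if n >= threshold}

# Constructed sample lines (documentation addresses, made-up Port and VrfName).
_FMT = ("IKE/4/IKE_IPSEC_TUN_ESTABLISH_FAIL: An IPsec tunnel failed to be "
        "established. (PeerIp={}, Port=500, VrfName=vpn1, Reason={})")
SAMPLE = [_FMT.format(p, r) for p, r in [
    ("192.0.2.10", "Authentication failed. Check the key or certificate."),
    ("192.0.2.10", "Authentication failed. Check the key or certificate."),
    ("192.0.2.10", "Authentication failed. Check the key or certificate."),
    ("198.51.100.7", "Certificate verification failed."),
    ("203.0.113.5", "Retransmission of the first packet in main mode timed out, but internal processing was normal."),
    ("203.0.113.9", "The IKE proposals do not match."),
]]
```

Repeated credential-class failures from one peer usually mean a stale key or expired certificate on that peer, and are worth an alert either way; retransmission timeouts point at the path rather than the configuration.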