Alarm Handling

AR100-S, AR110-S, AR120-S, AR150-S, AR160-S, AR200-S, AR1200-S, AR2200-S, and AR3200-S V200R009

IPSEC_1.3.6.1.4.1.2011.6.122.26.6.14 hwIPSecNegoFail

Description

IPSEC/4/IPSECNEGOFAIL: OID [OID] IPSec tunnel negotiation fails. (Ifindex=[Ifindex], SeqNum=[SeqNum], Reason=[Reason], ReasonCode=[ReasonCode], PeerAddress=[PeerAddress], PeerPort=[PeerPort], VsysName=[vsys-name], InterfaceName=[InterfaceName])

IPSec tunnel negotiation fails.

Attribute

Alarm ID: 1.3.6.1.4.1.2011.6.122.26.6.14
Alarm Severity: Warning
Alarm Type: Communications alarm

Parameters

Name: Meaning

OID: Indicates the MIB object ID of the alarm.

Ifindex: Indicates the index of the interface on the IPSec tunnel.

SeqNum: Indicates the sequence number of the IPSec policy.

Reason: Indicates the reason of IPSec tunnel negotiation failure.

ReasonCode: Indicates the reason code of IPSec tunnel negotiation failure.

  • 1: ike proposal mismatch
  • 2: ipsec proposal or pfs mismatch
  • 3: authentication failed
  • 4: acl configuration mismatch
  • 5: can not find ike-peer by ip
  • 6: version mismatch
  • 7: encapsulation mode mismatch
  • 8: total number limit
  • 9: total IPSec route number limit
  • 11: ipsec tunnel number reaches limitation

PeerAddress: Indicates the remote IP address.

PeerPort: Indicates the remote UDP port number.

vsys-name: Indicates the name of the virtual system to which the IPSec policy belongs.

NOTE: The device does not support this parameter.

InterfaceName: Indicates the interface name.

Impact on the System

Creating an IPSec tunnel will fail.

Possible Causes

The possible causes are as follows:

  • ike proposal mismatch: IKE proposals at both ends of the IPSec tunnel do not match.
  • ipsec proposal or pfs mismatch: IPSec proposals or PFS configurations at both ends of the IPSec tunnel do not match.
  • authentication failed: Identity authentication fails.
  • acl configuration mismatch: ACL configurations at both ends of the IPSec tunnel do not match.
  • can not find ike-peer by ip: No matching IKE peer can be found.
  • version mismatch: IKE versions at both ends of the IPSec tunnel do not match.
  • encapsulation mode mismatch: IPSec encapsulation modes at both ends of the IPSec tunnel do not match.
  • total number limit: The number of IPSec tunnels has reached the upper limit.
  • total IPSec route number limit: The number of IPSec routes has reached the upper limit.
  • ipsec tunnel number reaches limitation: The number of IPSec tunnels reaches the upper limit.

Procedure

  • Perform the following checks based on the possible causes:

    • ike proposal mismatch: Run the display ike proposal command and check whether IKE proposal configurations at both ends of the IPSec tunnel are consistent.
    • ipsec proposal or pfs mismatch: Run the display ipsec proposal command and check whether IPSec proposal configurations at both ends of the IPSec tunnel are consistent.
    • authentication failed: Check whether the certificate or shared key configurations at both ends of the IPSec tunnel are consistent.
    • acl configuration mismatch: Check whether the ACL configurations are correct.
    • can not find ike-peer by ip: Run the display ike peer command and check whether the peer IP address is correctly configured.
    • version mismatch: Check whether the same IKE version is used at both ends of the IPSec tunnel.
    • encapsulation mode mismatch: Check whether the same encapsulation mode is used at both ends of the IPSec tunnel.
    • total number limit: Apply for a license that allows more tunnels as required.
    • total IPSec route number limit: Reduce the number of IPSec tunnels as required.
    • ipsec tunnel number reaches limitation: Delete unnecessary IPSec tunnels or expand the device capacity.
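The following is an added example, not part of the Huawei documentation: a Python sketch that parses collected alarm lines in the message format shown under Description, counts failures per peer and reason code, and attaches the matching check from the Procedure. The function names, the timestamp and host prefix, and all sample values are assumptions constructed for illustration.

```python
import re
from collections import Counter

# ReasonCode -> (cause, check), both taken from the lists on this page.
CHECKS = {
    1: ("ike proposal mismatch", "display ike proposal on both ends"),
    2: ("ipsec proposal or pfs mismatch", "display ipsec proposal on both ends"),
    3: ("authentication failed", "compare certificate or shared key configurations"),
    4: ("acl configuration mismatch", "check the ACL configurations"),
    5: ("can not find ike-peer by ip", "display ike peer, check the peer IP address"),
    6: ("version mismatch", "check the IKE version on both ends"),
    7: ("encapsulation mode mismatch", "check the encapsulation mode on both ends"),
    8: ("total number limit", "apply for a license that allows more tunnels"),
    9: ("total IPSec route number limit", "reduce the number of IPSec tunnels"),
    11: ("ipsec tunnel number reaches limitation", "delete unnecessary tunnels or expand capacity"),
}
UNLISTED = ("unlisted reason code", "read the Reason field")  # e.g. a code not in the table

ALARM = re.compile(r"IPSEC/4/IPSECNEGOFAIL: OID (\S+) IPSec tunnel negotiation fails\. \((.*)\)")
FIELD = re.compile(r"(\w+)=([^,)]*)")  # values may be empty or contain spaces and slashes

def parse_alarm(line):
    """Return the alarm's fields as a dict, or None if the line is not this alarm."""
    m = ALARM.search(line)
    if not m:
        return None
    fields = dict(FIELD.findall(m.group(2)))
    fields["OID"] = m.group(1)
    code = fields.get("ReasonCode", "")
    fields["ReasonCode"] = int(code) if code.isdigit() else None
    return fields

def triage(lines):
    """Return (peer, code, count, cause, check) tuples, most frequent first."""
    counts = Counter()
    for line in lines:
        f = parse_alarm(line)
        if f:
            counts[(f.get("PeerAddress"), f["ReasonCode"])] += 1
    return [(p, c, n) + CHECKS.get(c, UNLISTED) for (p, c), n in counts.most_common()]

# Constructed sample input: prefix, addresses, indexes and the code-10 line are made up.
_T = ("Jan 10 08:00:01 AR1 IPSEC/4/IPSECNEGOFAIL: OID 1.3.6.1.4.1.2011.6.122.26.6.14 "
      "IPSec tunnel negotiation fails. (Ifindex=7, SeqNum=10, Reason={r}, ReasonCode={c}, "
      "PeerAddress={p}, PeerPort=500, VsysName=, InterfaceName=GigabitEthernet0/0/1)")
ROWS = [("authentication failed", 3, "192.0.2.10")] * 3 + [
    ("ike proposal mismatch", 1, "198.51.100.7"), ("unknown", 10, "198.51.100.7")]
SAMPLE = [_T.format(r=r, c=c, p=p) for r, c, p in ROWS] + ["Jan 10 08:00:09 AR1 unrelated line"]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Repeated entries for one peer with the same reason code point at a persistent configuration mismatch with that peer, so the grouped output shows which check to run first.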

Updated: 2019-05-06

Document ID: EDOC1000174085
