Alarm Handling

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the trap description, attributes, parameters, impact on the system, possible causes, procedures, and references. It provides a complete set of traps, through which intended readers are kept informed of the running status of the device so that they can locate faults.
IPSEC_1.3.6.1.4.1.2011.6.122.26.6.14 hwIPSecNegoFail


Description

IPSEC/4/IPSECNEGOFAIL: OID [OID] IPSec tunnel negotiation fails. (Ifindex=[Ifindex], SeqNum=[SeqNum], Reason=[Reason], ReasonCode=[ReasonCode], PeerAddress=[PeerAddress], PeerPort=[PeerPort], VsysName=[vsys-name], InterfaceName=[InterfaceName])

IPSec tunnel negotiation fails.

Attribute

Alarm ID: 1.3.6.1.4.1.2011.6.122.26.6.14

Alarm Severity: Warning

Alarm Type: Communications alarm

Parameters

Name: Meaning

OID: Indicates the MIB object ID of the alarm.

Ifindex: Indicates the index of the interface on the IPSec tunnel.

SeqNum: Indicates the sequence number of the IPSec policy.

Reason: Indicates the reason of IPSec tunnel negotiation failure.

ReasonCode: Indicates the reason code of IPSec tunnel negotiation failure.

  • 1: ike proposal mismatch
  • 2: ipsec proposal or pfs mismatch
  • 3: authentication failed
  • 4: acl or peer mismatch
  • 5: can not find ike-peer by ip
  • 6: version mismatch
  • 7: encapsulation mode mismatch
  • 8: total number limit
  • 9: total IPSec route number limit
  • 11: ipsec tunnel number reaches limitation
  • 12: flow confict
  • 13: malformed payload
  • 15: proposal mismatch or use sm in ikev2
  • 16: ikev2 not support sm in ipsec proposal ikev2
  • 17: netmask mismatch

PeerAddress: Indicates the remote IP address.

PeerPort: Indicates the remote UDP port number.

vsys-name: Indicates the name of the virtual system to which the IPSec policy belongs.

NOTE: The device does not support this parameter.

InterfaceName: Indicates the interface name.

Impact on the System

Creating an IPSec tunnel will fail.

Possible Causes

The possible causes are as follows:

  • ike proposal mismatch: IKE proposals at both ends of the IPSec tunnel do not match.
  • ipsec proposal or pfs mismatch: IPSec proposals or PFS configurations at both ends of the IPSec tunnel do not match.
  • authentication failed: Identity authentication fails.
  • acl or peer mismatch: ACL configurations or remote-address at both ends of the IPSec tunnel do not match.
  • can not find ike-peer by ip: No matching IKE peer can be found.
  • version mismatch: IKE versions at both ends of the IPSec tunnel do not match.
  • encapsulation mode mismatch: IPSec encapsulation modes at both ends of the IPSec tunnel do not match.
  • total number limit: The number of IPSec tunnels has reached the upper limit.
  • total IPSec route number limit: The number of IPSec routes has reached the upper limit.
  • ipsec tunnel number reaches limitation: The number of IPSec tunnels reaches the upper limit.
  • flow confict: A data flow conflict occurs.
  • malformed payload: Malformed payload.
  • proposal mismatch or use sm in ikev2: IPSec proposals at both ends of the IPSec tunnel do not match or IKEv2 uses the SM algorithm.
  • ikev2 not support sm in ipsec proposal ikev2: IKEv2 does not support the SM algorithm used in the IPSec proposal.
  • netmask mismatch: The mask does not match the configured mask after the IPSec mask filtering function is enabled.

Procedure

  • Perform the following checks based on the possible causes:

    • ike proposal mismatch: Run the display ike proposal command and check whether IKE proposal configurations at both ends of the IPSec tunnel are consistent.
    • ipsec proposal or pfs mismatch: Run the display ipsec proposal command and check whether IPSec proposal configurations at both ends of the IPSec tunnel are consistent.
    • authentication failed: Check whether the certificate or shared key configurations at both ends of the IPSec tunnel are consistent.
    • acl or peer mismatch: Check whether the ACL or remote address configurations are correct.
    • can not find ike-peer by ip: Run the display ike peer command and check whether the peer IP address is correctly configured.
    • version mismatch: Check whether the same IKE version is used at both ends of the IPSec tunnel.
    • encapsulation mode mismatch: Check whether the same encapsulation mode is used at both ends of the IPSec tunnel.
    • total number limit: Apply for a license that allows more tunnels as required.
    • total IPSec route number limit: Reduce the number of IPSec tunnels as required.
    • ipsec tunnel number reaches limitation: Delete unnecessary IPSec tunnels or expand the device capacity.
    • flow confict: Ensure that ACL rules at both ends of the IPSec tunnel are configured correctly.
    • malformed payload: Ensure that pre-shared keys at both ends of the IPSec tunnel are configured correctly.
    • proposal mismatch or use sm in ikev2: Run the display ipsec proposal command and ensure that IPSec proposals at both ends of the IPSec tunnel are consistent.
    • ikev2 not support sm in ipsec proposal ikev2: Change the algorithm used in the IPSec proposal.
    • netmask mismatch: Change the IPSec-protected data flow range of the branch or headquarters to ensure that the data flow ranges negotiated by the branch and headquarters do not overlap.
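
The trap format and ReasonCode table above lend themselves to automated triage. The following is an added example, not Huawei code: it parses IPSEC/4/IPSECNEGOFAIL messages, attaches the first check from the Procedure list, and counts failures per peer and reason code. The function names, the shortened check texts, and the sample lines (including the OID, VsysName and address values) are constructed for illustration.

```python
import re
from collections import Counter

# ReasonCode -> (Reason text, first check), both taken from this page.
REASONS = {
    1: ("ike proposal mismatch", "display ike proposal on both ends"),
    2: ("ipsec proposal or pfs mismatch", "display ipsec proposal on both ends"),
    3: ("authentication failed", "compare certificate or shared key"),
    4: ("acl or peer mismatch", "check ACL and remote address"),
    5: ("can not find ike-peer by ip", "display ike peer, check peer IP"),
    6: ("version mismatch", "use the same IKE version"),
    7: ("encapsulation mode mismatch", "use the same encapsulation mode"),
    8: ("total number limit", "license that allows more tunnels"),
    9: ("total IPSec route number limit", "reduce the number of IPSec tunnels"),
    11: ("ipsec tunnel number reaches limitation", "delete tunnels or expand capacity"),
    12: ("flow confict", "check ACL rules on both ends"),
    13: ("malformed payload", "check pre-shared keys on both ends"),
    15: ("proposal mismatch or use sm in ikev2", "display ipsec proposal on both ends"),
    16: ("ikev2 not support sm in ipsec proposal ikev2", "change the proposal algorithm"),
    17: ("netmask mismatch", "make protected flow ranges non-overlapping"),
}
TRAP = re.compile(r"IPSEC/4/IPSECNEGOFAIL: OID (?P<OID>\S+) .*?\((?P<body>.*)\)\s*$")

def parse_trap(line):
    """Return the trap's fields as a dict, or None if the line is another message."""
    m = TRAP.search(line)
    if not m:
        return None
    fields = {"OID": m.group("OID")}
    for pair in m.group("body").split(", "):
        key, _, value = pair.partition("=")
        fields[key] = value
    code = fields["ReasonCode"] = int(fields["ReasonCode"])
    # Codes absent from the page's table (10 and 14) get no check.
    fields["Check"] = REASONS.get(code, (None, "reason code not documented here"))[1]
    return fields

def failures_by_peer(lines):
    """Count (PeerAddress, ReasonCode) pairs so repeated failures stand out."""
    traps = filter(None, map(parse_trap, lines))
    return Counter((t["PeerAddress"], t["ReasonCode"]) for t in traps)

# Constructed sample lines that follow the message template on this page.
TEMPLATE = ("IPSEC/4/IPSECNEGOFAIL: OID 1.3.6.1.4.1.2011.6.122.26.6.14 IPSec tunnel "
            "negotiation fails. (Ifindex=7, SeqNum=10, Reason={r}, ReasonCode={c}, "
            "PeerAddress={p}, PeerPort=500, VsysName=-, InterfaceName=GigabitEthernet0/0/1)")
SAMPLE = [TEMPLATE.format(r=REASONS[c][0], c=c, p=p)
          for c, p in [(3, "192.0.2.10"), (3, "192.0.2.10"), (1, "198.51.100.7")]]
```

A peer that keeps producing code 3 or 13 points to a certificate or pre-shared key problem on one end, while codes 8, 9 and 11 are capacity limits on the local device rather than peer configuration.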

Updated: 2019-05-07

Document ID: EDOC1100034065
