Alarm Handling

AR100, AR120, AR160, AR1200, AR2200, AR3200, and AR3600 V300R003

This document provides the trap description, attributes, parameters, impact on the system, possible causes, procedures, and references. It provides a complete set of traps that keep intended readers informed of the running status of the device so that they can locate faults.
IPSEC_1.3.6.1.4.1.2011.6.122.26.6.2 hwIPSecTunnelStop

Description

IPSEC/4/IPSECTUNNELSTOP: OID [oid] The IPSec tunnel is deleted. (Ifindex=[Ifindex], SeqNum=[SeqNum],TunnelIndex=[TunnelIndex], RuleNum=[RuleNum], DstIP=[DstIP], InsideIP=[InsideIP], RemotePort=[RemotePort], CpuID=[CpuID], SrcIP=[SrcIP], FlowInfo=[FlowInfo], OfflineReason=[offlinereason], VsysName=[vsys-name], InterfaceName=[InterfaceName], SlotID=[SlotID])

An IPSec tunnel is deleted.

Attribute

| Alarm ID | Alarm Severity | Alarm Type |
| --- | --- | --- |
| 1.3.6.1.4.1.2011.6.122.26.6.2 | Warning | Communications alarm |

Parameters

| Name | Meaning |
| --- | --- |
| oid | Indicates the MIB object ID of the alarm. |
| Ifindex | Indicates the interface index. |
| SeqNum | Indicates the policy number. |
| TunnelIndex | Indicates the tunnel index. |
| RuleNum | Indicates the rule number. |
| DstIP | Indicates the IP address of the peer end of the IPSec tunnel. |
| InsideIP | Indicates the intranet IP address of the peer end of the tunnel. |
| RemotePort | Indicates the port number of the peer end of the IPSec tunnel. |
| CpuID | Indicates the CPU number. |
| SrcIP | Indicates the IP address of the local end of the IPSec tunnel. |
| FlowInfo | Indicates the data flow information of the IPSec tunnel, including the source address, destination address, ACL port number, ACL protocol number, and DSCP. |
| offlinereason | Indicates the reason why the IPSec tunnel was deleted. |
| vsys-name | Indicates the name of the virtual system to which the IPSec policy belongs. NOTE: The device does not support this parameter. |
| InterfaceName | Indicates the interface name. |
| SlotID | Indicates the Slot number. NOTE: The device does not support this parameter. |

Impact on the System

An IPSec tunnel has been deleted.

Possible Causes

An IPSec tunnel has been deleted due to the following causes:

  • dpd timeout: Dead peer detection (DPD) times out.
  • peer request: The remote end has sent a message, asking the local end to tear down the tunnel.
  • config modify or manual offline: An SA is deleted due to configuration modification or an SA is manually deleted.
  • phase1 hard expiry: Hard lifetime expires in phase 1 (no new SA negotiation success message is received).
  • phase2 hard expiry: Hard lifetime expires in phase 2.
  • heartbeat timeout: Heartbeat detection times out.
  • modecfg address soft expiry: The lease of the IP address that the remote end applied for from the server expires.
  • re-auth timeout: An SA is deleted due to reauthentication timeout.
  • aaa cut user: The AAA module disconnects users.
  • peer address switch: An SA is deleted due to change of the peer address.
  • hard expiry triggered by port mismatch: A hard timeout occurs due to a NAT port number mismatch.
  • kick old sa with same flow: The old SA is deleted for the same incoming flow.
  • spi conflict: An SPI conflict occurs.
  • phase1 sa replace: The new IKE SA replaces the old IKE SA.
  • phase2 sa replace: The new IPSec SA replaces the old IPSec SA.
  • nhrp notify: NHRP notifies the device that the SA needs to be deleted.
  • disconnect track nqa/bfd/vrrp: The IPSec tunnel is torn down based on the NQA test instance, NQA group, VRRP, BFD session, or BFD group status.
  • receive invalid spi notify: The device receives an invalid SPI notification.
  • dns resolution status change: DNS resolution status changes.
  • ikev1 phase1-phase2 sa dependent offline: The device deletes the associated IPSec SA when deleting an IKEv1 SA.
  • exchange timeout: Packet exchange times out.

Procedure

  • Cause: dpd timeout

    Perform the ping operation to check link reachability. If the link is unreachable, check the link and network configuration.

  • Cause: heartbeat timeout

    1. Perform the ping operation to check link reachability. If the link is unreachable, check the link configuration.

    2. Check the heartbeat configuration on the two ends. If the configuration is incorrect, correct it.

  • Cause: config modify or manual offline

    1. Check whether the tunnel is deleted manually or whether the SA is reset. If so, no operation is required.
    2. Check whether the IPSec configuration modified on the local end is correct. If not, correct the IPSec configuration.
    3. Check whether manually deleted IPSec policies are redundant. If they are not redundant, reapply IPSec policies to the interface.

  • Cause: phase1 hard expiry

    Check whether the IKE SA lifetime is proper. If not, modify the IKE SA lifetime.

  • Cause: phase2 hard expiry

    Check whether the IPSec SA lifetime is proper. If not, modify the IPSec SA lifetime.

  • Cause: peer address switch

    Check whether the faulty link needs to be repaired. If so, check the link and network configuration.

  • Cause: hard expiry triggered by port mismatch

    Check whether the two ends use the same NAT port number. If not, modify the NAT port numbers to be the same.

  • Cause: peer request

    Check log information of the remote device and determine the causes for the IPSec tunnel fault accordingly.

  • Cause: receive invalid spi notify

    If this fault occurs frequently, check whether the remote device status or configurations are abnormal.

  • Cause: dns resolution status change

    1. Ensure that the link between the device and DNS server is normal.
    2. Ensure that the DNS server is working properly.
    3. Ensure that the domain name configured using the remote-address host-name command is correct.

  • Cause: ikev1 phase1-phase2 sa dependent offline

    This symptom is normal and no operation is required if the devices at two ends can renegotiate the IKE SA and IPSec SA. Otherwise, you are advised to run the undo ikev1 phase1-phase2 sa dependent command on the local device to cancel dependency between IPSec SA and IKE SA during IKEv1 negotiation.

  • Cause: exchange timeout

    Ensure that the link is normal and the IPSec configuration is correct.

  • Cause: kick old sa with same flow

    Run the ipsec remote traffic-identical accept command to allow branch or other users to quickly access the headquarters network.

  • Cause: aaa cut user, disconnect track nqa/bfd/vrrp, re-auth timeout, phase1 sa replace, phase2 sa replace, spi conflict, nhrp notify

    This symptom is normal and no operation is required.
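
A triage script for this trap, added here as an example (it is not Huawei code): it parses the IPSEC/4/IPSECTUNNELSTOP message into its fields, sorts each OfflineReason by what the Procedure section asks for, and lists peers that repeatedly cause receive invalid spi notify. The log header, addresses, FlowInfo value, and the threshold of 3 for "frequently" are constructed assumptions.

```python
import re
from collections import Counter

# Reasons the Procedure section marks as normal (no operation required).
NORMAL = {"aaa cut user", "disconnect track nqa/bfd/vrrp", "re-auth timeout",
          "phase1 sa replace", "phase2 sa replace", "spi conflict", "nhrp notify"}
# Reasons whose procedure begins with a link or reachability check.
LINK = {"dpd timeout", "heartbeat timeout", "peer address switch",
        "exchange timeout", "dns resolution status change"}
TRAP = re.compile(r"IPSEC/4/IPSECTUNNELSTOP:\s*OID\s+(?P<oid>\S+)\s+"
                  r"The IPSec tunnel is deleted\.\s*\((?P<body>.*)\)\s*$")
# Name=value pairs; the lookahead also splits "SeqNum=1,TunnelIndex=2" (no space).
FIELD = re.compile(r"(\w[\w-]*)=(.*?)(?=,\s*\w[\w-]*=|$)")

def parse_trap(line):
    """Return the trap fields as a dict, or None for any other message."""
    m = TRAP.search(line)
    if not m:
        return None
    fields = {k: v.strip() for k, v in FIELD.findall(m.group("body"))}
    fields["oid"] = m.group("oid")
    return fields

def triage(fields):
    reason = fields.get("OfflineReason", "").lower()
    # "review" covers every other reason, including ones not listed on the page.
    return "normal" if reason in NORMAL else "check-link" if reason in LINK else "review"

def summarize(lines, spi_threshold=3):
    """Count triage classes; list peers (DstIP) with repeated invalid SPI notifies."""
    counts, spi = Counter(), Counter()
    for f in filter(None, map(parse_trap, lines)):
        counts[triage(f)] += 1
        if f.get("OfflineReason", "").lower() == "receive invalid spi notify":
            spi[f.get("DstIP")] += 1
    return dict(counts), sorted(ip for ip, n in spi.items() if n >= spi_threshold)

def sample(reason, dst):
    """Constructed log line: header, addresses and FlowInfo are made-up values."""
    return ("Mar  6 2019 10:00:01 AR1 IPSEC/4/IPSECTUNNELSTOP: OID "
            "1.3.6.1.4.1.2011.6.122.26.6.2 The IPSec tunnel is deleted. "
            "(Ifindex=5, SeqNum=10,TunnelIndex=7, RuleNum=5, DstIP=" + dst +
            ", InsideIP=0.0.0.0, RemotePort=500, CpuID=0, SrcIP=198.51.100.1, "
            "FlowInfo=sample-flow, OfflineReason=" + reason +
            ", VsysName=, InterfaceName=GigabitEthernet0/0/1, SlotID=0)")

SAMPLE = ([sample("receive invalid spi notify", "203.0.113.9")] * 3 +
          [sample("dpd timeout", "192.0.2.7"), sample("phase2 sa replace", "192.0.2.7"),
           "Mar  6 2019 10:00:02 AR1 some unrelated message"])
```

Calling `summarize(SAMPLE)` returns the per-class counts and the list of peers at or above the invalid-SPI threshold. The parser assumes no field value contains a `, Name=` sequence of its own.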

Updated: 2019-03-06

Document ID: EDOC1100041475
