This chapter describes IP Security Protocol (IPsec) messages. For information on message content and how to use the message, refer to the Introduction.
IPSP.001
Level: U-INFO
Short Syntax: IPSP.001 IPsec init
Long Syntax: IPSP.001 IPsec initialization
Description: This message is printed when IPsec is going through initialization.
IPSP.002
Level: UI-ERROR
Short Syntax: IPSP.002 IPsec unable to get mem
Long Syntax: IPSP.002 IPsec unable to get memory
Description: IPsec was unable to allocate the necessary memory. IPsec is unable to run because of this.
Cause: There is a shortage in heap memory, possibly because too many memory-intensive forwarders/protocols are running.
Action: Disable unnecessary forwarders/protocols or get more memory.
IPSP.003
Level: U-INFO
Short Syntax: IPSP.003 q ovrf source_ip_address -> destination_ip_address nt network ID
Long Syntax: IPSP.003 Queue overflow on packet from source_ip_address for destination_ip_address from net network ID
Description: This message is generated when the IP forwarder must discard a packet that was to be secured because of an IPsec input queue overflow.
Cause: IPsec input queue overflows happen when a packet is received from an interface that is short on buffers. The length of the IPsec queue is greater than the fair share. This may be caused by either a burst or a steady state of traffic arriving faster than the IP forwarder can encapsulate (secure) it.
Action: Reduce traffic bursts. Upgrade to a faster router.
IPSP.004
Level: P-TRACE
Short Syntax: IPSP.004 rcv pkt for encap source_ip_address -> destination_ip_address wth tid tunnel_id
Long Syntax: IPSP.004 Accepting packet for encapsulation from source_ip_address to destination_ip_address with tunnel_id tunnel_id
Description: This message is generated for each IP packet which is passing through the IPsec encapsulation module.
IPSP.005
Level: P-TRACE
Short Syntax: IPSP.005 rcv pkt for decap source_ip_address -> destination_ip_address
Long Syntax: IPSP.005 Accepting packet for decapsulation from source_ip_address to destination_ip_address
Description: This message is generated for each IP packet which is passing through the IPsec decapsulation module.
IPSP.006
Level: U-INFO
Short Syntax: IPSP.006 dsc IPsec pkt source_ip_address -> destination_ip_address nt Network ID no IPsec
Long Syntax: IPSP.006 Discarded IPsec packet from source_ip_address for destination_ip_address net Network ID, IPsec not enabled.
Description: This message is generated when an IP packet containing an IPsec protocol header is received and IPsec is not enabled. The packet is dropped since there are no active IPsec tunnels available to decapsulate the contents of the IPsec packet.
Cause: Received an IPsec protocol packet, but IPsec is not enabled.
IPSP.007
Level: UI-ERROR
Short Syntax: IPSP.007 IPsec function_name: tunl tunnel_id not active
Long Syntax: IPSP.007 IPsec function_name: tunnel tunnel_id is not active.
Description: An IP packet could not be secured because the designated tunnel is not active. The packet has been dropped.
IPSP.008
Level: UE-ERROR
Short Syntax: IPSP.008 addr msmtch IP src pkt_src_addr tunl src tunl_src_addr IP dst pkt_dst_addr tunl dst tunl_dst_addr tunl tunnel_id
Long Syntax: IPSP.008 address mismatch for transport mode tunnel - IP packet source address pkt_src_addr, tunnel source address tunl_src_addr, IP packet destination address pkt_dst_addr, tunnel destination address tunl_dst_addr, tunnel tunnel_id
Description: In transport mode, there is a mismatch in the IP packet addresses and the secure tunnel IP addresses.
IPSP.009
Level: CI-ERROR
Short Syntax: IPSP.009 error_message tunnl tunnel_id
Long Syntax: IPSP.009 Error: error_message tunnel tunnel_id
Description: There is an error as indicated by the error message.
IPSP.010
Level: UE-ERROR
Short Syntax: IPSP.010 pkt too short: pkt len length hdr len header_len
Long Syntax: IPSP.010 Packet too short: packet len length header len header_len
Description: An IPsec packet was received with a payload that was less than 8 bytes long.
IPSP.011
Level: P-TRACE
Short Syntax: IPSP.011 esp encap in mode mode alg algorithm tunl tunnel_id
Long Syntax: IPSP.011 esp encapsulation in mode mode algorithm algorithm tunnel tunnel_id
Description: An IP packet is being encapsulated using the IPsec Encapsulating Security Payload (ESP).
IPSP.012
Level: P-TRACE
Short Syntax: IPSP.012 esp encap with pad len pad_length spi SPI iv IV_1 IV_2 tunl tunnel_id
Long Syntax: IPSP.012 esp encapsulation with pad length pad_length security parameter index SPI initialization vector IV_1 IV_2 tunnel tunnel_id
Description: An IPsec ESP packet has been constructed.
IPSP.013
Level: P-TRACE
Short Syntax: IPSP.013 Module trc_msg
Long Syntax: IPSP.013 Module trc_msg
Description: This message is for internal informational purposes.
IPSP.014
Level: P-TRACE
Short Syntax: IPSP.014 esp decap with alg algorithm tunl tunnel_id
Long Syntax: IPSP.014 esp decapsulation with algorithm algorithm tunnel tunnel_id
Description: An IP packet containing the IPsec Encapsulating Security Payload (ESP) was received.
IPSP.015
Level: UE-ERROR
Short Syntax: IPSP.015 ESP decap: bad payload len payload_length tunl tunnel_id
Long Syntax: IPSP.015 ESP decapsulation: bad payload length payload_length tunnel tunnel_id
Description: An IPsec ESP packet was received that had an invalid payload length (lacked the proper payload padding).
IPSP.016
Level: UE-ERROR
Short Syntax: IPSP.016 ESP decap: bad payload len payload_len - pad len padding_length tunl tunnel_id
Long Syntax: IPSP.016 ESP decapsulation: bad payload length payload_len for padding length padding_length tunnel tunnel_id
Description: The payload length of an IPsec ESP packet is not correct since it is shorter than, or equal to, the padding length.
IPSP.017
Level: P-TRACE
Short Syntax: IPSP.017 ah encap in mode mode alg algorithm tunl tunnel_id
Long Syntax: IPSP.017 ah encapsulation in mode mode algorithm algorithm tunnel tunnel_id
Description: An IP packet is being encapsulated using the IPsec Authentication Header (AH).
IPSP.018
Level: P-TRACE
Short Syntax: IPSP.018 ah decap with alg algorithm tunl tunnel_id
Long Syntax: IPSP.018 ah decapsulation with algorithm algorithm tunnel tunnel_id
Description: An IP packet containing the IPsec Authentication Header (AH) was received.
IPSP.019
Level: UE-ERROR
Short Syntax: IPSP.019 AH decap: bad packet len payload_len tunl tunnel_id
Long Syntax: IPSP.019 AH decapsulation: bad packet length payload_len tunnel tunnel_id
Description: An IPsec AH packet was received that had an invalid payload length.
IPSP.020
Level: UI-ERROR
Short Syntax: IPSP.020 Module Decap: no tunl for src src_addr dst dst_addr spi spi
Long Syntax: IPSP.020 Module Decap: no active tunnel list entry for source address src_addr, destination address dst_addr, and security parameter index spi
Description: There was no active tunnel list entry for the IPsec packet received.
IPSP.021
Level: UI-ERROR
Short Syntax: IPSP.021 Init: init error for tunn ID tunnel_id, errcode= error_code
Long Syntax: IPSP.021 IPsec initialization: initialization error for tunnel ID tunnel_id, error code = error_code.
Description: An IPsec initialization error occurred. Save configuration file, record error code, and contact Customer Service.
IPSP.022
Level: U-INFO
Short Syntax: IPSP.022 tunl list add tunl tunnel_id - reason
Long Syntax: IPSP.022 An active tunnel list entry was added for tunnel ID tunnel_id - reason is reason.
Description: An entry in the active tunnel list was added.
IPSP.023
Level: U-INFO
Short Syntax: IPSP.023 tunl list del tunl tunnel_id - reason
Long Syntax: IPSP.023 An active tunnel list entry was deleted for tunnel ID tunnel_id - reason is reason.
Description: An entry in the active tunnel list was deleted.
IPSP.024
Level: U-INFO
Short Syntax: IPSP.024 IPsec enabled from console
Long Syntax: IPSP.024 The IPsec feature was enabled from the console.
Description: The IPsec feature was enabled from the console by the ENABLE IPSEC command.
IPSP.025
Level: U-INFO
Short Syntax: IPSP.025 IPsec disabled from console - disable_mode mode
Long Syntax: IPSP.025 The IPsec feature was disabled from the console. Disable mode is disable_mode.
Description: The IPsec feature was disabled from the console by the DISABLE IPSEC command.
IPSP.026
Level: UI-ERROR
Short Syntax: IPSP.026 IPsec Encryption Algorithm which_esp is not allowed on this tun id tun_id.
Long Syntax: IPSP.026 IPsec Encryption Algorithm which_esp is not allowed on this tunnel id tun_id.
Description: The configured ESP algorithm is not available on this router library.
IPSP.027
Level: P-TRACE
Short Syntax: IPSP.027 rcv pkt for encap source_ip_address -> destination_ip_address wth tid tunnel_id
Long Syntax: IPSP.027 Accepting packet for encapsulation from source_ip_address to destination_ip_address with tunnel_id tunnel_id
Description: This message is generated for each IPv6 packet which is passing through the IPsec encapsulation module.
IPSP.028
Level: UE-ERROR
Short Syntax: IPSP.028 addr msmtch IP src pkt_src_addr tunl src tunl_src_addr IP dst pkt_dst_addr tunl dst tunl_dst_addr tunl tunnel_id
Long Syntax: IPSP.028 address mismatch for transport mode tunnel - IP packet source address pkt_src_addr, tunnel source address tunl_src_addr, IP packet destination address pkt_dst_addr, tunnel destination address tunl_dst_addr, tunnel tunnel_id
Description: In transport mode, there is a mismatch in the IPv6 packet addresses and the secure tunnel IP addresses.
IPSP.029
Level: UI-ERROR
Short Syntax: IPSP.029 Module Decap: no tunl for src src_addr dst dst_addr spi spi
Long Syntax: IPSP.029 Module Decap: no active tunnel list entry for source address src_addr, destination address dst_addr, and security parameter index spi
Description: There was no active tunnel list entry for the IPsec packet received.
IPSP.030
Level: U-INFO
Short Syntax: IPSP.030 q ovrf source_ip_address -> destination_ip_address nt network ID
Long Syntax: IPSP.030 Queue overflow on packet from source_ip_address for destination_ip_address from net network ID
Description: This message is generated when the IP forwarder must discard a packet that was to be secured because of an IPsec input queue overflow.
Cause: IPsec input queue overflows happen when a packet is received from an interface that is short on buffers. The length of the IPsec queue is greater than the fair share. This may be caused by either a burst or a steady state of traffic arriving faster than the IP forwarder can encapsulate (secure) it.
Action: Reduce traffic bursts. Upgrade to a faster router.
IPSP.031
Level: U-INFO
Short Syntax: IPSP.031 dsc IPsec pkt source_ip_address -> destination_ip_address nt Network ID no IPsec
Long Syntax: IPSP.031 Discarded IPsec packet from source_ip_address for destination_ip_address net Network ID, IPsec not enabled.
Description: This message is generated when an IPv6 packet containing an IPsec protocol header is received and IPsec is not enabled. The packet is dropped since there are no active IPsec tunnels available to decapsulate the contents of the IPsec packet.
Cause: Received an IPsec protocol packet, but IPsec is not enabled.
IPSP.032
Level: P-TRACE
Short Syntax: IPSP.032 rcv pkt for decap source_ip_address -> destination_ip_address
Long Syntax: IPSP.032 Accepting packet for decapsulation from source_ip_address to destination_ip_address
Description: This message is generated for each IPv6 packet which is passing through the IPsec decapsulation module.
IPSP.033
Level: U-INFO
Short Syntax: IPSP.033 pkt bigger than PMTU source_ip_address -> destination_ip_address, pmtu pmtu, pkt size pktsize
Long Syntax: IPSP.033 Packet bigger than PMTU from source_ip_address to destination_ip_address, pmtu is pmtu, packet size is pktsize
Description: This message is generated for IPv6 packets that are being sent over a secure tunnel mode tunnel that are larger than the Path MTU of that tunnel. An ICMP "packet too big" message will be generated back to the host.
IPSP.034
Level: U-TRACE
Short Syntax: IPSP.034 tunnel tunnel_id aged, pmtu mtu
Long Syntax: IPSP.034 Tunnel tunnel_id aged out of table, path MTU mtu
Description: The path MTU aging timer has expired for the specified tunnel. The path MTU will be reset to the maximum MTU value and path MTU discovery will be started on the next packet to traverse this tunnel.
IPSP.035
Level: U-TRACE
Short Syntax: IPSP.035 pkt too big for tunnel tunnel_id, pmtu mtu
Long Syntax: IPSP.035 Packet Too Big ICMP message received for tunnel tunnel_id, path MTU is mtu
Description: A packet too big message has been received for a packet originated by this router on the specified tunnel. Path MTU Discovery will start for this tunnel.
IPSP.036
Level: UI-ERROR
Short Syntax: IPSP.036 Path MTU: no tunl for src src_addr dst dst_addr spi spi
Long Syntax: IPSP.036 Path MTU: no active tunnel list entry for source address src_addr, destination address dst_addr, and security parameter index spi
Description: There was no active tunnel list entry for the ICMP Packet Too Big packet received.
IPSP.037
Level: UI-ERROR
Short Syntax: IPSP.037 no mem for pmtu disc for tunnel_id
Long Syntax: IPSP.037 There is no memory available to perform Path MTU Discovery for tunnel_id
Description: There is not enough memory in the router to allocate the control blocks necessary for Path MTU Discovery for packets on the specified tunnel.
IPSP.038
Level: UI-ERROR
Short Syntax: IPSP.038 Path MTU: no tunl for src src_addr dst dst_addr spi spi
Long Syntax: IPSP.038 Path MTU: no active tunnel list entry for source address src_addr, destination address dst_addr, and security parameter index spi
Description: There was no active tunnel list entry for the ICMP Packet Too Big packet received.
IPSP.039
Level: U-INFO
Short Syntax: IPSP.039 pkt bigger than PMTU source_ip_address -> destination_ip_address, pmtu pmtu, pkt size pktsize
Long Syntax: IPSP.039 Packet bigger than PMTU from source_ip_address to destination_ip_address, pmtu is pmtu, packet size is pktsize
Description: This message is generated for IPv4 packets that are being sent over a secure tunnel mode tunnel that are larger than the Path MTU of that tunnel and the DF bit is set in the outer header. An ICMP "packet too big" message will be generated back to the host.
IPSP.040
Level: U-INFO
Short Syntax: IPSP.040 df bit not copied/set, sec pkt bigger than minimum, source_ip_address -> destination_ip_address, tnl tunnel
Long Syntax: IPSP.040 df bit in the outer header cannot be copied/set, the secured packet is greater than the minimum MTU, source_ip_address to destination_ip_address, tunnel tunnel
Description: This message is generated for IPv4 packets that are being sent over a secure tunnel mode tunnel. After the packet is secured, it is larger than the Path MTU of that tunnel. However, the incoming packet was less than or equal to the minimum MTU of 576, so an ICMP error message will not lower the size of the incoming packets. The configuration for this tunnel has the DF bit in the outer header being copied from the inner header or set, but this will not occur, since the packet must be allowed to fragment. The DF bit in the outer header will not be set.
IPSP.041
Level: P-TRACE
Short Syntax: IPSP.041 str_message alg algorithm tunl tunnel_id
Long Syntax: IPSP.041 str_message with algorithm algorithm tunnel tunnel_id
Description: ESP authentication is being performed on a packet.
IPSP.042
Level: P-TRACE
Short Syntax: IPSP.042 Add P2 tunl tunnel_id by IKE is msg
Long Syntax: IPSP.042 Add phase 2 tunnel tunnel_id by IKE is msg
Description: The result of adding a phase 2 tunnel by ISAKMP.
IPSP.043
Level: P-TRACE
Short Syntax: IPSP.043 tunl tunnel_id SA msg thrhld rchd. Strt rfrsh.
Long Syntax: IPSP.043 Tunnel tunnel_id SA msg threshold reached. Start refreshing.
Description: A condition has been met; refreshing of the SA starts.
IPSP.044
Level: CI-ERROR
Short Syntax: IPSP.044 error_message
Long Syntax: IPSP.044 Error: error_message
Description: There is an error as indicated by the error message.
IPSP.045
Level: P-TRACE
Short Syntax: IPSP.045 Rfrshng SA for P2 tunl tunnel_id by IKE is msg
Long Syntax: IPSP.045 Refreshing SA for phase 2 tunnel tunnel_id by IKE is msg
Description: The result of refreshing the SA for a phase 2 tunnel by ISAKMP.
IPSP.046
Level: P-TRACE
Short Syntax: IPSP.046 msg tunnel_id
Long Syntax: IPSP.046 msg tunnel_id
Description: General tracing message.
IPSP.047
Level: CI-ERROR
Short Syntax: IPSP.047 Conformance check failed from from_addr to to_addr tunn tun_id
Long Syntax: IPSP.047 Conformance check failed from from_addr to to_addr tunn tun_id
Description: The conformance check on a received packet failed.