2.26. IPSEC

Home Prev	cOS Stream 4.00.03 Log Reference Guide	Next

2.26.1. [ID: 1683] Failed to add dynamic route

Log Categories: IPSEC
Log Message: Failed to add dynamic route.
Default Log Severity: Error
Parameters: table, network, iface
Explanation: The system failed to add a dynamic route associated with an IPsec tunnel. This route will remain active inside the routing table, where it will interfere with matching traffic.
Gateway Action: None
Action Description: None
Proposed Action: Disconnect and reconnect the IPsec tunnel.

2.26.2. [ID: 278] Anti-replay check failed

Log Categories: IPSEC
Log Message: Anti-replay check failed.
Default Log Severity: Notice
Parameters: seqno, windowbase, windowsize, matchkey
Explanation: A packet with the same sequence number of the received packet has already been received, or the sequence number is too small to fall within the sliding window. It may be the result of a lagging packet or the packet may have been replayed by a third party.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.26.3. [ID: 606] Bad ciphertext length

Log Categories: IPSEC
Log Message: Bad ciphertext length.
Default Log Severity: Notice
Parameters: seqno, iplen, paylen, datalen, blklen, matchkey
Explanation: The received packet could not be decrypted because the length of the encrypted data was not a multiple of the cipher block length.
Gateway Action: Drop
Action Description: None
Proposed Action: If manual keying is used, check that both endpoints are configured with the same encryption algorithm and key.

2.26.4. [ID: 254] Bad IP version

Log Categories: IPSEC
Log Message: Bad IP version.
Default Log Severity: Notice
Parameters: seqno, ipver, matchkey
Explanation: The packet has a disallowed IP version.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.26.5. [ID: 464] Bad next header

Log Categories: IPSEC
Log Message: Bad next header.
Default Log Severity: Notice
Parameters: seqno, nexthdr, matchkey
Explanation: The packet did not contain the expected next layer protocol. This typically means that the packet was decrypted incorrectly.
Gateway Action: Drop
Action Description: None
Proposed Action: If manual keying is used, check that both endpoints are configured with the same encryption algorithm and key.

2.26.6. [ID: 604] Bad padding

Log Categories: IPSEC
Log Message: Bad padding.
Default Log Severity: Notice
Parameters: seqno, datalen, padlen, matchkey
Explanation: The received packet contained ill formatted padding. This typically means that the packet was decrypted incorrectly, but it could also mean that the two endpoints use different padding types.
Gateway Action: Drop
Action Description: None
Proposed Action: If manual keying is used, check that both endpoints are configured with the same encryption algorithm and key. Also, verify that the same padding type is used.

2.26.7. [ID: 282] Decryption failed

Log Categories: IPSEC
Log Message: Decryption failed.
Default Log Severity: Notice
Parameters: seqno, datalen, matchkey
Explanation: The received packet could not be decrypted, for example due to hardware congestion.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.26.8. [ID: 768] ECN codepoint mismatch

Log Categories: IPSEC
Log Message: ECN codepoint mismatch.
Default Log Severity: Warning
Parameters: seqno, outer, inner, matchkey
Explanation: The ECN codepoint of the inner and outer IP header did not match. The packet was dropped as an indication of congestion.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.26.9. [ID: 766] ECN codepoint mismatch

Log Categories: IPSEC
Log Message: ECN codepoint mismatch.
Default Log Severity: Notice
Parameters: seqno, outer, inner, new, matchkey
Explanation: The ECN codepoint of the inner and outer IP header did not match. The conflict was resolved using new.
Gateway Action: Adjust
Action Description: None
Proposed Action: None

2.26.10. [ID: 572] Encryption failed

Log Categories: IPSEC
Log Message: Encryption failed.
Default Log Severity: Notice
Parameters: seqno, datalen, matchkey
Explanation: The packet could not be encrypted, for example due to hardware congestion.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.26.11. [ID: 1057] Failed to generate IV

Log Categories: IPSEC
Log Message: Failed to generate IV.
Default Log Severity: Notice
Parameters: seqno, len, matchkey
Explanation: A initialization vector for the packet could not be generated, for example due to hardware congestion.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.26.12. [ID: 611] Integrity check failed

Log Categories: IPSEC
Log Message: Integrity check failed.
Default Log Severity: Notice
Parameters: seqno, matchkey
Explanation: The integrity check value of the received packet and the computed value did not match. This can be a result of that the integrity key differs from the key at the peer, that the packet changed in transit, or that the packet was sent by a third party.
Gateway Action: Drop
Action Description: None
Proposed Action: If manual keying is used, check that both endpoints are configured with the same integrity algorithm and key.

2.26.13. [ID: 413] Failed to allocate reassembly buffer

Log Categories: IPSEC,FRAG
Log Message: Failed to allocate reassembly buffer.
Default Log Severity: Notice
Parameters: seqno, pktlen, pkt
Explanation: The packet was fragmented and could not be reassembled because there were no free buffers available to hold the reassembled packet.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.26.14. [ID: 133] Reassembled packet exceeds allowed size

Log Categories: IPSEC,FRAG
Log Message: Reassembled packet exceeds allowed size.
Default Log Severity: Notice
Parameters: seqno, pktlen, pkt
Explanation: The packet was fragmented and could not be reassembled because it exceeded the maximum allowed size. See FragSettings:LocalReass_MaxSize.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.26.15. [ID: 487] Failed to reassemble packet

Log Categories: IPSEC,FRAG
Log Message: Failed to reassemble packet.
Default Log Severity: Notice
Parameters: seqno, pktlen, pkt
Explanation: The packet was fragmented and could not be reassembled.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.26.16. [ID: 1682] Failed to remove dynamic route

Log Categories: IPSEC
Log Message: Failed to remove dynamic route.
Default Log Severity: Critical
Parameters: table, network, iface
Explanation: The system failed to remove a dynamic route associated with an IPsec tunnel. This route will remain active inside the routing table, where it will interfere with matching traffic.
Gateway Action: None
Action Description
Proposed Action: While it is possible that the system may recover by itself, proper operation can no longer be guaranteed and a manual reboot is recommended.

2.26.17. [ID: 1696] Failed to remove IPsec policy rules

Log Categories: IPSEC
Log Message: Failed to remove IPsec policy rules.
Default Log Severity: Error
Parameters: localip, remoteip, spi, proto, localts, remotets, iface
Explanation: Failed to remove the IPsec policy rule from the rule database. Packets sent over the IPsec SA may still be allowed.
Gateway Action: None
Action Description: None
Proposed Action: A reboot of the system is recommended. Contact technical support if the problem persist.

2.26.18. [ID: 579] Failed to resize buffer

Log Categories: IPSEC
Log Message: Failed to resize buffer.
Default Log Severity: Debug
Parameters: seqno, pktlen, len, matchkey
Explanation: A packet buffer could not be resized to hold additional data.
Gateway Action: Drop
Action Description: None
Proposed Action: If this happens frequently, consider lowering the MTU of the IPsec tunnel.

2.26.19. [ID: 264] Packet too small

Log Categories: IPSEC
Log Message: Packet too small.
Default Log Severity: Notice
Parameters: seqno, iplen, paylen, matchkey
Explanation: The received packet was too small to contain a valid ESP, AH, or IPComp packet.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.26.20. [ID: 135] Payload too small

Log Categories: IPSEC
Log Message: Payload too small.
Default Log Severity: Notice
Parameters: seqno, nexthdr, matchkey
Explanation: The received packet was too small to contain the specified next layer protocol.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.26.21. [ID: 632] Low memory initializing SAD

Log Categories: IPSEC
Log Message: Low memory initializing SAD.
Default Log Severity: Warning
Parameters: size, new
Explanation: The security association database could not be initialized according to current settings due to low memory. The performance of the system may be degraded.
Gateway Action: Adjust
Action Description: The security association database has been configured for a lower number of entries
Proposed Action: Review system wide settings and try to tweak memory consuming features to use less memory.

2.26.22. [ID: 633] Out of memory initializing SAD

Log Categories: IPSEC
Log Message: Out of memory initializing SAD.
Default Log Severity: Critical
Parameters: size
Explanation: The security association database could not be initialized due to insufficient free memory.
Gateway Action: Abort
Action Description: None
Proposed Action: Review system wide settings and try to tweak memory consuming features to use less memory.

2.26.23. [ID: 339] Sequence number overflow

Log Categories: IPSEC
Log Message: Sequence number overflow.
Default Log Severity: Warning
Parameters: seqno, matchkey
Explanation: Attempted to transmit a packet that would result in sequence number overflow.
Gateway Action: Drop
Action Description: None
Proposed Action: None