KMD System Log Messages
This chapter describes messages with the KMD prefix. They are generated by the key management process (kmd), which provides IP Security (IPSec) authentication services for encryption PICs.
KMD_CFG_IF_ID_POOL_NOT_FOUND
System Log Message
Unable to allocate logical interface for IPSec interface from pool pool-name: pool not found
Description
The key management process (kmd) maintains pools of logical interfaces for assignment to IP Security (IPSec) interfaces. It could not allocate a logical interface, because it could not access the indicated pool.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_CFG_IF_ID_POOL_NO_ENTRY
System Log Message
Unable to return logical interface interface-name.interface-unit to pool pool-name: no entry in pool for interface
Description
The key management process (kmd) maintains pools of logical interfaces for assignment to IP Security (IPSec) interfaces. It could not return the indicated logical interface to the indicated pool, because there was no entry for the interface in the pool.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_CFG_IF_ID_POOL_NO_INTERFACE
System Log Message
Unable to allocate logical interface for IPSec interface from pool pool-name: no interfaces available
Description
The key management process (kmd) maintains pools of logical interfaces for assignment to IP Security (IPSec) interfaces. It could not allocate a logical interface, because none were available in the indicated pool.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_CFG_IF_ID_POOL_RETURN_FAILED
System Log Message
Unable to return logical interface to pool pool-name: pool not found
Description
The key management process (kmd) maintains pools of logical interfaces for assignment to IP Security (IPSec) interfaces. It could not return a logical interface to the indicated pool, because it could not access the pool.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_DPD_FAILOVER_MANUAL_TUNNEL
System Log Message
Tunnel tunnel-name did not fail over: it is manual type
Description
An IP Security (IPSec) tunnel normally fails over to its backup when the key management process (kmd) detects a dead peer. Failover was not attempted for the indicated tunnel, which is configured as a manual type and so does not support failover.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_DPD_FAILOVER_MAX_ATTEMPTS
System Log Message
Number of failover attempts exceeded limit count for tunnel tunnel-name
Description
An IP Security (IPSec) tunnel fails over to its backup when the key management process (kmd) detects a dead peer. The key management process (kmd) stopped making failover attempts for the indicated tunnel, because the number of attempts exceeded the indicated limit configured for Internet Key Exchange (IKE) Phase 1 negotiations.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
Cause
Failover attempts can fail repeatedly if both the primary and backup peers are unreachable during the failover.
KMD_DPD_FAILOVER_NO_ACTIVE_PEER
System Log Message
Tunnel tunnel-name did not fail over: no active peer configured
Description
An IP Security (IPSec) tunnel normally fails over to its backup when the key management process (kmd) detects a dead peer. Failover was not attempted because the configuration for the indicated tunnel does not include information about an active peer.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_DPD_FAILOVER_NO_BACKUP_PEER
System Log Message
Tunnel tunnel-name did not fail over: no backup peer configured
Description
An IP Security (IPSec) tunnel normally fails over to its backup when the key management process (kmd) detects a dead peer. A failover attempt failed when the kmd process found that the configuration for the indicated tunnel does not include information about a backup peer.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_DPD_FAILOVER_NO_TUNNEL_CFG
System Log Message
Tunnel did not fail over: tunnel configuration not found
Description
An IP Security (IPSec) tunnel normally fails over to its backup when the key management process (kmd) detects a dead peer. Failover was not attempted because there was no configuration information for the tunnel.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_DPD_IKE_SERVER_NOT_FOUND
System Log Message
Unable to send DPD reply to remote peer remote-address:remote-port: no IKE server instance for local peer local-address:local-port
Description
The key management process (kmd) could not retrieve the Internet Key Exchange (IKE) server instance referenced by the indicated local peer (address and port), so it could not reply to the indicated remote peer (address and port) from the local peer.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_DPD_INVALID_ADDRESS
System Log Message
Unable to send DPD reply: local peer local-address; remote peer remote-address
Description
One of the indicated peer addresses (local or remote) was invalid, so the key management process (kmd) could not send a dead peer detection (DPD) reply to the remote peer.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_DPD_INVALID_SEQUENCE_NUMBER
System Log Message
Unable to send DPD reply: remote peer remote-address:remote-port provided invalid zero sequence number to local peer local-address:local-port
Description
The indicated remote peer (address and port) provided a zero sequence number, which is invalid, to the indicated local peer (address and port). As a result, the key management process (kmd) could not send a dead peer detection (DPD) reply to the remote peer.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_DPD_NO_LOCAL_ADDRESS
System Log Message
Unable to send DPD hello message from local peer local-address/local-port: address not found in instance service-set
Description
The indicated service set did not include an entry for the indicated local peer (address and port), so the key management process (kmd) could not send a dead peer detection (DPD) hello message from that peer.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_DPD_REMOTE_ADDRESS_CHANGED
System Log Message
Remote peer address for tunnel tunnel-name changed from old-address to new-address
Description
The remote peer address in the configuration for the indicated tunnel changed to a new value as indicated.
Type
Event: This message reports an event, not an error
Severity
notice
Facility
LOG_AUTH
KMD_DPD_REMOTE_PEER_NOT_FOUND
System Log Message
Unable to send DPD reply: DPD entry for remote peer remote-address:remote-port not found in IKE server instance service-set
Description
The Internet Key Exchange (IKE) server instance for the indicated service set did not include an entry for the indicated remote peer (address and port), so the key management process (kmd) could not send a dead peer detection (DPD) reply.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_DPD_UNEXPECTED_IKE_STATUS
System Log Message
DPD reply to remote peer remote-address:remote-port failed with unexpected status status for IKE server instance ike-instance
Description
A dead peer detection (DPD) reply sent to the indicated remote peer (address and port) failed and returned the indicated Internet Key Exchange (IKE) status code for the indicated IKE instance.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_AUTH_ALGORITHM_INVALID
System Log Message
Invalid authentication algorithm auth-algorithm-id negotiated in transform transform-id for use by protocol-name in tunnel tunnel-name
Description
During Internet Key Exchange (IKE) Phase 2 negotiation of the indicated transform, the indicated authentication algorithm was chosen to be used by the indicated protocol (Authentication Header [AH] or Encapsulating Security Payload [ESP]) for the indicated tunnel. The algorithm is not a valid value, so the associated security association (SA) was not established.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_DUPLICATE_LIFE_DURATION
System Log Message
Duplicate SA life duration value given in Quick Mode notification from remote-address:remote-port
Description
The IKE Quick Mode notification message from the indicated remote gateway and remote port contains a duplicate value for life duration, so the Quick Mode notification payload is dropped.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_DYNAMIC_SA_INSTALL_FAILED
System Log Message
Unable to install dynamic SA for tunnel tunnel-name
Description
Installation of a dynamic security association (SA) failed for the indicated tunnel during Internet Key Exchange (IKE) Phase 2.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_ENCRYPTION_INVALID
System Log Message
Invalid encryption algorithm negotiated in transform transform-id for use by ESP in tunnel tunnel-name
Description
During Internet Key Exchange (IKE) Phase 2 negotiation of the indicated transform, an encryption algorithm was chosen to be used by the Encapsulating Security Payload (ESP) protocol for the indicated tunnel. The algorithm is not a valid value, so the associated security association (SA) was not installed to the data path.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_IKE_SERVER_LOOKUP_FAILED
System Log Message
No IKE server to connect Phase-1 to remote-peer
Description
The IKE Phase-1 negotiation with the indicated remote gateway address failed because there is no corresponding IKE server running locally.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_IKE_SERVER_NOT_FOUND
System Log Message
Failed to connect to remote-address:remote-port as there is no IKE server context available in instance service-set
Description
There is no local IKE server context in the indicated service set, so the SPI delete notification request could not be sent.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_IKE_SRV_NOT_FOUND_CREATE
System Log Message
Local peer local-address:local-port could not inform remote peer remote-address:remote-port of SA creation failure: IKE server not found
Description
The key management process (kmd) could not connect to the indicated remote peer (address and port), because it could not locate an Internet Key Exchange (IKE) server for the indicated local peer (address and port). As a result, it could not notify the remote peer that a security association (SA) was not created.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_IKE_SRV_NOT_FOUND_DELETE
System Log Message
Unable to notify remote peer remote-address:remote-port that SPI was deleted: no IKE server for service set service-set
Description
The indicated service set did not have a local Internet Key Exchange (IKE) server context for the indicated remote peer (address and port). As a result, notification about deletion of a security parameter index (SPI) was not sent.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_ILLEGAL_REMOTE_GW_ID
System Log Message
Aborting Phase-1 negotiation. Cannot initiate negotiation with invalid Phase-1 remote remote-peer in instance: service-set
Description
The specified remote gateway identity is neither an IPv4 address nor an IPv6 address, so Phase-1 negotiation cannot be started.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_INCONSISTENT_P2_IDS
System Log Message
Inconsistent phase-2 (IPsec) identities, local : initiator = local-initiator responder = local-responder remote : initiator = remote-initiator responder = remote-responder
Description
Initiator and responder identities at the local end are inconsistent with the remote peer's identities. Quick Mode negotiation is aborted.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_INVALID_LIFE_TYPE
System Log Message
Invalid life type units-type found in the Quick Mode notification from remote-address:remote-port
Description
The IKE Quick Mode notification message from the indicated remote gateway and remote port contains an invalid life type. Seconds and kilobytes are the only life types currently supported, so the Quick Mode notification payload is dropped.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_KEY_NOT_SUPPORTED
System Log Message
Key type type not supported
Description
The key management process (kmd) retrieved a key of the indicated type during Internet Key Exchange (IKE) Phase 1. The key type is not one of the supported types, which are public/private and preshared.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_LIFETIME_DUPLICATE
System Log Message
Phase 2 lifetime notification message from remote peer remote-address:remote-port specified duplicate duration
Description
During Internet Key Exchange (IKE) Phase 2 negotiation, the indicated remote peer (address and port) sent a lifetime notification message that specified a duplicate value for the security association (SA) lifetime duration. As a result, the key management process (kmd) discarded the notification message.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_LIFETIME_LENGTH_UNEQUAL
System Log Message
Phase 2 lifetime notification message from remote peer remote-address:remote-port had unequal payload length
Description
During Internet Key Exchange (IKE) Phase 2 negotiation, the indicated remote peer (address and port) sent a lifetime notification message with an unequal payload length. As a result, the key management process (kmd) discarded the notification message.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_LIFETIME_NO_DURATION
System Log Message
Phase 2 lifetime notification message from remote peer remote-address:remote-port did not define duration
Description
During Internet Key Exchange (IKE) Phase 2 negotiation, the indicated remote peer (address and port) sent a lifetime notification message that did not specify a duration for the security association (SA) lifetime. As a result, the key management process (kmd) discarded the notification message.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_LIFETIME_TYPE_UNDEFINED
System Log Message
Phase 2 lifetime notification message from remote peer remote-address:remote-port did not specify life type
Description
During Internet Key Exchange (IKE) Phase 2 negotiation, the indicated remote peer (address and port) sent a lifetime notification message that did not specify a life type, making it impossible to determine the lifetime duration for the corresponding security association (SA). As a result, the key management process (kmd) discarded the notification message.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_LIFETIME_UNITS_INVALID
System Log Message
Phase 2 lifetime notification message from remote peer remote-address:remote-port specified invalid units type units-type
Description
During Internet Key Exchange (IKE) Phase 2 negotiation, the indicated remote peer (address and port) sent a lifetime notification message that specified the indicated type of units for the security association (SA) lifetime. The type is invalid (the acceptable units are seconds and kilobytes). As a result, the key management process (kmd) discarded the notification message.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_NEW_GROUP_UNSUPPORTED
System Log Message
New Group mode not supported
Description
Internet Key Exchange (IKE) New Group mode is not supported, so an attempt to start New Group negotiation failed.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_NO_LIFETIME
System Log Message
Duplicate life time payloads present in the notification from remote-address:remote-port. Dropping the notification.
Description
The IKE Quick Mode notification message from the indicated remote gateway and remote port contains two life type fields and no life duration field. The Quick Mode notification is dropped because it has insufficient information about the life duration.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_NO_LIFE_TYPE
System Log Message
Quick mode notification from remote-address:remote-port contains lifetime duration without corresponding SA lifetime payload.
Description
The IKE Quick Mode notification message from the indicated remote gateway and remote port does not contain a life type, so the existing life duration cannot be interpreted as being of a particular life type. The Quick Mode notification payload is dropped.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_NO_PROPOSAL_FOR_PHASE1
System Log Message
Aborting Phase-1negotiation. No proposal found to initiatenegotiation between local:local-peer and remote remote-peer in instance:service-set
Description
It is not possible to start the Phase-1 negotiation to the indicated remote gateway because there is no proposal present.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_NO_SPD_PHASE1_FUNC_PTR
System Log Message
Phase-1 SPD handler is not registered in instance:service-set
Description
Phase-1 negotiation cannot be initiated because the initialization function failed.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_P1_POLICY_LOOKUP_FAILURE
System Log Message
Policy lookup for Phase-1 [negotiation-role] failed for p1_local=local-peer p1_remote=remote-peer
Description
The IKE Phase-1 negotiation with the indicated remote gateway address failed because there is no IKE policy configured for use against the indicated remote gateway.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_P2_POLICY_LOOKUP_FAILURE
System Log Message
Policy lookup for Phase-2 [negotiation-role] failed for p1_local=local-peer p1_remote=remote-peer p2_local=local-prefix p2_remote=remote-prefix
Description
The IKE Phase-2 negotiation with the indicated remote gateway address failed because the traffic selectors proposed by the remote gateway address do not match any of the policies configured for the indicated local gateway address. The proposed traffic selectors are indicated by the Phase-2 local and remote IP prefixes.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_PHASE1_GROUP_UNREADABLE
System Log Message
Unable to read group attributes from IKE Phase 1 proposal
Description
The key management process (kmd) could not read the information in an Internet Key Exchange (IKE) Phase 1 proposal about the Diffie-Hellman (DH) group to use.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PHASE1_GROUP_UNSPECIFIED
System Log Message
Used DH group 1 because Phase 1 proposal did not specify group
Description
The key management process (kmd) assigned Diffie-Hellman (DH) group 1 to an Internet Key Exchange (IKE) Phase 1 proposal because no group was specified.
Type
Event: This message reports an event, not an error
Severity
error
Facility
LOG_AUTH
KMD_PM_PHASE1_IKE_SRV_NOT_FOUND
System Log Message
Unable to perform Phase 1 negotiation with remote peer remote-peer: no local IKE server
Description
The key management process (kmd) could not locate an Internet Key Exchange (IKE) server for the local peer. As a result, IKE Phase 1 negotiation failed with the indicated remote peer.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PHASE1_NO_IDENTITIES
System Log Message
Unable to begin Phase 1 negotiation for local peer service-set and remote peer local-peer in instance remote-peer
Description
Internet Key Exchange (IKE) Phase 1 negotiation did not begin, because either the local peer or remote peer was undefined for the indicated service set.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PHASE1_NO_SPD_HANDLER
System Log Message
No Phase 1 SPD handler registered for service set service-set
Description
A security policy database (SPD) handler is not registered for the indicated service set. As a result, Internet Key Exchange (IKE) Phase 1 negotiation did not begin.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PHASE1_POLICY_LOOKUP_FAIL
System Log Message
Unable to retrieve Phase 1 policy from negotiation-role (local peer local-peer, remote peer remote-peer)
Description
The key management process (kmd) could not retrieve a policy from the indicated participant to use during Internet Key Exchange (IKE) Phase 1 negotiation between the indicated local and remote peers.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PHASE1_POLICY_NOT_FOUND
System Log Message
Unable to find policy for Phase 1 negotiation between local peer local-peer and remote peer remote-peer in service set service-set
Description
The key management process (kmd) could not retrieve a policy for Internet Key Exchange (IKE) Phase 1 negotiation between the indicated local and remote peers in the indicated service set. As a result, Phase 1 did not begin.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PHASE1_POLICY_SEARCH_FAIL
System Log Message
No ike-policy found for ike-access-profile: access-profile, instance:service-set
Description
The key management process (kmd) could not retrieve the Phase 1 policy referenced by the indicated Internet Key Exchange (IKE) access profile for the indicated dynamic-endpoint service set.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PHASE1_PROTO_INVALID
System Log Message
Phase 1 transform specified invalid protocol received-value instead of SSH_IKE_PROTOCOL_ISAKMP (expected-value)
Description
The indicated protocol in a transform negotiated during Internet Key Exchange (IKE) Phase 1 is not a valid value. The only valid value is the Internet Security Association and Key Management Protocol (ISAKMP). The key management process (kmd) rejected the transform.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PHASE1_PROTO_NOT_ISAKMP
System Log Message
Protocol in IKE Phase 1 proposal was not ISAKMP as expected
Description
The protocol in an Internet Key Exchange (IKE) Phase 1 proposal was not the expected value, which is the Internet Security Association and Key Management Protocol (ISAKMP).
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PHASE1_PROTO_TWICE
System Log Message
Phase 1 transform included protocol protocol-id twice
Description
A transform negotiated during Internet Key Exchange (IKE) Phase 1 specified the indicated protocol twice, which is invalid. The key management process (kmd) rejected the transform.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PHASE1_TXFORM_INCOMPLETE
System Log Message
Phase 1 transform was missing mandatory attributes
Description
A transform negotiated during Internet Key Exchange (IKE) Phase 1 did not include values for all attributes. One or more of the following was missing: the authentication algorithm, encryption algorithm, or Diffie-Hellman group. The key management process (kmd) rejected the transform.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PHASE1_TXFORM_INVALID
System Log Message
Phase 1 transform specified invalid transform ID received-value instead of expected-value
Description
The indicated identifier for a transform negotiated during Internet Key Exchange (IKE) Phase 1 is not the indicated expected value. The key management process (kmd) rejected the transform.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PHASE2_IDENTITY_MISMATCH
System Log Message
Phase 2 identities did not match: local initiator local-initiator, responder local-responder; remote initiator remote-initiator, responder remote-responder
Description
The indicated initiator and responder identities defined by the local peer did not match the indicated identities defined by the remote peer. The key management process (kmd) canceled Internet Key Exchange (IKE) Phase 2 negotiation.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PHASE2_NOTIF_UNKNOWN
System Log Message
Unknown Phase 2 notification notification-name (type notification-type, size length bytes) from remote-address:remote-port for protocol protocol-id (SPI(size)=data)
Description
The indicated Internet Key Exchange (IKE) Phase 2 notification message from the indicated remote peer (address and port) is a type that the key management process (kmd) does not support. As a result, the kmd process discarded the message and Phase 2 negotiation failed.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PHASE2_POLICY_LOOKUP_FAIL
System Log Message
Unable to retrieve policy for Phase 2 from negotiation-role (Phase 1 local peer local-peer, remote peer remote-peer; Phase 2 local peer local-prefix, remote peer remote-prefix)
Description
The key management process (kmd) could not retrieve a policy from the indicated participant to use during Internet Key Exchange (IKE) Phase 2 negotiation for the indicated local and remote peers. The traffic selectors proposed by the remote peer (represented by the indicated Phase 2 IP prefixes) do not match any local peer policies.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PHASE2_SELECTOR_UNDEFINED
System Log Message
Unable to start Phase 2: No traffic-selector addresses defined for SA sa-name
Description
The configuration for the indicated security association (SA) did not include the information about local and remote traffic selectors required for Internet Key Exchange (IKE) Phase 2, so that phase did not begin.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PROPOSAL_NO_AUTH
System Log Message
AH proposal did not define authentication algorithm
Description
An Internet Key Exchange (IKE) Phase 2 proposal did not define the authentication algorithm for the Authentication Header (AH) protocol to use. The key management process (kmd) rejected the proposal.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PROPOSAL_NO_ENCRYPTION
System Log Message
ESP proposal did not define encryption algorithm
Description
An Internet Key Exchange (IKE) Phase 2 proposal did not define the encryption algorithm for the Encapsulating Security Payload (ESP) protocol to use. The key management process (kmd) rejected the proposal.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PROPOSAL_NO_KEY_LENGTH
System Log Message
Phase 2 proposal did not specify length for variable key-length cipher cipher
Description
An Internet Key Exchange (IKE) Phase 2 proposal did not define the key length for the indicated variable-length cipher. As a result, the key management process (kmd) rejected the proposal.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PROPOSAL_NULL_ESP
System Log Message
ESP was negotiated with null encryption and authentication
Description
Encapsulating Security Payload (ESP) was negotiated as the protocol during Internet Key Exchange (IKE) Phase 2, but no values were negotiated for the authentication and encryption algorithms. As a result, the key management process (kmd) rejected the transform.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PROPOSAL_PROTOCOL_INVALID
System Log Message
Protocol protocol-id in Phase 2 proposal was invalid (was not AH or ESP)
Description
An Internet Key Exchange (IKE) Phase 2 proposal specified the indicated protocol, which is invalid. The acceptable protocols are Authentication Header (AH) and Encapsulating Security Payload (ESP). The key management process (kmd) rejected the proposal.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PROTO_INVALID
System Log Message
Invalid protocol protocol-id was negotiated for SA sa-name
Description
During Internet Key Exchange (IKE) Phase 2, the indicated protocol was chosen for the indicated security association (SA). It is not a valid value, so the SA was not established.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PROTO_IPCOMP_UNSUPPORTED
System Log Message
Unsupported IPComp protocol was negotiated for SA sa-name
Description
During Internet Key Exchange (IKE) Phase 2, the IP Payload Compression Protocol (IPComp) was chosen for the indicated security association (SA). IPComp is not supported, so the SA was not established.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PROTO_ISAKMP_RESV_UNSUPP
System Log Message
Unsupported protocol ISAKMP or RESERVED was negotiated for SA sa-name
Description
During Internet Key Exchange (IKE) Phase 2, either Internet Security Association and Key Management Protocol (ISAKMP) or the value RESERVED was chosen as the protocol for the indicated security association (SA). They are not supported values, so the SA was not established.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_PROTO_NOT_NEGOTIATED
System Log Message
No protocol negotiated for SA sa-name
Description
While verifying the results of Internet Key Exchange (IKE) Phase 2, the key management process (kmd) determined that no protocol was negotiated for the indicated security association (SA). The SA was not established.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_REMOTE_PEER_INVALID
System Log Message
Phase 1 negotiation failed: remote address remote-peer in instance service-set is invalid
Description
Internet Key Exchange (IKE) Phase 1 negotiation failed because the indicated remote peer address in the indicated service set is not a valid IP version 4 (IPv4) or IP version 6 (IPv6) address.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_SA_CFG_NOT_FOUND
System Log Message
Unable to install negotiated Phase 2 values: SA sa-name configuration not found
Description
The key management process (kmd) could not retrieve configuration information for the indicated security association (SA), and so could not record the values that were negotiated for the SA during Internet Key Exchange (IKE) Phase 2. The SA was not established.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_SA_DELETE_REJECT
System Log Message
Rejected SA deletion request for service set service-set: SPI size (size) is not 4 (local peer local-address:local-port, remote peer remote-address:remote-port)
Description
The key management process (kmd) discarded a message that requested deletion of a security association (SA) between the indicated local peer (address and port) and remote peer (address and port), because the indicated size of the associated Security Parameter Index (SPI) was not as expected. As a result, the SA was not deleted.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_SA_INDEX_GEN_FAILED
System Log Message
Unable to generate pair index for SA sa-name in service set service-set
Description
The key management process (kmd) could not generate a pair index for the indicated security association (SA) in the indicated service set. The kmd process canceled Internet Key Exchange (IKE) Phase 2 negotiation.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_SA_PEER_ABSENT
System Log Message
No active peer found in tunnel configuration block sa-name
Description
Active peer information was not found in the tunnel configuration block, so SA delete notifications could not be sent to the peer.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_SA_PEER_NOT_FOUND
System Log Message
Unable to find active peer for SA sa-name
Description
The key management process (kmd) could not retrieve information about an active peer from the configuration for the indicated security association (SA). As a result, it could not notify peers that an SA was deleted.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_SPI_DELETE_REJECT
System Log Message
IKE Phase-2 delete:In instance service-set rejecting request to delete SPI size sizeu != 4 Local gateway local-address:local-port, Remote gateway remote-address:remote-port
Description
The SPI size in the delete notification is invalid, so the delete request is rejected and the Quick Mode notification payload is dropped.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_UNEQUAL_PAYLOAD_LENGTH
System Log Message
Inconsistent payload lengths in Quick Mode responder life time notification from remote-address:remote-port
Description
The IKE Quick Mode notification is dropped because the payload lengths received in the message are unequal.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_UNINITIALISE_ERROR
System Log Message
Invalid policy managerhandle to uninitialize service-set
Description
Failed to uninitialize the Policy manager object while deleting the indicated service set.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_UNINITIALIZE_FAILED
System Log Message
Unable to uninitialize service set service-set: invalid policy manager handle
Description
The key management process could not delete the indicated service set, because lack of a valid handle prevented the kmd process from uninitializing the policy manager object for the service set.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_PM_UNKNOWN_P1_IDENTITIES
System Log Message
Failed to initiate the Phase-1 negotiation for local:local-peer and remote:remote-peer in instance:service-set
Description
Phase-1 negotiation cannot be started because either the local gateway identity or the remote gateway identity is unknown.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_UNKNOWN_PHASE2_ENTITIES
System Log Message
No Phase-2 entities present in tunnel configuration block sa-name
Description
Unable to initiate Phase-2 negotiation because the local and remote traffic selectors in the indicated security association configuration block are unknown. For the Adaptive Services PIC, the security association configuration block refers to the tunnel configured under a service set with a given rule name and term name.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_UNKNOWN_QM_NOTIFICATION
System Log Message
Unknown Quick mode notification notification-name (notification-type) (size lengthubytes) from remote-address:remote-port for protocol=protocol-idd spi(sizeu)=data
Description
The notification message sent by the indicated remote gateway and remote port is not recognized, so the Quick Mode notification payload is dropped.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_UNSUPPORTED_KEY
System Log Message
Key type = type, not supported
Description
The specified key type is unsupported. Public/private and pre-shared keys are the only types currently supported.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_PM_UNSUPPORTED_MODE
System Log Message
New group mode not supported currently
Description
The IKE New Group mode negotiation failed because New Group mode is not currently supported.
Type
Error: An error occurred
Severity
error
Facility
LOG_SYSLOG
KMD_SNMP_EXTRA_RESPONSE
System Log Message
PIC pic-slot sent additional response after reply to SNMP query: error-message
Description
The indicated PIC sent an additional unexpected message after it responded to a request from the key management process (kmd) for Simple Network Management Protocol (SNMP) statistics about IP Security (IPSec) security associations (SAs). As a result, the kmd process discarded the initial response.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_SNMP_FATAL_ERROR
System Log Message
Fatal SNMP error occurred: error-message
Description
The key management process (kmd) could not retrieve Simple Network Management Protocol (SNMP) statistics about IP Security (IPSec) security associations (SAs), because the indicated fatal SNMP error occurred.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_SNMP_IKE_SERVER_NOT_FOUND
System Log Message
Unable to fulfill SNMP request: could not fetch IKE server context for service set service-set
Description
The key management process (kmd) could not retrieve the Internet Key Exchange (IKE) server context for the indicated service set. As a result, it could not process a request for Simple Network Management Protocol (SNMP) statistics.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_SNMP_MALLOC_FAILED
System Log Message
Unable to allocate memory for reply buffer; SNMP query to PIC pic-slot failed
Description
The key management process (kmd) could not allocate memory for the buffer it uses to store Simple Network Management Protocol (SNMP) statistics about IP Security (IPSec) security associations (SAs). As a result, it could not retrieve statistics from the indicated PIC.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_SNMP_PIC_CONNECTION_FAILED
System Log Message
Unable to connect to PIC pic-slot; SNMP query failed
Description
The key management process (kmd) could not open a connection to the indicated PIC. As a result, it could not retrieve Simple Network Management Protocol (SNMP) statistics about IP Security (IPSec) security associations (SAs).
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_SNMP_PIC_NO_RESPONSE
System Log Message
PIC pic-slot did not respond to SNMP query: error-message
Description
The indicated PIC did not respond to a request from the key management process (kmd) for Simple Network Management Protocol (SNMP) statistics about IP Security (IPSec) security associations (SAs).
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_SNMP_PIC_SLOT_NOT_FOUND
System Log Message
Unable to retrieve slot information for PIC pic-slot; SNMP query failed
Description
The key management process (kmd) could not retrieve information about the slot housing the indicated PIC. As a result, it could not retrieve Simple Network Management Protocol (SNMP) statistics about IP Security (IPSec) security associations (SAs) from the PIC.
Type
Error: An error occurred
Severity
error
Facility
LOG_AUTH
KMD_VPN_DFBIT_STATUS_MSG
System Log Message
The DF-BIT for VPN vpn-name has been set to argument.
Description
VPN DF bit status has been set.
Type
Event: This message reports an event, not an error
Severity
info
Facility
LOG_DAEMON
KMD_VPN_DOWN_ALARM_USER
System Log Message
VPN vpn-name from remote-address is down.
Description
Notification to the user that the VPN monitor detected that the IPSec SA is down.
Type
Event: This message reports an event, not an error
Severity
info
Facility
LOG_DAEMON
KMD_VPN_UP_ALARM_USER
System Log Message
VPN vpn-name from remote-address is up.
Description
Notification to the user that the VPN monitor detected that the IPSec SA is up.
Type
Event: This message reports an event, not an error
Severity
info
Facility
LOG_DAEMON