Sun Microsystems, Inc.  Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition

Asset ID: 1-72-1446655.1
Update Date:2012-08-30

Solution Type  Problem Resolution Sure

Solution  1446655.1 :   DSCP : ipsec_check_inbound_policy: Policy Failure for the incoming packet (not secure);  


Related Items
  • Sun SPARC Enterprise M9000-64 Server
  • Sun SPARC Enterprise M9000-32 Server
  • Sun SPARC Enterprise M8000 Server
  • Sun SPARC Enterprise M4000 Server
  • Sun SPARC Enterprise M5000 Server
  • Sun SPARC Enterprise M3000 Server

Related Categories
  • PLA-Support>Sun Systems>SPARC>Enterprise>SN-SPARC: Mx000
  • .Old GCS Categories>Sun Microsystems>Servers>OPL Servers


IPSEC error messages on DSCP network between XSCF and Domain

In this Document
Symptoms
Cause
Solution
References


Created from <SR 3-5504080344>

Applies to:

Sun SPARC Enterprise M4000 Server - Version Not Applicable and later
Sun SPARC Enterprise M5000 Server - Version Not Applicable and later
Sun SPARC Enterprise M8000 Server - Version Not Applicable and later
Sun SPARC Enterprise M9000-32 Server - Version Not Applicable and later
Sun SPARC Enterprise M9000-64 Server - Version Not Applicable and later
Information in this document applies to any platform.

Symptoms

The domain is reporting the following messages in the /var/adm/messages file:

Mar 25 10:40:52 XXXXX ip: [ID 372019 kern.error] ipsec_check_inbound_policy: Policy Failure for the incoming packet (not secure); Source 010.001.001.001, Destination 010.001.001.002.
Mar 25 10:47:19 XXXXX last message repeated 65 times
Mar 25 10:47:30 XXXXX ip: [ID 372019 kern.error] ipsec_check_inbound_policy: Policy Failure for the incoming packet (not secure); Source 010.001.001.001, Destination 010.001.001.002.
Mar 25 10:54:08 XXXXX last message repeated 67 times

The Source and Destination addresses belong to the DSCP network between the domain and the XSCF.

Cause


The XSCF sends the packet without an AH (IPsec Authentication Header) header. The domain correctly logs and drops such packets. This is a bug in the XSCF software.

Please see CR 7012224.

Solution


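Verify that the Source and Destination addresses are on the DSCP network by checking the ifconfig output. The addresses on the sppp0 interface should match those in the messages, where each octet is printed zero-padded.

Example from ifconfig -a: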

sppp0: flags=10010008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4,FIXEDMTU> mtu 1500 index 8
inet 10.1.1.2 --> 10.1.1.1 netmask ff000000
ether 0:0:0:0:0:0

Verify with netstat that the domain is actively trying to establish the connection.

The netstat -an output shows:
==================
10.1.1.2.12          10.1.1.1.24              0      0 49560      0 SYN_SENT
(SYN_SENT: actively trying to establish a connection.)

Verify that the DSCP service is online:

fmri         svc:/platform/sun4u/dscp:default
name         DSCP Service
enabled      true
state        online
next_state   none
state_time   Fri Feb 10 14:20:31 2012

This is caused by CR 7012224: XSCF sends RST packets without an AH header when the DSCP service is restarted on the domain.

Check whether the XSCF is running an XCP version below 1110 by issuing the command "version -c xcp" on the XSCF.

If it is, install XCP version 1110 on the XSCF. Be aware that Enterprise Management Ops Center must not be configured to harvest data from the XSCF, as this can cause the XSCF to become inaccessible. This bug will be fixed in a later revision of Ops Center.
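
The first verification step above can be scripted. The following is an added example, not part of the original article or of any Sun tool: it tallies the policy-failure messages (expanding "last message repeated" lines), strips the zero-padding from the logged addresses, and separates failures on the sppp DSCP link from failures on any other link, which CR 7012224 does not explain. The function names are hypothetical, and the last sample log line (192.168.10.x) is constructed.

```python
import re

# Sample input: the first four log lines and the ifconfig text are from the article; the fifth log line is constructed.
MESSAGES = """\
Mar 25 10:40:52 XXXXX ip: [ID 372019 kern.error] ipsec_check_inbound_policy: Policy Failure for the incoming packet (not secure); Source 010.001.001.001, Destination 010.001.001.002.
Mar 25 10:47:19 XXXXX last message repeated 65 times
Mar 25 10:47:30 XXXXX ip: [ID 372019 kern.error] ipsec_check_inbound_policy: Policy Failure for the incoming packet (not secure); Source 010.001.001.001, Destination 010.001.001.002.
Mar 25 10:54:08 XXXXX last message repeated 67 times
Mar 25 11:02:00 XXXXX ip: [ID 372019 kern.error] ipsec_check_inbound_policy: Policy Failure for the incoming packet (not secure); Source 192.168.010.005, Destination 192.168.010.020.
"""
IFCONFIG = """\
sppp0: flags=10010008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4,FIXEDMTU> mtu 1500 index 8
inet 10.1.1.2 --> 10.1.1.1 netmask ff000000
"""

IP = r"(\d+(?:\.\d+){3})"
FAIL = re.compile(r"ipsec_check_inbound_policy: Policy Failure.*Source " + IP + ", Destination " + IP)
REPEAT = re.compile(r"last message repeated (\d+) times")
LINK = re.compile(r"^sppp\d+:.*\n\s*inet (\S+) --> (\S+)", re.M)  # assumes DSCP runs over an sppp link

def norm(addr):
    """Strip log zero-padding: 010.001.001.001 -> 10.1.1.1 (octets are decimal, not octal)."""
    return ".".join(str(int(octet, 10)) for octet in addr.split("."))

def dscp_pair(ifconfig_text):
    """Return (domain_addr, xscf_addr) from the sppp point-to-point entry, or None."""
    m = LINK.search(ifconfig_text)
    return (m.group(1), m.group(2)) if m else None

def count_failures(messages, ifconfig_text):
    """Count policy failures, split into XSCF -> domain (DSCP) and everything else."""
    pair = dscp_pair(ifconfig_text)
    counts = {"dscp": 0, "other": 0}
    last = None  # bucket of the most recent policy-failure line
    for line in messages.splitlines():
        m = FAIL.search(line)
        if m:
            src, dst = norm(m.group(1)), norm(m.group(2))
            last = "dscp" if pair and (dst, src) == pair else "other"
            counts[last] += 1
            continue
        r = REPEAT.search(line)
        if r and last:
            counts[last] += int(r.group(1))  # repeats belong to the preceding failure
        else:
            last = None  # an unrelated message breaks the repeat chain
    return counts

if __name__ == "__main__":
    print(count_failures(MESSAGES, IFCONFIG))
```

A non-zero "other" count means unauthenticated packets are being dropped on a link other than DSCP, which should be investigated separately rather than attributed to this XSCF bug.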

Please reference the following document to learn more about troubleshooting DSCP issues:
Troubleshooting the DSCP Service on Sun SPARC(R) Enterprise M3000/M4000/M5000/M8000/M9000 Servers <Document 1009921.1>


Please reference the following document to learn about XCP versions and where to find them:
Sun SPARC[TM] Enterprise M3000, M4000, M5000, M8000, M9000 XSCF Control Package (XCP) Firmware Image Software Version Matrix Information <Document 1002631.1>

References


Attachments
This solution has no attachment
  Copyright © 2012 Sun Microsystems, Inc.  All rights reserved.