Asset ID: 1-72-1446655.1
Update Date: 2012-08-30
Solution Type: Problem Resolution Sure
Solution 1446655.1: DSCP : ipsec_check_inbound_policy: Policy Failure for the incoming packet (not secure);
Related Items
- Sun SPARC Enterprise M9000-64 Server
- Sun SPARC Enterprise M9000-32 Server
- Sun SPARC Enterprise M8000 Server
- Sun SPARC Enterprise M4000 Server
- Sun SPARC Enterprise M5000 Server
- Sun SPARC Enterprise M3000 Server
Related Categories
- PLA-Support>Sun Systems>SPARC>Enterprise>SN-SPARC: Mx000
- .Old GCS Categories>Sun Microsystems>Servers>OPL Servers
IPSEC error messages on DSCP network between XSCF and Domain
Created from <SR 3-5504080344>
Applies to:
Sun SPARC Enterprise M4000 Server - Version Not Applicable and later
Sun SPARC Enterprise M5000 Server - Version Not Applicable and later
Sun SPARC Enterprise M8000 Server - Version Not Applicable and later
Sun SPARC Enterprise M9000-32 Server - Version Not Applicable and later
Sun SPARC Enterprise M9000-64 Server - Version Not Applicable and later
Information in this document applies to any platform.
Symptoms
The domain is reporting the following messages in the /var/adm/messages file:
Mar 25 10:40:52 XXXXX ip: [ID 372019 kern.error] ipsec_check_inbound_policy: Policy Failure for the incoming packet (not secure); Source 010.001.001.001, Destination 010.001.001.002.
Mar 25 10:47:19 XXXXX last message repeated 65 times
Mar 25 10:47:30 XXXXX ip: [ID 372019 kern.error] ipsec_check_inbound_policy: Policy Failure for the incoming packet (not secure); Source 010.001.001.001, Destination 010.001.001.002.
Mar 25 10:54:08 XXXXX last message repeated 67 times
The Source and Destination addresses are those of the DSCP network between the domain and the XSCF.
Cause
The XSCF sends the packet without an AH header. Such packets are correctly logged and dropped by the domain. This is a bug in the XSCF software.
Please see CR 7012224
Solution
Verify that this is the DSCP network by looking at the ifconfig output. For example, from ifconfig -a:
sppp0: flags=10010008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4,FIXEDMTU> mtu 1500 index 8
inet 10.1.1.2 --> 10.1.1.1 netmask ff000000
ether 0:0:0:0:0:0
Verify that we are actively trying to establish the connection using netstat.
The netstat -an output shows:
10.1.1.2.12 10.1.1.1.24 0 0 49560 0 SYN_SENT
(SYN_SENT: actively trying to establish a connection.)
Verify that the DSCP service is online:
fmri svc:/platform/sun4u/dscp:default
name DSCP Service
enabled true
state online
next_state none
state_time Fri Feb 10 14:20:31 2012
This is caused by CR 7012224: XSCF sends RST packets without an AH header when the DSCP service is restarted on the domain.
Verify that you are below XCP version 1110 by issuing the command "version -c xcp" on the XSCF.
If this is true, install XCP version 1110 on the XSCF. Be aware that Enterprise Management Ops Center must not be configured to harvest data from the XSCF, as this can cause the XSCF to become inaccessible. This bug will be fixed in a later revision of Ops Center.
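The first verification step, matching the logged Source and Destination against the sppp0 addresses, can be scripted over a collected messages file. The Python below is an added example, not part of the original document or of any Oracle tool; the function names and the sample input are constructed for illustration, and it assumes the log and ifconfig formats shown above.

```python
import re
from collections import Counter

# Constructed sample: four lines as in Symptoms, plus one invented non-DSCP failure.
_MSG = ("XXXXX ip: [ID 372019 kern.error] ipsec_check_inbound_policy: Policy Failure "
        "for the incoming packet (not secure); Source %s, Destination %s.")
SAMPLE_LOG = "\n".join([
    "Mar 25 10:40:52 " + _MSG % ("010.001.001.001", "010.001.001.002"),
    "Mar 25 10:47:19 XXXXX last message repeated 65 times",
    "Mar 25 10:47:30 " + _MSG % ("010.001.001.001", "010.001.001.002"),
    "Mar 25 10:54:08 XXXXX last message repeated 67 times",
    "Mar 25 11:02:00 " + _MSG % ("192.168.010.020", "192.168.010.005"),
])
# Constructed sppp0 address line in the ifconfig -a format shown above.
SAMPLE_IFCONFIG = "inet 10.1.1.2 --> 10.1.1.1 netmask ff000000"

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
FAIL_RE = re.compile(r"ipsec_check_inbound_policy: Policy Failure.*Source "
                     + IP + ", Destination " + IP)
REPEAT_RE = re.compile(r"last message repeated (\d+) times")
LINK_RE = re.compile("inet " + IP + " --> " + IP)

def unpad(addr):
    """The kernel logs zero-padded octets (010.001.001.001); ifconfig does not."""
    return ".".join(str(int(octet, 10)) for octet in addr.split("."))

def dscp_pair(ifconfig_line):
    """Return (domain address, XSCF address) from the point-to-point sppp0 line."""
    return LINK_RE.search(ifconfig_line).groups()

def count_failures(log_text):
    """Count dropped packets per (source, destination), folding in syslog repeats."""
    counts, last = Counter(), None
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            last = (unpad(m.group(1)), unpad(m.group(2)))
            counts[last] += 1
        elif (r := REPEAT_RE.search(line)) and last:
            counts[last] += int(r.group(1))
        else:
            last = None  # an unrelated message ends the repeat chain
    return counts

def classify(log_text, ifconfig_line):
    """Return (drops from XSCF to domain over DSCP, all other drops by address pair)."""
    domain, xscf = dscp_pair(ifconfig_line)
    counts = count_failures(log_text)
    dscp = counts.pop((xscf, domain), 0)
    return dscp, dict(counts)
```

Only the first value returned by classify() is explained by CR 7012224; any address pair in the second value is an IPsec policy failure on another interface and needs its own investigation.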
Please reference the following document to learn more about troubleshooting DSCP issues:
Troubleshooting the DSCP Service on Sun SPARC(R) Enterprise M3000/M4000/M5000/M8000/M9000 Servers <Document 1009921.1>
Please reference the following document to learn about XCP versions and where to find them:
Sun SPARC[TM] Enterprise M3000, M4000, M5000, M8000, M9000 XSCF Control Package (XCP) Firmware Image Software Version Matrix Information <Document 1002631.1>