R3303-HP HSR6800 Routers Security Configuration Guide

Sessions:
Peer address : 100.1.1.100
Peer version : 1.0
Peer priority : 10000
Peer role : Primary
Peer status : Ready
Troubleshooting group domain VPN
IKE SA negotiation failure
Symptom
Phase 1 IKE negotiation failed.
Analysis
If the failure occurred between GM and KS, the IKE configurations on the GM and KS do not match, or
the GM and KS cannot reach each other.
If the failure occurred between KSs, the IKE configurations on the KSs do not match, or the KSs cannot
reach each other.
Use the following command on the GM. The output shows that no IKE SAs have been generated.
<Router> display ike sa
total phase-1 SAs: 0
connection-id peer flag phase doi
----------------------------------------------------------------
Solution
If the failure occurred between GM and KS, verify that the IKE proposal and IKE peer configurations on
the GM and the KS match, and that the GM and the KS can reach each other.
If the failure occurred between KSs, verify that the IKE proposal and IKE peer configurations on the KSs
match, and that the KSs can reach each other.
GM registration failure
Symptom
The GM failed to register with the KS.
Analysis
Execute the following command on the GM:
<Router> display ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------------
18 90.1.1.1 RD|ST 1 GROUP
The output shows that only one IKE SA has been generated. No rekey SA or IPsec SA has been
generated.
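The two checks above can be scripted when many GMs need to be triaged. The following is an added example, not part of the HP guide: it parses the display ike sa output format shown in this section and maps it to the matching troubleshooting case. The function names, result strings, and the assumption that 90.1.1.1 is the KS address are hypothetical.

```python
import re

# Constructed samples: the two "display ike sa" outputs shown in this section.
NO_SA = """<Router> display ike sa
total phase-1 SAs: 0
connection-id peer flag phase doi
----------------------------------------------------------------
"""
ONE_SA = """<Router> display ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------------
18 90.1.1.1 RD|ST 1 GROUP
"""

TOTAL = re.compile(r"total phase-1 SAs:\s*(\d+)")
# Columns: connection-id, peer, flag, phase, doi
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")


def parse_ike_sa(text):
    """Return (declared phase-1 total, list of SA rows) from the CLI output."""
    m = TOTAL.search(text)
    if m is None:
        raise ValueError("no 'total phase-1 SAs' line: not display ike sa output")
    rows = []
    for line in text.splitlines():
        r = ROW.match(line)
        if r:
            rows.append({"id": int(r[1]), "peer": r[2],
                         "flags": r[3].split("|"),
                         "phase": int(r[4]), "doi": r[5]})
    return int(m[1]), rows


def triage(text, ks_addr):
    """Map GM output to the troubleshooting case it matches in this section."""
    total, rows = parse_ike_sa(text)
    to_ks = [r for r in rows if r["peer"] == ks_addr and r["phase"] == 1]
    if total == 0 or not to_ks:
        # No phase-1 SA toward the KS: check IKE proposal/peer and reachability.
        return "ike-sa-negotiation-failure"
    # Assumption: RD is the READY flag; the flag legend is not shown on this page.
    if any("RD" in r["flags"] and r["doi"] == "GROUP" for r in to_ks):
        # Phase 1 is up: next look for the rekey SA and IPsec SA.
        return "phase1-up-check-registration"
    return "phase1-not-ready"
```

A GM whose only phase-1 SA points at an address other than the configured KS is reported as a negotiation failure, because no IKE SA toward the KS exists.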