display ike error-info

Function

The display ike error-info command displays information about IPSec tunnel negotiation failures using IKE.

The virtual system does not support this command.

Format

display ike error-info [ verbose ] [ peer remote-address ] [ slot slot-id cpu cpu-id ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| verbose | Displays details about IPSec tunnel negotiation failures using IKE. | - |
| peer remote-address | Displays information about IPSec tunnel negotiation failures using IKE with a specified remote IP address. | IPv4 address: The value is in dotted decimal notation; IPv6 address: The value is in colon hexadecimal notation. |
| slot slot-id cpu cpu-id | Displays information about IPSec tunnel negotiation failures using IKE with specified slot and CPU IDs. | The values of slot-id and cpu-id are integers and must be set according to the device configuration. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The command output contains information about the latest 200 IPSec tunnel negotiation failures using IKE.

Example

# Display information about IPSec tunnel negotiation failures using IKE.

<sysname> display ike error-info
                                                                                                  
  current info Num :2                                                                                                                
  Ike error information:                                                                                      
  current ike Error-info number :2                                                                                                   
  -----------------------------------------------------------------------------                                                        
  peer      port      error-reason                version     error-time                                                            
  -----------------------------------------------------------------------------                                                     
10.1.1.1   500       phase1 proposal mismatch     v1          2013-08-26 13:42:37                                                      
10.1.1.1   500       phase1 proposal mismatch     v1          2013-08-26 13:08:45 

# Display details about IPSec tunnel negotiation failures using IKE.

<sysname> display ike error-info verbose 
                                                 
  current info Num :1                                                                    
  Ike error information:                                                          
  current ike Error-info number :1                              
  --------------------------------------------------------------------------                        
  Peer       : 10.1.1.1                                               
  Port       : 500
  version    : v1                        
  Reason     : phase1 proposal mismatch
  Detail     : phase1 proposal mismatch 
  Error-time : 2013-08-26 12:02:37 
  --------------------------------------------------------------------------     
Table 1 Description of the display ike error-info command output

Item

Description

current info Num

Current information number.

Ike error information

Information about IPSec tunnel negotiation failures using IKE.

current ike Error-info number

Number of IPSec tunnel negotiation failures using IKE.

peer or Peer

Remote IP address.

port or Port

Peer UDP port number.

error-reason or Reason

Causes for IPSec tunnel negotiation failures using IKE:

  • phase1 proposal mismatch: IKE proposal parameters of the two ends do not match.
  • phase2 proposal or pfs mismatch: IPSec proposal parameters, pfs algorithm, or security ACL of the two ends do not match.
  • responder dh mismatch: The DH algorithm of the responder does not match.
  • initiator dh mismatch: The DH algorithm of the initiator does not match.
  • encapsulation mode mismatch: The encapsulation mode does not match.
  • flow or peer mismatch: The security ACL or IKE peer address of the two ends does not match.
  • version mismatch: The IKE version number of the two ends does not match.
  • peer address mismatch: The IKE peer address of the two ends does not match.
  • config ID mismatch: The IKE peer of the specified ID is not found.
  • exchange mode mismatch: The negotiation mode of the two ends does not match.
  • authentication fail: Identity authentication fails.
  • construct local ID fail: The local ID fails to be constructed.
  • rekey no find old sa: The old SA is not found during re-negotiation.
  • rekey fail: The old SA is going offline during re-negotiation.
  • first packet limited: The rate of the first packet is limited.
  • unsupported version: The IKE version number is not supported.
  • malformed message: Malformed message.
  • malformed payload: Malformed payload.
  • critical drop: Unidentified critical payload.
  • cookie mismatch: Cookie mismatch.
  • invalid cookie: Invalid cookie.
  • invalid length: Invalid packet length.
  • unknown exchange type: Unknown negotiation mode.
  • uncritical drop: Unidentified non-critical payload.
  • route limit: The number of injected routes has reached the upper limit.
  • ip assigned fail: IP address allocation fails.
  • eap authentication timeout: EAP authentication times out.
  • eap authentication fail: EAP authentication fails.
  • xauth authentication fail: XAUTH authentication fails.
  • xauth authentication timeout: XAUTH authentication times out.
  • license or specification limited: License limit.
  • local address mismatch: The local IP address in IKE negotiation and interface IP address do not match.
  • dynamic peers number reaches limitation: The number of IKE peers reaches the upper limit.
  • ipsec tunnel number reaches limitation: The number of IPSec tunnels reaches the upper limit.
  • netmask mismatch: The mask does not match the configured mask after the IPSec mask filtering function is enabled.
  • flow conflict: A data flow conflict occurs.
  • proposal mismatch or use sm in ikev2: IPSec proposals at both ends of the IPSec tunnel do not match or IKEv2 uses the SM algorithm.
  • ikev2 not support sm in ipsec proposal ikev2: IKEv2 does not support the SM algorithm used in the IPSec proposal.
  • no policy applied on interface: No policy is applied to an interface.
  • nat detection fail: NAT detection fails.
  • fragment packet limit: Fragment packets exceed the limit.
  • fragment packet reassemble timeout: Fragment packet reassembly times out.

version

IKE version.

Error-time/error-time

Time of IPSec tunnel negotiation failures using IKE.

Detail

Details about IPSec tunnel negotiation failures using IKE.

  • phase1 proposal mismatch: IKE proposal parameters of the two ends do not match.
  • phase2 proposal or pfs mismatch: IPSec proposal parameters, pfs algorithm, or security ACL of the two ends do not match.
  • responder dh mismatch: The DH algorithm of the responder does not match.
  • initiator dh mismatch: The DH algorithm of the initiator does not match.
  • encapsulation mode mismatch: The encapsulation mode does not match.
  • flow or peer mismatch: The security ACL or IKE peer address of the two ends does not match.
  • version mismatch: The IKE version number of the two ends does not match.
  • peer address mismatch: The IKE peer address of the two ends does not match.
  • config ID mismatch: The IKE peer of the specified ID is not found.
  • exchange mode mismatch: The negotiation mode of the two ends does not match.
  • authentication fail: Identity authentication fails.
  • construct local ID fail: The local ID fails to be constructed.
  • rekey no find old sa: The old SA is not found during re-negotiation.
  • rekey fail: The old SA is going offline during re-negotiation.
  • first packet limited: The rate of the first packet is limited.
  • unsupported version: The IKE version number is not supported.
  • malformed message: Malformed message.
  • malformed payload: Malformed payload.
  • critical drop: Unidentified critical payload.
  • cookie mismatch: Cookie mismatch.
  • invalid cookie: Invalid cookie.
  • invalid length: Invalid packet length.
  • unknown exchange type: Unknown negotiation mode.
  • uncritical drop: Unidentified non-critical payload.
  • route limit: The number of injected routes has reached the upper limit.
  • ip assigned fail: IP address allocation fails.
  • eap authentication timeout: EAP authentication times out.
  • eap authentication fail: EAP authentication fails.
  • xauth authentication fail: XAUTH authentication fails.
  • xauth authentication timeout: XAUTH authentication times out.
  • license or specification limited: License limit.
  • local address mismatch: The local IP address in IKE negotiation and interface IP address do not match.
  • dynamic peers number reaches limitation: The number of IKE peers reaches the upper limit.
  • ipsec tunnel number reaches limitation: The number of IPSec tunnels reaches the upper limit.
  • netmask mismatch: The mask does not match the configured mask after the IPSec mask filtering function is enabled.
  • flow conflict: A data flow conflict occurs.
  • proposal mismatch or use sm in ikev2: IPSec proposals at both ends of the IPSec tunnel do not match or IKEv2 uses the SM algorithm.
  • ikev2 not support sm in ipsec proposal ikev2: IKEv2 does not support the SM algorithm used in the IPSec proposal.
  • no policy applied on interface: No policy is applied to an interface.
  • nat detection fail: NAT detection fails.
  • fragment packet limit: Fragment packets exceed the limit.
  • fragment packet reassemble timeout: Fragment packet reassembly times out.
  • receive phase1 proposal mismatch: The received IKE proposal parameters do not match the local parameters.
  • receive phase2 proposal mismatch: The received IPSec proposal parameters do not match the local parameters.
  • phase2 proposal mismatch: IPSec proposal parameters on both ends do not match.
  • receive flow or peer mismatch: The received security ACL or IKE peer address does not match the local one.
  • (peer local or tunnel local or interface) address mismatch: The peer's local IP address, local tunnel IP address or interface IP address does not match the local one.
  • remote auth method mismatch: The peer authentication method does not match.
  • proc cert fail or inband cert validate fail: Failed to process or verify the certificate.
  • outband cert validate fail(rsa-signature): Certificate verification failed during RSA signature authentication.
  • hash value not equal(pre-share-key): The hash values are different during pre-shared key authentication.
  • hash value not equal(digital-envelope): The hash values are different during digital signature authentication.
  • verify sig data fail(rsa-signature): Failed to verify the signature.
  • proc auth payload fail(pre-share-key): Failed to process the authentication payload during pre-shared key authentication.
  • proc auth payload fail(rsa-signature): Failed to process the authentication payload during RSA signature authentication.
  • proc auth payload fail(eap): Failed to process the authentication payload during IKEv2 EAP authentication.
  • recv peer auth fail notification: An authentication failure notification from the peer end is received.
  • recv peer auth fail notification(pre-share-key): An authentication failure notification from the peer end is received during pre-shared key authentication.
  • recv peer auth fail notification(rsa-signature): An authentication failure notification from the peer end is received during RSA signature authentication.
  • recv peer auth fail notification(digital-envelope): An authentication failure notification from the peer end is received during digital signature authentication.
  • recv peer auth fail notification(eap): An authentication failure notification from the peer end is received during IKEv2 EAP authentication.
  • proc and auth ID payload fail(pre-share-key): The peer ID fails to be authenticated during pre-shared key authentication.
  • proc and auth ID payload fail(rsa-signature): The peer ID fails to be authenticated during RSA signature authentication.
  • proc and auth ID payload fail(eap): The peer ID fails to be authenticated during IKEv2 EAP authentication.
  • can not find key by cert: Failed to obtain the key pair corresponding to the certificate.
  • the cert is not valid: The certificate is invalid.
  • cert revoked by CRL: The certificate is revoked by the CRL.
  • unable to get issuer cert: The issuer cannot be found.
  • ocsp valid fail: Failed to check the certificate online.
  • cert filter check mismatch: The certificate filtering verification does not match.
  • no corresponding CRL: No corresponding CRL exists.
  • inband cert validate fail: Failed to verify the certificate.
  • cert PKI whitelist valid fail: Failed to verify the PKI certificate whitelist.
  • receive proposal mismatch or use sm in ikev2: The received IPSec proposal parameters do not match the local parameters or IKEv2 uses the SM algorithm.
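
The following Python example is added here and is not part of the original command reference. It parses the summary table printed by display ike error-info and counts failures per peer under three triage buckets (auth, packet, config); the bucket names and keyword grouping are assumptions of this example, and the sample output is constructed.

```python
import re
from collections import Counter

# Constructed sample in the column layout of the summary output on this page.
SAMPLE = """\
  current info Num :4
  Ike error information:
  current ike Error-info number :4
  -----------------------------------------------------------------------------
  peer      port      error-reason                version     error-time
  -----------------------------------------------------------------------------
10.1.1.1   500       phase1 proposal mismatch     v1          2013-08-26 13:42:37
10.1.1.1   500       phase1 proposal mismatch     v1          2013-08-26 13:08:45
10.2.2.2   500       authentication fail          v1          2013-08-26 13:50:01
10.3.3.3   500       malformed payload            v1          2013-08-26 13:51:12
"""

# peer (IPv4 or IPv6), port, free-text reason, version, timestamp.
ROW = re.compile(r"^\s*(?P<peer>[0-9A-Fa-f:.]+)\s+(?P<port>\d+)\s+(?P<reason>.+?)\s+"
                 r"(?P<version>v\d+)\s+(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*$")

# Triage buckets are this example's own grouping of the reason strings listed
# on this page; order matters ("cookie mismatch" is a packet error, not config).
BUCKETS = [
    ("auth", ("authentication", "auth fail", "auth payload", "auth id payload",
              "cert", "hash value", "verify sig")),
    ("packet", ("malformed", "invalid", "cookie", "critical drop",
                "unknown exchange type", "fragment", "first packet limited")),
    ("config", ("mismatch", "no policy applied")),
]

def bucket(reason):
    """Map a reason string to a triage bucket, or 'other' if none applies."""
    r = reason.lower()
    for name, keys in BUCKETS:
        if any(k in r for k in keys):
            return name
    return "other"

def parse_rows(text):
    """Return one dict per failure row; header and separator lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := ROW.match(line))]

def triage(rows):
    """Count failures per (peer, bucket) so repeated auth or packet errors stand out."""
    return Counter((r["peer"], bucket(r["reason"])) for r in rows)

if __name__ == "__main__":
    for (peer, kind), n in sorted(triage(parse_rows(SAMPLE)).items()):
        print(f"{peer:15} {kind:7} {n}")
```

Because the device keeps only the latest 200 failures, collect the output on a schedule if the counts are to be compared over time.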
Copyright © Huawei Technologies Co., Ltd.