IPSEC

aluIPsecTunnelAuthFailure

Table 1. aluIPsecTunnelAuthFailure properties

| Property name | Value |
|---|---|
| Application name | IPSEC |
| Event ID | 2014 |
| Event name | aluIPsecTunnelAuthFailure |
| SNMP notification prefix and OID | ALU-IPSEC-MIB.aluIPsecNotifications.1 |
| Default severity | minor |
| Message format string | Tunnel $aluIPsecTunnelName failed authentication. |

Cause

The trap aluIPsecTunnelAuthFailure is sent when authentication fails while bringing up an IPsec tunnel.

Effect

The IPsec tunnel does not come into service.

Recovery

Correct the mismatch in authentication parameters.

aluIPsecTunnelMalformedMessage

Table 2. aluIPsecTunnelMalformedMessage properties

| Property name | Value |
|---|---|
| Application name | IPSEC |
| Event ID | 2016 |
| Event name | aluIPsecTunnelMalformedMessage |
| SNMP notification prefix and OID | ALU-IPSEC-MIB.aluIPsecNotifications.3 |
| Default severity | minor |
| Message format string | Received a malformed message for tunnel $aluIPsecTunnelName. |

Cause

The trap aluIPsecTunnelMalformedMessage is sent when an IKE message is malformed or is missing a payload.

Effect

The IPsec tunnel does not come into service.

Recovery

A mismatched configuration between IPsec tunnel endpoints can cause the responder to send an IKE message with missing or unexpected payloads. Check IPsec logs on both ends and correct any issues.

aluIPsecTunnelMalformedPayload

Table 3. aluIPsecTunnelMalformedPayload properties

| Property name | Value |
|---|---|
| Application name | IPSEC |
| Event ID | 2015 |
| Event name | aluIPsecTunnelMalformedPayload |
| SNMP notification prefix and OID | ALU-IPSEC-MIB.aluIPsecNotifications.2 |
| Default severity | minor |
| Message format string | Received a malformed payload for tunnel $aluIPsecTunnelName. |

Cause

The trap aluIPsecTunnelMalformedPayload is sent when there is an IKE message with a malformed payload.

Effect

The IPsec tunnel does not come into service.

Recovery

A mismatched configuration between IPsec tunnel endpoints can cause the responder to send an IKE message with missing or unexpected payloads. Check IPsec logs on both ends and correct any issues.

aluIPsecTunnelTransformMismatch

Table 4. aluIPsecTunnelTransformMismatch properties

| Property name | Value |
|---|---|
| Application name | IPSEC |
| Event ID | 2017 |
| Event name | aluIPsecTunnelTransformMismatch |
| SNMP notification prefix and OID | ALU-IPSEC-MIB.aluIPsecNotifications.4 |
| Default severity | minor |
| Message format string | Tunnel $aluIPsecTunnelName has mismatched transform. |

Cause

The trap aluIPsecTunnelTransformMismatch is sent when there is a mismatch between IPsec transforms.

Effect

The IPsec tunnel does not come into service.

Recovery

A mismatched configuration between IPsec tunnel endpoints could be the cause. Check IPsec logs on both ends and correct any issues.

tIPsecBfdIntfSessStateChgd

Table 5. tIPsecBfdIntfSessStateChgd properties

| Property name | Value |
|---|---|
| Application name | IPSEC |
| Event ID | 2003 |
| Event name | tIPsecBfdIntfSessStateChgd |
| SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.3 |
| Default severity | minor |
| Message format string | BFD session on service $tIPsecNotifBfdIntfSvcId$ interface $tIPsecNotifBfdIntfIfName$ to peer $tIPsecNotifBfdIntfDestIp$ changed state to $tIPsecNotifBfdIntfSessState$. |

Cause

The operational state of a BFD session of the IPsec instance changed.

Effect

None.

Recovery

No recovery is necessary.

tIPsecRadAcctPlcyFailure

Table 6. tIPsecRadAcctPlcyFailure properties

| Property name | Value |
|---|---|
| Application name | IPSEC |
| Event ID | 2004 |
| Event name | tIPsecRadAcctPlcyFailure |
| SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.4 |
| Default severity | minor |
| Message format string | Failed to send RADIUS accounting request for policy $tIPsecRadAcctPlcyName$ due to: $tIPsecRadAcctPlcyFailReason$ |

Cause

The tIPsecRadAcctPlcyFailure notification is generated when a RADIUS accounting request was not sent out successfully to any of the RADIUS servers in the indicated accounting policy.

Effect

The RADIUS server may not receive the accounting information.

Recovery

Depending on the reason indicated in 'tIPsecRadAcctPlcyFailReason', the 'tIPsecRadAcctPlcyTable' configuration may need to be changed.

tIPsecRUSAFailToAddRoute

Table 7. tIPsecRUSAFailToAddRoute properties

| Property name | Value |
|---|---|
| Application name | IPSEC |
| Event ID | 2002 |
| Event name | tIPsecRUSAFailToAddRoute |
| SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.2 |
| Default severity | warning |
| Message format string | IPsec Remote-User tunnel $tIPsecRUTnlInetAddress$:$tIPsecRUTnlPort$ failed to add route to $tIPsecRUSARemAddr$/$tIPsecRUSARemAPrefLen$ because $tIPsecNotifReason$. |

Cause

The event is generated when creation of a remote-user tunnel fails.

Effect

None.

Recovery

No recovery is necessary.

tIPsecRuTnlEncapIpMtuTooSmall

Table 8. tIPsecRuTnlEncapIpMtuTooSmall properties

| Property name | Value |
|---|---|
| Application name | IPSEC |
| Event ID | 2007 |
| Event name | tIPsecRuTnlEncapIpMtuTooSmall |
| SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.7 |
| Default severity | warning |
| Message format string | Addition of tunnel encapsulation at IPsec remote user tunnel on SAP: $sapEncapValue$, service:$svcId$ for IP address $tIPsecNotifRUTnlInetAddress$: $tIPsecNotifRUTnlPort$ with configured MTU of $tIPsecNotifConfigIpMtu$, having encapsulated MTU of $tIPsecNotifConfigEncapIpMtu$ has an overhead of $tIPsecNotifEncapOverhead$. |

Cause

The tIPsecRuTnlEncapIpMtuTooSmall notification is generated when the addition of tunnel encapsulation to a packet at or near the IPsec remote user tunnel's configured IP MTU may cause it to exceed the tunnel's configured encapsulated IP MTU.

Effect

The pre-encapsulated packet may be fragmented, and will require reassembly by the tunnel remote endpoint, causing a performance impact.

Recovery

Configured IP MTU and/or encapsulated IP MTU may need to be changed depending on the size of the encapsulation overhead as indicated in 'tIPsecNotifEncapOverhead', and the transmission capabilities of the tunnel's transport network.

tIPsecRUTnlFailToCreate

Table 9. tIPsecRUTnlFailToCreate properties

| Property name | Value |
|---|---|
| Application name | IPSEC |
| Event ID | 2001 |
| Event name | tIPsecRUTnlFailToCreate |
| SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.1 |
| Default severity | warning |
| Message format string | Creation of an IPsec Remote-User tunnel $tIPsecNotifRUTnlInetAddress$:$tIPsecNotifRUTnlPort$ on SAP: $sapEncapValue$, service:$svcId$ failed because $tIPsecNotifReason$. |

Cause

The event is generated when creation of a remote-user tunnel fails.

Effect

None.

Recovery

No recovery is necessary.

tIPsecRUTnlRemoved

Table 10. tIPsecRUTnlRemoved properties

| Property name | Value |
|---|---|
| Application name | IPSEC |
| Event ID | 2013 |
| Event name | tIPsecRUTnlRemoved |
| SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.13 |
| Default severity | minor |
| Message format string | IPsec Remote-User tunnel $tIPsecNotifRUTnlInetAddress$:$tIPsecNotifRUTnlPort$ on SAP: $sapEncapValue$, service:$svcId$ was removed because $tIPsecNotifReason$. |

Cause

A tIPsecRUTnlRemoved notification is generated when a remote-user tunnel is removed for certain reasons, which are indicated by tIPsecNotifReason (e.g., failed to renew private address lease with DHCP server).

Effect

The IPsec tunnel becomes operationally out of service.

Recovery

N/A

tIPSecTrustAnchorPrfOprChg

Table 11. tIPSecTrustAnchorPrfOprChg properties

| Property name | Value |
|---|---|
| Application name | IPSEC |
| Event ID | 2005 |
| Event name | tIPSecTrustAnchorPrfOprChg |
| SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.5 |
| Default severity | minor |
| Message format string | $tIPsecTrustAnchorCAProfDown$ of the configured trust-anchors in profile $tIPsecTrustAnchorProfName$ are not operational |

Cause

The tIPSecTrustAnchorPrfOprChg notification is generated when not all of the trust-anchors in a profile are operational.

Effect

Authentication of tunnels configured with the trust-anchor-profile will fail if the trusted CA (Certificate Authority) in the certificate chain is not operational.

Recovery

Bring the trusted CA profile operationally up.

tIPsecTunnelEncapIpMtuTooSmall

Table 12. tIPsecTunnelEncapIpMtuTooSmall properties

| Property name | Value |
|---|---|
| Application name | IPSEC |
| Event ID | 2006 |
| Event name | tIPsecTunnelEncapIpMtuTooSmall |
| SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.6 |
| Default severity | warning |
| Message format string | Addition of tunnel encapsulation at IPsec static tunnel $tIPsecNotifIPsecTunnelName$ on SAP:$sapEncapValue$, service: $svcId$ with configured MTU of $tIPsecNotifConfigIpMtu$, having encapsulated MTU of $tIPsecNotifConfigEncapIpMtu$ has an overhead of $tIPsecNotifEncapOverhead$ |

Cause

The tIPsecTunnelEncapIpMtuTooSmall notification is generated when the addition of tunnel encapsulation to a packet at or near the IPsec static tunnel's configured IP MTU may cause it to exceed the tunnel's configured encapsulated IP MTU.

Effect

The pre-encapsulated packet may be fragmented, and will require reassembly by the tunnel remote endpoint, causing a performance impact.

Recovery

Configured IP MTU and/or encapsulated IP MTU may need to be changed depending on the size of the encapsulation overhead as indicated in 'tIPsecNotifEncapOverhead', and the transmission capabilities of the tunnel's transport network.

tmnxIPsecGWOperStateChange

Table 13. tmnxIPsecGWOperStateChange properties

| Property name | Value |
|---|---|
| Application name | IPSEC |
| Event ID | 2012 |
| Event name | tmnxIPsecGWOperStateChange |
| SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.12 |
| Default severity | minor |
| Message format string | Operational state change for IPsec Gateway $tmnxIPsecGWName$ on service $svcId$ and SAP $sapEncapValue$, admin state: $tmnxIPsecGWAdminState$, oper state: $tmnxIPsecGWOperState$, oper flags: $tmnxIPsecGWOperFlags$ |

Cause

The tmnxIPsecGWOperStateChange notification is generated when there is a state change in tmnxIPsecGWOperState for an IPsec gateway.

Effect

When the value of tmnxIPsecGWOperState is 'outOfService (3)', the IPsec gateway is operationally down and it is not ready to negotiate IKE sessions with remote clients. When the value of tmnxIPsecGWOperState is 'inService (2)', the IPsec gateway is operationally up. When the value of tmnxIPsecGWOperState is 'hold (5)', the IPsec gateway is operationally up but not ready to negotiate any new IKE sessions with remote clients.

Recovery

Please refer to tmnxIPsecGWOperFlags for information on why the gateway is operationally down.

tmnxIPsecTunnelOperStateChange

Table 14. tmnxIPsecTunnelOperStateChange properties

| Property name | Value |
|---|---|
| Application name | IPSEC |
| Event ID | 2011 |
| Event name | tmnxIPsecTunnelOperStateChange |
| SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.11 |
| Default severity | minor |
| Message format string | Operational state change for IPsec Tunnel $tmnxIPsecTunnelName$ on service $svcId$ and SAP $sapEncapValue$, admin state: $tmnxIPsecTunnelAdminState$, oper state: $tmnxIPsecTunnelOperState$, oper flags: $tmnxIPsecTunnelOperFlags$ |

Cause

The tmnxIPsecTunnelOperStateChange notification is generated when there is a change in tmnxIPsecTunnelOperState for an IPsec tunnel.

Effect

When the value of tmnxIPsecTunnelOperState is 'outOfService (3)', the IPsec tunnel is operationally down and traffic arriving at the tunnel endpoints will not be encapsulated and transported. When the value of tmnxIPsecTunnelOperState is 'inService (2)', the IPsec tunnel is operationally up. When the value of tmnxIPsecTunnelOperState is 'hold (5)', the IPsec tunnel is operationally up but not ready to re-establish the connection until the conditions indicated in the tmnxIPsecTunnelOperFlags are cleared.

Recovery

Please refer to tmnxIPsecTunnelOperFlags for information on why the tunnel is operationally down.

tmnxSecNotifCmptedCertChnChngd

Table 15. tmnxSecNotifCmptedCertChnChngd properties

| Property name | Value |
|---|---|
| Application name | IPSEC |
| Event ID | 2009 |
| Event name | tmnxSecNotifCmptedCertChnChngd |
| SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.9 |
| Default severity | minor |
| Message format string | Certificate chain changed to $tIPsecNotifCaProfNames$ in cert-profile $tIPsecNotifCertProfileName$ entry $tIPsecNotifCertProfEntryId$ |

Cause

The tmnxSecNotifCmptedCertChnChngd notification is generated when a computed certificate chain is changed due to a dependent CA profile being changed and brought into service.

Effect

The hash of the recomputed certificate chain, if changed, will be used for choosing cert-profile entry during new IPsec tunnel establishment.

Recovery

If the changed CA certificate is used as a trust-anchor at the peer, then the certificate should be updated at the peer as well to ensure correct cert-profile entry selection.

tmnxSecNotifCmptedCertHashChngd

Table 16. tmnxSecNotifCmptedCertHashChngd properties

| Property name | Value |
|---|---|
| Application name | IPSEC |
| Event ID | 2008 |
| Event name | tmnxSecNotifCmptedCertHashChngd |
| SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.8 |
| Default severity | minor |
| Message format string | Hash of certificate chain changed in cert-profile $tIPsecNotifCertProfileName$ entry $tIPsecNotifCertProfEntryId$ due to CA profile $tIPsecNotifCaProfNames$ |

Cause

The tmnxSecNotifCmptedCertHashChngd notification is generated when the hash of a certificate chain is changed.

Effect

The hash of the recomputed certificate chain will be used for choosing cert-profile entry during new IPsec tunnel establishment.

Recovery

If the changed CA certificate is used as a trust-anchor at the peer, then the certificate should be updated at the peer as well to ensure correct cert-profile entry selection.

tmnxSecNotifSendChnNotInCmptChn

Table 17. tmnxSecNotifSendChnNotInCmptChn properties

| Property name | Value |
|---|---|
| Application name | IPSEC |
| Event ID | 2010 |
| Event name | tmnxSecNotifSendChnNotInCmptChn |
| SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.10 |
| Default severity | minor |
| Message format string | Send-chain CA profile $tIPsecNotifCaProfNames$ not in the computed certificate chain of cert-profile $tIPsecNotifCertProfileName$ entry $tIPsecNotifCertProfEntryId$ |

Cause

The tmnxSecNotifSendChnNotInCmptChn notification is generated when a CA profile not belonging to the computed certificate chain is added to the send-chain of a cert-profile entry, or the certificate chain is changed such that a CA-profile in the send-chain is no longer a member of the chain.

Effect

The CA certificate(s) to be sent to the peer is not a member of the certificate chain that is requested by the peer for new IPsec tunnel establishment.

Recovery

Replace the send-chain CA profile that is not in the certificate chain with one that is.