IPSEC
tIPsecBfdIntfSessStateChgd
Property name | Value |
---|---|
Application name | IPSEC |
Event ID | 2003 |
Event name | tIPsecBfdIntfSessStateChgd |
SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.3 |
Default severity | minor |
Message format string | BFD session on service $tIPsecNotifBfdIntfSvcId$ interface $tIPsecNotifBfdIntfIfName$ to peer $tIPsecNotifBfdIntfDestIp$ changed state to $tIPsecNotifBfdIntfSessState$. |
Cause | The operational state of a BFD session of the IPsec instance changed. |
Effect | None. |
Recovery | No recovery is necessary. |
tIPsecRadAcctPlcyFailure
Property name | Value |
---|---|
Application name | IPSEC |
Event ID | 2004 |
Event name | tIPsecRadAcctPlcyFailure |
SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.4 |
Default severity | minor |
Message format string | Failed to send RADIUS accounting request for policy $tIPsecRadAcctPlcyName$ due to: $tIPsecRadAcctPlcyFailReason$ |
Cause | The tIPsecRadAcctPlcyFail notification is generated when a RADIUS accounting request was not sent out successfully to any of the RADIUS servers in the indicated accounting policy. |
Effect | The RADIUS server may not receive the accounting information. |
Recovery | Depending on the reason indicated as per 'tIPsecRadAcctPlcyFailReason', 'tIPsecRadAcctPlcyTable' configuration may need to be changed. |
tIPsecRUSAFailToAddRoute
Property name | Value |
---|---|
Application name | IPSEC |
Event ID | 2002 |
Event name | tIPsecRUSAFailToAddRoute |
SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.2 |
Default severity | warning |
Message format string | IPsec Remote-User tunnel $tIPsecRUTnlInetAddress$:$tIPsecRUTnlPort$ failed to add route to $tIPsecRUSARemAddr$/$tIPsecRUSARemAPrefLen$ because $tIPsecNotifReason$. |
Cause | The event is generated when creation of a remote-user tunnel fails. |
Effect | None. |
Recovery | No recovery is necessary. |
tIPsecRuTnlEncapIpMtuTooSmall
Property name | Value |
---|---|
Application name | IPSEC |
Event ID | 2007 |
Event name | tIPsecRuTnlEncapIpMtuTooSmall |
SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.7 |
Default severity | warning |
Message format string | Addition of tunnel encapsulation at IPsec remote user tunnel on SAP: $sapEncapValue$, service:$svcId$ for IP address $tIPsecNotifRUTnlInetAddress$: $tIPsecNotifRUTnlPort$ with configured MTU of $tIPsecNotifConfigIpMtu$, having encapsulated MTU of $tIPsecNotifConfigEncapIpMtu$ has an overhead of $tIPsecNotifEncapOverhead$. |
Cause | The tIPsecRuTnlEncapIpMtuTooSmall notification is generated when the addition of tunnel encapsulation to a packet at or near the IPsec remote user tunnel's configured IP MTU may cause it to exceed the tunnel's configured encapsulated IP MTU. |
Effect | The pre-encapsulated packet may be fragmented, and will require reassembly by the tunnel remote endpoint, causing a performance impact. |
Recovery | Configured IP MTU and/or encapsulated IP MTU may need to be changed depending on the size of the encapsulation overhead as indicated in 'tIPsecNotifEncapOverhead', and the transmission capabilities of the tunnel's transport network. |
tIPsecRUTnlFailToCreate
Property name | Value |
---|---|
Application name | IPSEC |
Event ID | 2001 |
Event name | tIPsecRUTnlFailToCreate |
SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.1 |
Default severity | warning |
Message format string | Creation of an IPsec Remote-User tunnel $tIPsecNotifRUTnlInetAddress$:$tIPsecNotifRUTnlPort$ on SAP: $sapEncapValue$, service:$svcId$ failed because $tIPsecNotifReason$. |
Cause | The event is generated when creation of a remote-user tunnel fails. |
Effect | None. |
Recovery | No recovery is necessary. |
tIPsecRUTnlRemoved
Property name | Value |
---|---|
Application name | IPSEC |
Event ID | 2013 |
Event name | tIPsecRUTnlRemoved |
SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.13 |
Default severity | minor |
Message format string | IPsec Remote-User tunnel $tIPsecNotifRUTnlInetAddress$:$tIPsecNotifRUTnlPort$ on SAP: $sapEncapValue$, service:$svcId$ was removed because $tIPsecNotifReason$. |
Cause | A tIPsecRUTnlRemoved notification is generated when a remote-user tunnel is removed under certain reasons, which are indicated by tIPsecNotifReason (e.g., failed to renew private address lease with DHCP server). |
Effect | The IPsec tunnel becomes operationally out of service. |
Recovery | N/A |
tIPSecTrustAnchorPrfOprChg
Property name | Value |
---|---|
Application name | IPSEC |
Event ID | 2005 |
Event name | tIPSecTrustAnchorPrfOprChg |
SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.5 |
Default severity | minor |
Message format string | $tIPsecTrustAnchorCAProfDown$ of the configured trust-anchors in profile $tIPsecTrustAnchorProfName$ are not operational |
Cause | The tIPSecTrustAnchorPrfOprChg notification is generated when not all of the trust-anchors in a profile are operational. |
Effect | Authentication of tunnels configured with the trust-anchor-profile will fail if the trusted CA (Certificate Authority) in the certificate chain is not operational. |
Recovery | Bring the trusted CA-profile operational up. |
tIPsecTunnelEncapIpMtuTooSmall
Property name | Value |
---|---|
Application name | IPSEC |
Event ID | 2006 |
Event name | tIPsecTunnelEncapIpMtuTooSmall |
SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.6 |
Default severity | warning |
Message format string | Addition of tunnel encapsulation at IPsec static tunnel $tIPsecNotifIPsecTunnelName$ on SAP:$sapEncapValue$, service: $svcId$ with configured MTU of $tIPsecNotifConfigIpMtu$, having encapsulated MTU of $tIPsecNotifConfigEncapIpMtu$ has an overhead of $tIPsecNotifEncapOverhead$ |
Cause | The tIPsecTunnelEncapIpMtuTooSmall notification is generated when the addition of tunnel encapsulation to a packet at or near the IPsec static tunnel's configured IP MTU may cause it to exceed the tunnel's configured encapsulated IP MTU. |
Effect | The pre-encapsulated packet may be fragmented, and will require reassembly by the tunnel remote endpoint, causing a performance impact. |
Recovery | Configured IP MTU and/or encapsulated IP MTU may need to be changed depending on the size of the encapsulation overhead as indicated in 'tIPsecNotifEncapOverhead', and the transmission capabilities of the tunnel's transport network. |
tIPsecTunnelProtocolFailed
Property name | Value |
---|---|
Application name | IPSEC |
Event ID | 2014 |
Event name | tIPsecTunnelProtocolFailed |
SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.14 |
Default severity | minor |
Message format string | IPsec tunnel $tIPsecNotifTunnelIdentifier$ of type $tIPsecNotifTunnelType$ had an abnormal protocol event due to $tIPsecNotifReason$. |
Cause |
A tIPsecTunnelProtocolFailed notification is generated when a whenever there is abnormal event from protocol perspective to the tunnel, which are indicated by tIPsecNotifReason (e.g., tunnel encounters a dpd-timeout, or no-proposal-chosen during rekey, etc). |
Effect | These abnormal events don't always necessarily cause the tunnel to change its operational-status or to be removed. |
Recovery | Please refer to operational-flags of the tunnel for more information. |
tmnxIPsecGWOperStateChange
Property name | Value |
---|---|
Application name | IPSEC |
Event ID | 2012 |
Event name | tmnxIPsecGWOperStateChange |
SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.12 |
Default severity | minor |
Message format string | Operational state change for IPsec Gateway $tmnxIPsecGWName$ on service $svcId$ and SAP $sapEncapValue$, admin state: $tmnxIPsecGWAdminState$, oper state: $tmnxIPsecGWOperState$, oper flags: $tmnxIPsecGWOperFlags$ |
Cause |
The tmnxIPsecGWOperStateChange notification is generated when there is a state change in tmnxIPsecGWOperState for an IPsec gateway. |
Effect | When the value of tmnxIPsecGWOperState is 'outOfService (3)', the IPsec gateway is operationally down and it is not ready to negotiate IKE sessions with remote clients. When the value of tmnxIPsecGWOperState is 'inService (2)', the IPsec gateway is operationally up. When the value of tmnxIPsecGWOperState is 'limited (5)', the IPsec gateway is not fully operationally up due to the conditions indicated in tmnxIPsecTunnelOperFlags and can only negotiate limited new IKE sessions. |
Recovery | Please refer to tmnxIPsecGWOperFlags for information on why the gateway is operationally down. |
tmnxIPsecTunnelOperStateChange
Property name | Value |
---|---|
Application name | IPSEC |
Event ID | 2011 |
Event name | tmnxIPsecTunnelOperStateChange |
SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.11 |
Default severity | minor |
Message format string | Operational state change for IPsec Tunnel $tmnxIPsecTunnelName$ on service $svcId$ and SAP $sapEncapValue$, admin state: $tmnxIPsecTunnelAdminState$, oper state: $tmnxIPsecTunnelOperState$, oper flags: $tmnxIPsecTunnelOperFlags$ |
Cause |
The tmnxIPsecTunnelOperStateChange notification is generated when there is a change in tmnxIPsecTunnelOperState for an IPsec tunnel. |
Effect | When the value of tmnxIPsecTunnelOperState is 'outOfService (3)', the IPsec tunnel is operationally down and traffic arriving at the tunnel endpoints will not be encapsulated and transported. When the value of tmnxIPsecTunnelOperState is 'inService (2)', the IPsec tunnel is operationally up. When the value of tmnxIPsecGWOperState is 'limited (5)', the IPsec tunnel is operationally up but may not be ready to re-establish the connection until the conditions indicated in the tmnxIPsecTunnelOperFlags are cleared. |
Recovery | Please refer to tmnxIPsecTunnelOperFlags for information on why the tunnel is operationally down. |
tmnxSecNotifCmptedCertChnChngd
Property name | Value |
---|---|
Application name | IPSEC |
Event ID | 2009 |
Event name | tmnxSecNotifCmptedCertChnChngd |
SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.9 |
Default severity | minor |
Message format string | Certificate chain changed to $tIPsecNotifCaProfNames$ in cert-profile $tIPsecNotifCertProfileName$ entry $tIPsecNotifCertProfEntryId$ |
Cause |
The tmnxSecNotifCmptedCertChnChngd notification is generated when a computed certificate chain is changed due to a dependent CA profile being changed and brought into service. |
Effect | The hash of the recomputed certificate chain, if changed, will be used for choosing cert-profile entry during new IPsec tunnel establishment. |
Recovery | If the changed CA certificate is used as a trust-anchor at the peer, then the certificate should be updated at the peer as well to ensure correct cert-profile entry selection. |
tmnxSecNotifCmptedCertHashChngd
Property name | Value |
---|---|
Application name | IPSEC |
Event ID | 2008 |
Event name | tmnxSecNotifCmptedCertHashChngd |
SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.8 |
Default severity | minor |
Message format string | Hash of certificate chain changed in cert-profile $tIPsecNotifCertProfileName$ entry $tIPsecNotifCertProfEntryId$ due to CA profile $tIPsecNotifCaProfNames$ |
Cause |
The tmnxSecNotifCmptedCertHashChngd notification is generated when the hash of a certificate chain is changed. |
Effect | The hash of the recomputed certificate chain will be used for choosing cert-profile entry during new IPsec tunnel establishment. |
Recovery | If the changed CA certificate is used as a trust-anchor at the peer, then the certificate should be updated at the peer as well to ensure correct cert-profile entry selection. |
tmnxSecNotifSendChnNotInCmptChn
Property name | Value |
---|---|
Application name | IPSEC |
Event ID | 2010 |
Event name | tmnxSecNotifSendChnNotInCmptChn |
SNMP notification prefix and OID | TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.10 |
Default severity | minor |
Message format string | Send-chain CA profile $tIPsecNotifCaProfNames$ not in the computed certificate chain of cert-profile $tIPsecNotifCertProfileName$ entry $tIPsecNotifCertProfEntryId$ |
Cause | The tmnxSecNotifSendChnNotInCmptChn notification is generated when a CA profile not belonging to the computed certificate chain is added to the send-chain of a cert-profile entry, or the certificate chain is changed such that a CA-profile in the send-chain is no longer a member of the chain. |
Effect | The CA certificate(s) to be sent to the peer is not a member of the certificate chain that is requested by the peer for new IPsec tunnel establishment. |
Recovery | Replace the send-chain CA profile that is not in the certificate chain with one that is. |