Home
Monitor and troubleshoot
Documents under this category provide information about monitoring, diagnosing, and troubleshooting router issues.
Log Events Guide
This guide provides information about log events.
IPSEC

Monitor and troubleshoot
Documents under this category provide information about monitoring, diagnosing, and troubleshooting router issues.
- Log Events Guide
  This guide provides information about log events.
- OAM and Diagnostics Guide
  This guide describes how to configure features such as service mirroring and Lawful Intercept (LI), and how to use the Operations, Administration, and Maintenance (OAM) and diagnostics tools.
- 7450 and 7750 Troubleshooting Guide
- 7950 Troubleshooting Guide
- Log Events Lookup Tool
  A searchable HTML list of the SR OS events.

IPSEC

tIPsecBfdIntfSessStateChgd

Table 1. tIPsecBfdIntfSessStateChgd properties
Property name	Value
Application name	IPSEC
Event ID	2003
Event name	tIPsecBfdIntfSessStateChgd
SNMP notification prefix and OID	TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.3
Default severity	minor
Message format string	BFD session on service $tIPsecNotifBfdIntfSvcId$ interface $tIPsecNotifBfdIntfIfName$ to peer $tIPsecNotifBfdIntfDestIp$ changed state to $tIPsecNotifBfdIntfSessState$.
Cause	The operational state of a BFD session of the IPsec instance changed.
Effect	None.
Recovery	No recovery is necessary.

tIPsecRadAcctPlcyFailure

Table 2. tIPsecRadAcctPlcyFailure properties
Property name	Value
Application name	IPSEC
Event ID	2004
Event name	tIPsecRadAcctPlcyFailure
SNMP notification prefix and OID	TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.4
Default severity	minor
Message format string	Failed to send RADIUS accounting request for policy $tIPsecRadAcctPlcyName$ due to: $tIPsecRadAcctPlcyFailReason$
Cause	The tIPsecRadAcctPlcyFail notification is generated when a RADIUS accounting request was not sent out successfully to any of the RADIUS servers in the indicated accounting policy.
Effect	The RADIUS server may not receive the accounting information.
Recovery	Depending on the reason indicated as per 'tIPsecRadAcctPlcyFailReason', 'tIPsecRadAcctPlcyTable' configuration may need to be changed.

tIPsecRUSAFailToAddRoute

Table 3. tIPsecRUSAFailToAddRoute properties
Property name	Value
Application name	IPSEC
Event ID	2002
Event name	tIPsecRUSAFailToAddRoute
SNMP notification prefix and OID	TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.2
Default severity	warning
Message format string	IPsec Remote-User tunnel $tIPsecRUTnlInetAddress$:$tIPsecRUTnlPort$ failed to add route to $tIPsecRUSARemAddr$/$tIPsecRUSARemAPrefLen$ because $tIPsecNotifReason$.
Cause	The event is generated when creation of a remote-user tunnel fails.
Effect	None.
Recovery	No recovery is necessary.

tIPsecRuTnlEncapIpMtuTooSmall

Table 4. tIPsecRuTnlEncapIpMtuTooSmall properties
Property name	Value
Application name	IPSEC
Event ID	2007
Event name	tIPsecRuTnlEncapIpMtuTooSmall
SNMP notification prefix and OID	TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.7
Default severity	warning
Message format string	Addition of tunnel encapsulation at IPsec remote user tunnel on SAP: $sapEncapValue$, service:$svcId$ for IP address $tIPsecNotifRUTnlInetAddress$: $tIPsecNotifRUTnlPort$ with configured MTU of $tIPsecNotifConfigIpMtu$, having encapsulated MTU of $tIPsecNotifConfigEncapIpMtu$ has an overhead of $tIPsecNotifEncapOverhead$.
Cause	The tIPsecRuTnlEncapIpMtuTooSmall notification is generated when the addition of tunnel encapsulation to a packet at or near the IPsec remote user tunnel's configured IP MTU may cause it to exceed the tunnel's configured encapsulated IP MTU.
Effect	The pre-encapsulated packet may be fragmented, and will require reassembly by the tunnel remote endpoint, causing a performance impact.
Recovery	Configured IP MTU and/or encapsulated IP MTU may need to be changed depending on the size of the encapsulation overhead as indicated in 'tIPsecNotifEncapOverhead', and the transmission capabilities of the tunnel's transport network.

tIPsecRUTnlFailToCreate

Table 5. tIPsecRUTnlFailToCreate properties
Property name	Value
Application name	IPSEC
Event ID	2001
Event name	tIPsecRUTnlFailToCreate
SNMP notification prefix and OID	TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.1
Default severity	warning
Message format string	Creation of an IPsec Remote-User tunnel $tIPsecNotifRUTnlInetAddress$:$tIPsecNotifRUTnlPort$ on SAP: $sapEncapValue$, service:$svcId$ failed because $tIPsecNotifReason$.
Cause	The event is generated when creation of a remote-user tunnel fails.
Effect	None.
Recovery	No recovery is necessary.

tIPsecRUTnlRemoved

Table 6. tIPsecRUTnlRemoved properties
Property name	Value
Application name	IPSEC
Event ID	2013
Event name	tIPsecRUTnlRemoved
SNMP notification prefix and OID	TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.13
Default severity	minor
Message format string	IPsec Remote-User tunnel $tIPsecNotifRUTnlInetAddress$:$tIPsecNotifRUTnlPort$ on SAP: $sapEncapValue$, service:$svcId$ was removed because $tIPsecNotifReason$.
Cause	A tIPsecRUTnlRemoved notification is generated when a remote-user tunnel is removed under certain reasons, which are indicated by tIPsecNotifReason (e.g., failed to renew private address lease with DHCP server).
Effect	The IPsec tunnel becomes operationally out of service.
Recovery	N/A

tIPSecTrustAnchorPrfOprChg

Table 7. tIPSecTrustAnchorPrfOprChg properties
Property name	Value
Application name	IPSEC
Event ID	2005
Event name	tIPSecTrustAnchorPrfOprChg
SNMP notification prefix and OID	TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.5
Default severity	minor
Message format string	$tIPsecTrustAnchorCAProfDown$ of the configured trust-anchors in profile $tIPsecTrustAnchorProfName$ are not operational
Cause	The tIPSecTrustAnchorPrfOprChg notification is generated when not all of the trust-anchors in a profile are operational.
Effect	Authentication of tunnels configured with the trust-anchor-profile will fail if the trusted CA (Certificate Authority) in the certificate chain is not operational.
Recovery	Bring the trusted CA-profile operational up.

tIPsecTunnelEncapIpMtuTooSmall

Table 8. tIPsecTunnelEncapIpMtuTooSmall properties
Property name	Value
Application name	IPSEC
Event ID	2006
Event name	tIPsecTunnelEncapIpMtuTooSmall
SNMP notification prefix and OID	TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.6
Default severity	warning
Message format string	Addition of tunnel encapsulation at IPsec static tunnel $tIPsecNotifIPsecTunnelName$ on SAP:$sapEncapValue$, service: $svcId$ with configured MTU of $tIPsecNotifConfigIpMtu$, having encapsulated MTU of $tIPsecNotifConfigEncapIpMtu$ has an overhead of $tIPsecNotifEncapOverhead$
Cause	The tIPsecTunnelEncapIpMtuTooSmall notification is generated when the addition of tunnel encapsulation to a packet at or near the IPsec static tunnel's configured IP MTU may cause it to exceed the tunnel's configured encapsulated IP MTU.
Effect	The pre-encapsulated packet may be fragmented, and will require reassembly by the tunnel remote endpoint, causing a performance impact.
Recovery	Configured IP MTU and/or encapsulated IP MTU may need to be changed depending on the size of the encapsulation overhead as indicated in 'tIPsecNotifEncapOverhead', and the transmission capabilities of the tunnel's transport network.

tIPsecTunnelProtocolFailed

Table 9. tIPsecTunnelProtocolFailed properties
Property name	Value
Application name	IPSEC
Event ID	2014
Event name	tIPsecTunnelProtocolFailed
SNMP notification prefix and OID	TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.14
Default severity	minor
Message format string	IPsec tunnel $tIPsecNotifTunnelIdentifier$ of type $tIPsecNotifTunnelType$ had an abnormal protocol event due to $tIPsecNotifReason$.
Cause	A tIPsecTunnelProtocolFailed notification is generated when a whenever there is abnormal event from protocol perspective to the tunnel, which are indicated by tIPsecNotifReason (e.g., tunnel encounters a dpd-timeout, or no-proposal-chosen during rekey, etc).
Effect	These abnormal events don't always necessarily cause the tunnel to change its operational-status or to be removed.
Recovery	Please refer to operational-flags of the tunnel for more information.

tmnxIPsecGWOperStateChange

Table 10. tmnxIPsecGWOperStateChange properties
Property name	Value
Application name	IPSEC
Event ID	2012
Event name	tmnxIPsecGWOperStateChange
SNMP notification prefix and OID	TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.12
Default severity	minor
Message format string	Operational state change for IPsec Gateway $tmnxIPsecGWName$ on service $svcId$ and SAP $sapEncapValue$, admin state: $tmnxIPsecGWAdminState$, oper state: $tmnxIPsecGWOperState$, oper flags: $tmnxIPsecGWOperFlags$
Cause	The tmnxIPsecGWOperStateChange notification is generated when there is a state change in tmnxIPsecGWOperState for an IPsec gateway.
Effect	When the value of tmnxIPsecGWOperState is 'outOfService (3)', the IPsec gateway is operationally down and it is not ready to negotiate IKE sessions with remote clients. When the value of tmnxIPsecGWOperState is 'inService (2)', the IPsec gateway is operationally up. When the value of tmnxIPsecGWOperState is 'limited (5)', the IPsec gateway is not fully operationally up due to the conditions indicated in tmnxIPsecTunnelOperFlags and can only negotiate limited new IKE sessions.
Recovery	Please refer to tmnxIPsecGWOperFlags for information on why the gateway is operationally down.

tmnxIPsecTunnelOperStateChange

Table 11. tmnxIPsecTunnelOperStateChange properties
Property name	Value
Application name	IPSEC
Event ID	2011
Event name	tmnxIPsecTunnelOperStateChange
SNMP notification prefix and OID	TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.11
Default severity	minor
Message format string	Operational state change for IPsec Tunnel $tmnxIPsecTunnelName$ on service $svcId$ and SAP $sapEncapValue$, admin state: $tmnxIPsecTunnelAdminState$, oper state: $tmnxIPsecTunnelOperState$, oper flags: $tmnxIPsecTunnelOperFlags$
Cause	The tmnxIPsecTunnelOperStateChange notification is generated when there is a change in tmnxIPsecTunnelOperState for an IPsec tunnel.
Effect	When the value of tmnxIPsecTunnelOperState is 'outOfService (3)', the IPsec tunnel is operationally down and traffic arriving at the tunnel endpoints will not be encapsulated and transported. When the value of tmnxIPsecTunnelOperState is 'inService (2)', the IPsec tunnel is operationally up. When the value of tmnxIPsecGWOperState is 'limited (5)', the IPsec tunnel is operationally up but may not be ready to re-establish the connection until the conditions indicated in the tmnxIPsecTunnelOperFlags are cleared.
Recovery	Please refer to tmnxIPsecTunnelOperFlags for information on why the tunnel is operationally down.

tmnxSecNotifCmptedCertChnChngd

Table 12. tmnxSecNotifCmptedCertChnChngd properties
Property name	Value
Application name	IPSEC
Event ID	2009
Event name	tmnxSecNotifCmptedCertChnChngd
SNMP notification prefix and OID	TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.9
Default severity	minor
Message format string	Certificate chain changed to $tIPsecNotifCaProfNames$ in cert-profile $tIPsecNotifCertProfileName$ entry $tIPsecNotifCertProfEntryId$
Cause	The tmnxSecNotifCmptedCertChnChngd notification is generated when a computed certificate chain is changed due to a dependent CA profile being changed and brought into service.
Effect	The hash of the recomputed certificate chain, if changed, will be used for choosing cert-profile entry during new IPsec tunnel establishment.
Recovery	If the changed CA certificate is used as a trust-anchor at the peer, then the certificate should be updated at the peer as well to ensure correct cert-profile entry selection.

tmnxSecNotifCmptedCertHashChngd

Table 13. tmnxSecNotifCmptedCertHashChngd properties
Property name	Value
Application name	IPSEC
Event ID	2008
Event name	tmnxSecNotifCmptedCertHashChngd
SNMP notification prefix and OID	TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.8
Default severity	minor
Message format string	Hash of certificate chain changed in cert-profile $tIPsecNotifCertProfileName$ entry $tIPsecNotifCertProfEntryId$ due to CA profile $tIPsecNotifCaProfNames$
Cause	The tmnxSecNotifCmptedCertHashChngd notification is generated when the hash of a certificate chain is changed.
Effect	The hash of the recomputed certificate chain will be used for choosing cert-profile entry during new IPsec tunnel establishment.
Recovery	If the changed CA certificate is used as a trust-anchor at the peer, then the certificate should be updated at the peer as well to ensure correct cert-profile entry selection.

tmnxSecNotifSendChnNotInCmptChn

Table 14. tmnxSecNotifSendChnNotInCmptChn properties
Property name	Value
Application name	IPSEC
Event ID	2010
Event name	tmnxSecNotifSendChnNotInCmptChn
SNMP notification prefix and OID	TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.10
Default severity	minor
Message format string	Send-chain CA profile $tIPsecNotifCaProfNames$ not in the computed certificate chain of cert-profile $tIPsecNotifCertProfileName$ entry $tIPsecNotifCertProfEntryId$
Cause	The tmnxSecNotifSendChnNotInCmptChn notification is generated when a CA profile not belonging to the computed certificate chain is added to the send-chain of a cert-profile entry, or the certificate chain is changed such that a CA-profile in the send-chain is no longer a member of the chain.
Effect	The CA certificate(s) to be sent to the peer is not a member of the certificate chain that is requested by the peer for new IPsec tunnel establishment.
Recovery	Replace the send-chain CA profile that is not in the certificate chain with one that is.