IPSEC

tIPsecBfdIntfSessStateChgd

Table 1. tIPsecBfdIntfSessStateChgd properties

Property name

Value

Application name

IPSEC

Event ID

2003

Event name

tIPsecBfdIntfSessStateChgd

SNMP notification prefix and OID

TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.3

Default severity

minor

Source stream

main

Message format string

BFD session on service $tIPsecNotifBfdIntfSvcId$ interface $tIPsecNotifBfdIntfIfName$ to peer $tIPsecNotifBfdIntfDestIp$ changed state to $tIPsecNotifBfdIntfSessState$.

Cause

The operational state of a BFD session of the IPsec instance changed.

Effect

None.

Recovery

No recovery is necessary.

tIPsecRadAcctPlcyFailure

Table 2. tIPsecRadAcctPlcyFailure properties

Property name

Value

Application name

IPSEC

Event ID

2004

Event name

tIPsecRadAcctPlcyFailure

SNMP notification prefix and OID

TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.4

Default severity

minor

Source stream

main

Message format string

Failed to send RADIUS accounting request for policy $tIPsecRadAcctPlcyName$ due to: $tIPsecRadAcctPlcyFailReason$

Cause

The tIPsecRadAcctPlcyFailure notification is generated when a RADIUS accounting request could not be sent successfully to any of the RADIUS servers in the indicated accounting policy.

Effect

The RADIUS server may not receive the accounting information.

Recovery

Depending on the reason indicated by 'tIPsecRadAcctPlcyFailReason', the 'tIPsecRadAcctPlcyTable' configuration may need to be changed.

tIPsecRUSAFailToAddRoute

Table 3. tIPsecRUSAFailToAddRoute properties

Property name

Value

Application name

IPSEC

Event ID

2002

Event name

tIPsecRUSAFailToAddRoute

SNMP notification prefix and OID

TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.2

Default severity

warning

Source stream

main

Message format string

IPsec Remote-User tunnel $tIPsecRUTnlInetAddress$:$tIPsecRUTnlPort$ failed to add route to $tIPsecRUSARemAddr$/$tIPsecRUSARemAPrefLen$ because $tIPsecNotifReason$.

Cause

The event is generated when creation of a remote-user tunnel fails.

Effect

None.

Recovery

No recovery is necessary.

tIPsecRuTnlEncapIpMtuTooSmall

Table 4. tIPsecRuTnlEncapIpMtuTooSmall properties

Property name

Value

Application name

IPSEC

Event ID

2007

Event name

tIPsecRuTnlEncapIpMtuTooSmall

SNMP notification prefix and OID

TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.7

Default severity

warning

Source stream

main

Message format string

Addition of tunnel encapsulation at IPsec remote user tunnel on SAP: $sapEncapValue$, service:$svcId$ for IP address $tIPsecNotifRUTnlInetAddress$:$tIPsecNotifRUTnlPort$ with configured MTU of $tIPsecNotifConfigIpMtu$, having encapsulated MTU of $tIPsecNotifConfigEncapIpMtu$ has an overhead of $tIPsecNotifEncapOverhead$.

Cause

The tIPsecRuTnlEncapIpMtuTooSmall notification is generated when the addition of tunnel encapsulation to a packet at or near the IPsec remote user tunnel's configured IP MTU may cause it to exceed the tunnel's configured encapsulated IP MTU.

Effect

The pre-encapsulated packet may be fragmented, and will require reassembly by the tunnel remote endpoint, causing a performance impact.

Recovery

Configured IP MTU and/or encapsulated IP MTU may need to be changed depending on the size of the encapsulation overhead as indicated in 'tIPsecNotifEncapOverhead', and the transmission capabilities of the tunnel's transport network.

tIPsecRUTnlFailToCreate

Table 5. tIPsecRUTnlFailToCreate properties

Property name

Value

Application name

IPSEC

Event ID

2001

Event name

tIPsecRUTnlFailToCreate

SNMP notification prefix and OID

TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.1

Default severity

warning

Source stream

main

Message format string

Creation of an IPsec Remote-User tunnel $tIPsecNotifRUTnlInetAddress$: $tIPsecNotifRUTnlPort$ on SAP:$sapEncapValue$, service:$svcId$ failed because $tIPsecNotifReason$.

Cause

The event is generated when creation of a remote-user tunnel fails.

Effect

None.

Recovery

No recovery is necessary.

tIPsecRUTnlRemoved

Table 6. tIPsecRUTnlRemoved properties

Property name

Value

Application name

IPSEC

Event ID

2013

Event name

tIPsecRUTnlRemoved

SNMP notification prefix and OID

TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.13

Default severity

minor

Source stream

main

Message format string

IPsec Remote-User tunnel $tIPsecNotifRUTnlInetAddress$:$tIPsecNotifRUTnlPort$ on SAP: $sapEncapValue$, service:$svcId$ was removed because $tIPsecNotifReason$.

Cause

A tIPsecRUTnlRemoved notification is generated when a remote-user tunnel is removed for one of the reasons indicated by tIPsecNotifReason (for example, failure to renew the private address lease with the DHCP server).

Effect

The IPsec tunnel becomes operationally out of service.

Recovery

N/A

tIPSecTrustAnchorPrfOprChg

Table 7. tIPSecTrustAnchorPrfOprChg properties

Property name

Value

Application name

IPSEC

Event ID

2005

Event name

tIPSecTrustAnchorPrfOprChg

SNMP notification prefix and OID

TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.5

Default severity

minor

Source stream

main

Message format string

$tIPsecTrustAnchorCAProfDown$ of the configured trust-anchors in profile $tIPsecTrustAnchorProfName$ are not operational

Cause

The tIPSecTrustAnchorPrfOprChg notification is generated when not all of the trust-anchors in a profile are operational.

Effect

Authentication of tunnels configured with the trust-anchor-profile will fail if the trusted CA (Certificate Authority) in the certificate chain is not operational.

Recovery

Bring the trusted CA profile operationally up.

tIPsecTunnelEncapIpMtuTooSmall

Table 8. tIPsecTunnelEncapIpMtuTooSmall properties

Property name

Value

Application name

IPSEC

Event ID

2006

Event name

tIPsecTunnelEncapIpMtuTooSmall

SNMP notification prefix and OID

TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.6

Default severity

warning

Source stream

main

Message format string

Addition of tunnel encapsulation at IPsec static tunnel $tIPsecNotifIPsecTunnelName$ on SAP: $sapEncapValue$, service:$svcId$ with configured MTU of $tIPsecNotifConfigIpMtu$, having encapsulated MTU of $tIPsecNotifConfigEncapIpMtu$ has an overhead of $tIPsecNotifEncapOverhead$

Cause

The tIPsecTunnelEncapIpMtuTooSmall notification is generated when the addition of tunnel encapsulation to a packet at or near the IPsec static tunnel's configured IP MTU may cause it to exceed the tunnel's configured encapsulated IP MTU.

Effect

The pre-encapsulated packet may be fragmented, and will require reassembly by the tunnel remote endpoint, causing a performance impact.

Recovery

Configured IP MTU and/or encapsulated IP MTU may need to be changed depending on the size of the encapsulation overhead as indicated in 'tIPsecNotifEncapOverhead', and the transmission capabilities of the tunnel's transport network.

tIPsecTunnelProtocolFailed

Table 9. tIPsecTunnelProtocolFailed properties

Property name

Value

Application name

IPSEC

Event ID

2014

Event name

tIPsecTunnelProtocolFailed

SNMP notification prefix and OID

TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.14

Default severity

minor

Source stream

main

Message format string

IPsec tunnel $tIPsecNotifTunnelIdentifier$ of type $tIPsecNotifTunnelType$ had an abnormal protocol event due to $tIPsecNotifReason$.

Cause

A tIPsecTunnelProtocolFailed notification is generated whenever the tunnel experiences an abnormal event from a protocol perspective; the event is indicated by tIPsecNotifReason (for example, the tunnel encounters a dpd-timeout, or no-proposal-chosen during rekey).

Effect

These abnormal events do not necessarily cause the tunnel to change its operational status or to be removed.

Recovery

Please refer to operational-flags of the tunnel for more information.

tmnxIPsecGWOperStateChange

Table 10. tmnxIPsecGWOperStateChange properties

Property name

Value

Application name

IPSEC

Event ID

2012

Event name

tmnxIPsecGWOperStateChange

SNMP notification prefix and OID

TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.12

Default severity

minor

Source stream

main

Message format string

Operational state change for IPsec Gateway $tmnxIPsecGWName$ on service $svcId$ and SAP $sapEncapValue$, admin state: $tmnxIPsecGWAdminState$, oper state: $tmnxIPsecGWOperState$, oper flags: $tmnxIPsecGWOperFlags$

Cause

The tmnxIPsecGWOperStateChange notification is generated when there is a state change in tmnxIPsecGWOperState for an IPsec gateway.

Effect

When the value of tmnxIPsecGWOperState is 'outOfService (3)', the IPsec gateway is operationally down and it is not ready to negotiate IKE sessions with remote clients. When the value of tmnxIPsecGWOperState is 'inService (2)', the IPsec gateway is operationally up. When the value of tmnxIPsecGWOperState is 'limited (5)', the IPsec gateway is not fully operationally up due to the conditions indicated in tmnxIPsecTunnelOperFlags and can only negotiate limited new IKE sessions.

Recovery

Please refer to tmnxIPsecGWOperFlags for information on why the gateway is operationally down.

tmnxIPsecTunnelOperStateChange

Table 11. tmnxIPsecTunnelOperStateChange properties

Property name

Value

Application name

IPSEC

Event ID

2011

Event name

tmnxIPsecTunnelOperStateChange

SNMP notification prefix and OID

TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.11

Default severity

minor

Source stream

main

Message format string

Operational state change for IPsec Tunnel $tmnxIPsecTunnelName$ on service $svcId$ and SAP $sapEncapValue$, admin state: $tmnxIPsecTunnelAdminState$, oper state: $tmnxIPsecTunnelOperState$, oper flags: $tmnxIPsecTunnelOperFlags$

Cause

The tmnxIPsecTunnelOperStateChange notification is generated when there is a change in tmnxIPsecTunnelOperState for an IPsec tunnel.

Effect

When the value of tmnxIPsecTunnelOperState is 'outOfService (3)', the IPsec tunnel is operationally down and traffic arriving at the tunnel endpoints will not be encapsulated and transported. When the value of tmnxIPsecTunnelOperState is 'inService (2)', the IPsec tunnel is operationally up. When the value of tmnxIPsecGWOperState is 'limited (5)', the IPsec tunnel is operationally up but may not be ready to re-establish the connection until the conditions indicated in the tmnxIPsecTunnelOperFlags are cleared.

Recovery

Please refer to tmnxIPsecTunnelOperFlags for information on why the tunnel is operationally down.

tmnxSecNotifCmptedCertChnChngd

Table 12. tmnxSecNotifCmptedCertChnChngd properties

Property name

Value

Application name

IPSEC

Event ID

2009

Event name

tmnxSecNotifCmptedCertChnChngd

SNMP notification prefix and OID

TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.9

Default severity

minor

Source stream

security

Message format string

Certificate chain changed to $tIPsecNotifCaProfNames$ in cert-profile $tIPsecNotifCertProfileName$ entry $tIPsecNotifCertProfEntryId$

Cause

The tmnxSecNotifCmptedCertChnChngd notification is generated when a computed certificate chain is changed due to a dependent CA profile being changed and brought into service.

Effect

The hash of the recomputed certificate chain, if changed, will be used for choosing the cert-profile entry during new IPsec tunnel establishment.

Recovery

If the changed CA certificate is used as a trust-anchor at the peer, then the certificate should be updated at the peer as well to ensure correct cert-profile entry selection.

tmnxSecNotifCmptedCertHashChngd

Table 13. tmnxSecNotifCmptedCertHashChngd properties

Property name

Value

Application name

IPSEC

Event ID

2008

Event name

tmnxSecNotifCmptedCertHashChngd

SNMP notification prefix and OID

TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.8

Default severity

minor

Source stream

security

Message format string

Hash of certificate chain changed in cert-profile $tIPsecNotifCertProfileName$ entry $tIPsecNotifCertProfEntryId$ due to CA profile $tIPsecNotifCaProfNames$

Cause

The tmnxSecNotifCmptedCertHashChngd notification is generated when the hash of a certificate chain is changed.

Effect

The hash of the recomputed certificate chain will be used for choosing the cert-profile entry during new IPsec tunnel establishment.

Recovery

If the changed CA certificate is used as a trust-anchor at the peer, then the certificate should be updated at the peer as well to ensure correct cert-profile entry selection.

tmnxSecNotifSendChnNotInCmptChn

Table 14. tmnxSecNotifSendChnNotInCmptChn properties

Property name

Value

Application name

IPSEC

Event ID

2010

Event name

tmnxSecNotifSendChnNotInCmptChn

SNMP notification prefix and OID

TIMETRA-IPSEC-MIB.tmnxIPsecNotifications.10

Default severity

minor

Source stream

security

Message format string

Send-chain CA profile $tIPsecNotifCaProfNames$ not in the computed certificate chain of cert-profile $tIPsecNotifCertProfileName$ entry $tIPsecNotifCertProfEntryId$

Cause

The tmnxSecNotifSendChnNotInCmptChn notification is generated when a CA profile not belonging to the computed certificate chain is added to the send-chain of a cert-profile entry, or the certificate chain is changed such that a CA-profile in the send-chain is no longer a member of the chain.

Effect

The CA certificate(s) to be sent to the peer are not members of the certificate chain that is requested by the peer for new IPsec tunnel establishment.

Recovery

Replace the send-chain CA profile that is not in the certificate chain with one that is.
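The three security-stream events above (2008, 2009, 2010) share the same cert-profile variables, so their message format strings can be turned into parsers and correlated. The following is an added example, not part of the original reference or of any vendor tooling: it assumes events arrive as (event ID, message text) pairs, uses constructed sample messages and profile names, and the cause label it assigns to event 2010 is a heuristic based on the two causes listed for that event.

```python
import re

# Message format strings copied from the tables on this page, keyed by event ID.
FORMATS = {
    2008: "Hash of certificate chain changed in cert-profile $tIPsecNotifCertProfileName$ "
          "entry $tIPsecNotifCertProfEntryId$ due to CA profile $tIPsecNotifCaProfNames$",
    2009: "Certificate chain changed to $tIPsecNotifCaProfNames$ in cert-profile "
          "$tIPsecNotifCertProfileName$ entry $tIPsecNotifCertProfEntryId$",
    2010: "Send-chain CA profile $tIPsecNotifCaProfNames$ not in the computed certificate "
          "chain of cert-profile $tIPsecNotifCertProfileName$ entry $tIPsecNotifCertProfEntryId$",
}

def compile_format(fmt):
    """Build a regex from a $var$ format string: one named group per variable."""
    parts = re.split(r"\$(\w+)\$", fmt)  # literal text at even indexes, names at odd
    return re.compile("".join(
        f"(?P<{p}>.+?)" if i % 2 else re.escape(p) for i, p in enumerate(parts)))

PATTERNS = {eid: compile_format(fmt) for eid, fmt in FORMATS.items()}

def parse(event_id, message):
    """Return the variables of a known event as a dict, or None if it does not match."""
    pattern = PATTERNS.get(event_id)
    match = pattern.fullmatch(message.strip()) if pattern else None
    return match.groupdict() if match else None

def send_chain_mismatches(events):
    """Map (cert-profile, entry) -> (CA profile, likely cause) for each event 2010."""
    changed, result = set(), {}
    for event_id, message in events:
        fields = parse(event_id, message)
        if fields is None:
            continue  # unknown event ID or text that does not fit the format string
        key = (fields["tIPsecNotifCertProfileName"], fields["tIPsecNotifCertProfEntryId"])
        if event_id in (2008, 2009):
            changed.add(key)  # the computed chain (or its hash) changed for this entry
        else:  # 2010: heuristic choice between the two causes listed for the event
            cause = "chain changed" if key in changed else "send-chain edited"
            result[key] = (fields["tIPsecNotifCaProfNames"], cause)
    return result

# Constructed sample input: (event ID, message text); all profile names are made up.
EVENTS = [
    (2009, "Certificate chain changed to root-ca sub-ca-2 in cert-profile gw-certs entry 1"),
    (2010, "Send-chain CA profile sub-ca-1 not in the computed certificate chain of cert-profile gw-certs entry 1"),
    (2010, "Send-chain CA profile sub-ca-9 not in the computed certificate chain of cert-profile branch-certs entry 2"),
]
```

Entries reported with either cause need the Recovery action given for event 2010; the label only indicates where to look first.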