Explanation
A protocol error occurred during IKE message processing. The rsn field provides more information about the received message. Additional diagnostic messages that have the same message instance number will be issued to identify the impacted Security Association (SA). The message instance number precedes the message number in the log output and is used to group related messages from the IKE daemon.
phase is 1 or 2 indicating the phase of negotiation when the error occurred.
rsn is the reason code that provides additional information about the received message. Possible values are:
- 1: The first payload in the quick mode (phase 2) message was not a hash payload.
- 2: The second payload in message 1 or 2 of a quick mode (phase 2) exchange was not a Security Association payload.
- 3: A quick mode (phase 2) message was not encrypted.
- 4: The received message contained unexpected payloads or was missing payloads that are required by RFC 2409 (The Internet Key Exchange).
- 5: The received message did not contain the required number of NAT-OA payloads.
- 6: The received message contained too many NAT-OA payloads.
- 7: The received message utilized an unexpected port.
- 9: The message length indicated in the ISAKMP header of the message is too large.
- 10: The received message is missing a required key exchange, NONCE payload, or both.
- 11: The received message is missing a required ID payload.
- 12: The received message is missing a required hash or signature payload.
- 13: The received message contains Diffie-Hellman information that is too long.
- 17: The received message did not contain an expected certificate payload.
- 101: The received message is too short to be a valid ISAKMP message.
- 102: The received message is too large to buffer.
- 103: The received message contains a next payload field that is unrecognized.
- 104: The received message does not contain a valid ISAKMP major and minor version.
- 105: The received message's exchange type is not supported.
- 106: The received message contains no payloads.
- 107: The received message contains a payload that is shorter than the reported size.
- 108: The received message contains a payload that is longer than the reported size.
- 109: The received message contains a payload with no data.
- 110: The received message contains a payload that is not the correct payload size.
- 111: The received message contains an incorrect SPI size.
- 112: The received message contains non-zero data in a field that must be set to 0.
- 113: The received message contains an unsupported Domain Of Interpretation (doi) value.
- 114: The received message contains an unsupported situation value.
- 115: The received message contains an unsupported protocol value.
- 116: The received message contains an unsupported ID type value.
- 117: The received message contains an unsupported certificate type value.
- 118: The received phase 1 message 1 contains encrypted data.
- 120: The received message contains an SA payload without a required hash payload.
- 121: The received message contains non-SA payloads before the first SA payload.
- 122: The received message does not contain a proposal payload in the required order.
- 123: The received message does not contain a transform payload in the required order.
- 124: The received message contains an incorrect size for the ID type received.
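Several of the structural reason codes above can be reproduced offline against a captured IKEv1 message when working the problem with the remote endpoint's administrator. The Python sketch below is an added example, not IKE daemon code: the header and generic payload layouts follow RFC 2408, while the mapping of each check to an rsn value, the supported exchange types, the buffer limit and the names classify, build and payload are assumptions made for illustration.

```python
import struct

HDR_LEN = 28                                   # fixed ISAKMP header, RFC 2408 3.1
KNOWN_PAYLOADS = set(range(1, 14)) | {20, 21}  # RFC 2408 types plus NAT-D/NAT-OA (RFC 3947)
SUPPORTED_EXCHANGES = {2, 4, 5, 32}            # assumed: main, aggressive, informational, quick
MAX_BUFFER = 65535                             # assumed receive-buffer limit

def classify(msg: bytes):
    """Return the first rsn value (assumed mapping) the message would hit, else None."""
    if len(msg) < HDR_LEN:
        return 101
    if len(msg) > MAX_BUFFER:
        return 102
    nxt, version, exchange, flags, _msg_id, length = struct.unpack("!16xBBBBII", msg[:HDR_LEN])
    if version != 0x10:                        # IKEv1 only in this sketch: major 1, minor 0
        return 104
    if exchange not in SUPPORTED_EXCHANGES:
        return 105
    if length > len(msg):                      # header claims more bytes than were received
        return 9
    if nxt == 0:
        return 106
    if flags & 0x01:                           # encryption bit: chain is opaque without keys
        return None
    if exchange == 32:                         # quick mode must be encrypted
        return 3
    offset = HDR_LEN
    while nxt != 0:
        if nxt not in KNOWN_PAYLOADS:
            return 103
        if offset + 4 > length:                # no room for a generic payload header
            return 107
        following, reserved, plen = struct.unpack("!BBH", msg[offset:offset + 4])
        if reserved != 0:
            return 112
        if plen < 4:                           # smaller than its own header
            return 110
        if plen == 4:                          # header only, no data
            return 109
        if offset + plen > length:             # payload claims more bytes than remain
            return 107
        offset, nxt = offset + plen, following
    return None

def build(nxt, body=b"", version=0x10, exchange=2, flags=0, length=None):
    """Constructed sample message: zero cookies and message ID, caller-chosen header fields."""
    total = HDR_LEN + len(body) if length is None else length
    return struct.pack("!16xBBBBII", nxt, version, exchange, flags, 0, total) + body

def payload(following, data, reserved=0):
    """Constructed generic payload: next-payload, reserved byte, length, data."""
    return struct.pack("!BBH", following, reserved, 4 + len(data)) + data
```

For traffic captured on the NAT traversal port, strip the four-byte non-ESP marker before passing the datagram to classify.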
System action
The SA negotiation fails; IKE daemon processing continues.
Operator response
Contact the system programmer.
System programmer response
Notify the administrator of the remote security endpoint that a protocol error has occurred.
Module