
Troubleshooting VPN Errors

Novell Cool Solutions: Tip
By Amandeep Singh Sandhu


Posted: 28 Oct 2004
 

This article discusses over 45 of the most common VPN error messages seen by Novell BorderManager 3.8 users. These messages can be viewed in CSAUDIT or the NetWare Remote Manager module of the Novell BorderManager VPN server. In this article, each error message is listed with its possible causes and workarounds. If you find a VPN error message not included here, please contact: ssamandeep@novell.com

Other contributors to this article:

Umasankar Mukkara
Software Consultant
mumasankar@novell.com

Krishnan Srinivasan
Software Consultant
krsrinivasan@novell.com

Sridhara Jagannath
Software Consultant
sjagannath@novell.com

The modules with error messages listed are: IPSEC.MLC, VPNINF.MLC, VPTUNNEL.MLC, IKE.MLC, and AUTHGW.MLC.

2.1 IPSEC.MLC

Error 1: Inbound SA was not found, or Inbound SA was not found for the packet sent by ...

Possible Cause: SAs could be out of sync. For client-to-site connections, this can happen when a server is rebooted but is still getting encrypted packets from an older session.

*Workaround: Disconnect the client from the Monitoring page. If it is a site-to-site scenario, click Synchronize for the corresponding server in the Monitoring page.

Error 2: Packet discarded during policy checking.

Possible Cause: With third-party clients connected to the NBM server or in a third-party site-to-site setup, there may be a mismatch in configured traffic rules. The traffic rules need to match one-to-one at both the negotiating peers.

*Workaround: Check the configured traffic rules on both peers and correct them if they do not match one-to-one.

Error 3: Decryption failed, or
Decryption failed for the packet sent by ...

Possible Cause: In site-to-site setup SKIP mode, the security keys are out of sync.

*Workaround: Click Synchronize in NWAdmn for the relevant server.

Error 4: Failed initializing the key generator, or
Failed in initializing random generator.

Possible Cause: Bad NICI stack.

*Workaround: Check whether the current NICI version matches the required version. If it does not, install the correct NICI.

Error 5: Unknown security preference for encryption.

Possible Cause: This can happen in NBM 3.7 SKIP mode configuration because of a mismatch in the security preferences.

*Workaround: Change the security preferences in the NWAdmn VPN screen as per the log messages.

Error 6: Replayed ESP packet has been detected.

Possible Cause: This is a replay attack on the server and not an error.
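The message means the ESP anti-replay check fired. The sliding-window check below (RFC 4303, section 3.4.3) is an added illustration of how a receiver recognises a repeated sequence number; it is not BorderManager's code, and the window size and sequence numbers are assumptions chosen for the example.

```python
class AntiReplayWindow:
    """Sliding anti-replay window as described in RFC 4303 section 3.4.3.

    Tracks the highest ESP sequence number accepted and a bitmap of the
    last `size` sequence numbers, so a repeated sequence number (a replayed
    packet) can be recognised and discarded.
    """

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True if `seq` is new and advance the window; False if it
        is a replay or is too old to be tracked (the receiver drops it).

        A real receiver runs the check before ICV verification and applies
        the update only after the ICV succeeds; they are combined here.
        """
        if seq == 0:
            return False  # sequence number 0 is never valid in ESP
        if seq > self.highest:
            shift = seq - self.highest
            if shift < self.size:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1  # jumped past the whole window
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False  # older than the window: cannot verify, so reject
        if self.bitmap & (1 << offset):
            return False  # already seen: "Replayed ESP packet has been detected"
        self.bitmap |= 1 << offset
        return True


def classify_sequence(seqs, size: int = 64):
    """Feed a constructed list of ESP sequence numbers through one window and
    return those the receiver would log as replays (or drop as too old)."""
    window = AntiReplayWindow(size)
    return [s for s in seqs if not window.check_and_update(s)]
```

Out-of-order delivery inside the window (for example 100 followed by 50) is accepted, which is why the message is only logged for genuine duplicates or packets that fell behind the window.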

Error 7: ICV is not matched.

Possible Cause: IPsec network attack or a problem with the way packets are encrypted.

*Workaround: Verify that the peer follows the standard ESP protocol. Otherwise, the packets may be deliberately dropped as a flooding countermeasure.

2.2 VPNINF.MLC

Error 8: An unexpected TCP/IP packet timeout has occurred, or
TCP/IP send failed, or
Packet has not reached the peer.

Possible Cause: Congestion in the network is delaying the packets. Or, the peer could have abnormally terminated the connection while still transferring the packet.

*Workaround: Verify that the peer VPN server is up. If it is not, restart the server.

Error 9: Invalid message packet type received, or
An error occurred while reading file, or
Unable to read a file.

Possible Cause: Another thread is using the file or the file does not exist.

*Workaround: Verify that the following files exist and are not corrupt:

SYS:ETC\NLSP.CFG
SYS:ETC\IPWAN.CFG
SYS:ETC\TCPIP.CFG
SYS:ETC\GATEWAYS
SYS:ETC\NLSPSTAT.CFG

Repair or restore the files and then reboot.

Error 10: Reinitialize system failed to start processing commands.

Possible Cause: A previous Reinitialize System is not yet complete, or some configuration step in the previous Reinit has failed or is taking time.

*Workaround: Wait for it to finish, or run Reinitialize System again.

Error 11: Failed configuring VPN member.

Possible Cause: This could happen in the Master server during a configuration transfer in a Site-to-Site setup. The reasons could be:

  • The packet never reached its destination due to network congestion.
  • The peer has gone down.
  • A packet response from the slave is corrupted.

*Workaround: Wait for the next re-configuration, or synchronize from the iManager configuration page.

Error 12: Failed VPN member notifications. Will retry in ... minutes.

Possible Cause: Communication to one of the slaves in the site-to-site members' list failed while trying to transfer the configuration. The master will retry in N seconds. The reasons could be:

  • The packet never reached its destination due to network congestion.
  • The peer has gone down.
  • A packet response from the slave is corrupted.

*Workaround: Wait for the next re-configuration, or synchronize from the iManager configuration page.

Error 13: Accept Failed.

Possible Cause: The slave failed to accept an incoming TCP connect request.

*Workaround: Verify that the slave is up and that its filter configuration allows Port 213. Restart the slave if needed.

Error 14: Error adding VPN member to CSL database.

Possible Cause: The CSL_ApplInsertTarget failed to add a target into the CSL database, or CSL rejected an incoming call.

Error 15: Failure adding IP WAN target.

Possible Cause: The file write operation is failing, so the target cannot be written to the ipwan.cfg file. Or, the file does not exist while another thread is trying to hold it.

*Workaround: Delete the member and try to re-add it.

Note: The possible cause for errors 16-23 is that an authenticated user is not allowed to use the admin-configured Authentication or Traffic Rule. The details are given with each error. The general workaround for each of these errors is for the admin to grant proper access to the desired user.

Error 16: Find Issuer Name in Trusted Root List Failed.

Possible Cause: The Issuer Name in the certificate of the user is not present in the configured trusted root container.

Error 17: No Match in Trusted Master List.

Possible Cause: The peer certificate does not have a match in the configured Trusted Master List (Client-to-Site), or the Issuer Name does not match the configured Trusted Master Certificate Name.

Error 18: No Match in Member List.

Possible Cause: The Peer Subject name does not have a match in the Configured Member List.

Error 19: No Match on NDS Name.

Possible Cause: The Authentication Rule does not allow the User Name.

*Workaround: Check the authentication rule.

Error 20: No Match on CA Name.

Possible Cause: The Certificate Authority of the client certificate is not part of the configured Authentication rules.

*Workaround: Check the Authentication Rule for the Trusted CA.

Error 21: No Match in Client Authority List.

Possible Cause: See causes for error messages 16-18.

Error 22: Search on Auth Rule List Failed.

Possible Cause: See causes for error messages 16-20.

Error 23: Search on Traffic Rule List Failed.

Possible Cause: No configured Traffic Rule found for the user. That means the UserName (NMAS) does not match with the configured username, group or container, or that the certificate subject name (AltName) does not match the configured subject name.

2.3 VPTUNNEL.MLC

Error 24: Unable to register VPN MIB with SNMP.

Possible Cause: VPTunnel failed to register to the SNMP component.

*Workaround: Try 'stopvpn' and 'startvpn.' Also, check the SNMP component.

Error 25: Could not register with VPNINF.

Possible Cause: VPNINF is not loaded when VPTunnel loads.

*Workaround: Try 'stopvpn' and 'startvpn.'

Error 26: The CSL_CCAIncoming call failed.

Possible Cause: The CSL target is not in the CSL database (csl.dat).

*Workaround: See http://www.novell.com/documentation/nias41/index.html?page=/documentation/nias41/msgs_enu/data/a2qf011.html

Error 27: Remote IP address is incorrectly reachable through the VPTUNNEL.

Possible Cause: A routing loop has occurred: the same packet has reached the VPTunnel more than once. Either the RIP-propagated route information has caused this problem, or the route configuration is wrong.

*Workaround: Flush the routing table in tcpcon.

2.4 IKE.MLC

Error 28: No IKE proposal chosen.

Possible Cause: Policy mismatch in the main mode - there is a mismatch in an encryption algorithm or hash algorithm or authentication method.

*Workaround: Match the IKE proposals.

Error 29: No proposal chosen for quick mode.

Possible Cause: Policy mismatch in quick mode: there is a mismatch in an encryption algorithm, hash algorithm, or authentication method.

*Workaround: Match the IPsec proposals.

Error 30: Peer requests PFS but the PFS is not configured.

Possible Cause: Peer server is configured with PFS but BorderManager is not configured for PFS.

*Workaround: Match the PFS in both the servers. PFS is located at the iManager VPN server configuration.

Error 31: Peer certificate date is invalid.

Possible Cause: The certificate's expiration date is earlier than the present date, or the certificate expires within the IKE key lifetime (i.e., 8 hrs).

Error 32: Certificate authentication failure.

Possible Cause: The certificate has an invalid signature.

Error 33: The main mode's ID does not match with certificate subjects.

Possible Cause: This happens only with third-party servers or clients.

*Workaround: Configure the third party server/client to send the certificate subject name in the ID payload.

Error 34: C2S Service is not enabled or Peer Server certificate SubjectName doesn't match, in S2S Connection.

Possible Cause: If the peer is a client, client-to-site is not enabled. If the peer is a server, the Subject Name does not match with the name configured in the local server where this error appears.

*Workaround: In the slave server configuration on iManager, make the master's trusted root certificate subject name match the actual name.

Error 35: ACL Check Failed.

Possible Cause: The authentication rule configured is Deny, or the authentication rule is not configured for this user.

Error 36: The certificate has expired.

Possible Cause: self-explanatory.

Error 37: The certificate's start date is in the future.

Possible Cause: Each certificate has a validity period with a start date and end date. In this case, the start date in the certificate is greater than the present date.
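Errors 31, 36 and 37 are all outcomes of the same validity-period check against the present time and the IKE key lifetime. The function below is an added illustration of that check, not BorderManager's code; it assumes the 8-hour lifetime the article quotes and accepts dates in the form printed by `openssl x509 -dates` (parsed with the standard-library `ssl.cert_time_to_seconds`).

```python
import ssl
from datetime import datetime, timedelta, timezone

# Lifetime the article quotes for Error 31 (an assumption for this example).
IKE_KEY_LIFETIME = timedelta(hours=8)


def parse_cert_date(text: str) -> datetime:
    """Parse a date as printed by `openssl x509 -dates`, for example
    'notAfter=Oct 28 00:00:00 2004 GMT'; the 'notAfter=' prefix is optional."""
    value = text.split("=", 1)[-1].strip()
    seconds = ssl.cert_time_to_seconds(value)   # interprets the GMT date as UTC
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def classify_validity(not_before, not_after, now, lifetime=IKE_KEY_LIFETIME):
    """Return the IKE.MLC error number the receiving server would log for a
    peer certificate with this validity period, or None if it is acceptable.

    `not_before` and `not_after` may be aware datetimes or openssl-style
    strings; `now` is an aware datetime.
    """
    if isinstance(not_before, str):
        not_before = parse_cert_date(not_before)
    if isinstance(not_after, str):
        not_after = parse_cert_date(not_after)
    if now < not_before:
        return 37   # start date is in the future
    if not_after < now:
        return 36   # already expired (Error 31 also describes this case)
    if not_after - now < lifetime:
        return 31   # valid now, but would expire within the IKE key lifetime
    return None
```

The third branch is the one operators tend to miss: a certificate that still shows as valid in a browser is rejected if fewer than 8 hours of validity remain.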

Error 38: The server certificate is not available.

Possible Cause: The server certificate will be loaded to sys:/etc/ike/rootcert directory from iManager. This error is displayed if there is an error in loading certificates from iManager to the local directory.

*Workaround: Delete the server certificate and configure a new one.

Error 39: Pre-shared key not available for the third-party server.

Possible Cause: The pre-shared key is not configured for this peer server in the third-party server configuration page.

Error 40: Pre-shared key not configured for Client-to-Site.

Possible Cause: Pre-shared key is not configured for this peer server.

Error 41: Peers CA Root Certificate not found for this usage certificate.

Possible Cause: It could be any of these:

  • The root certificate is not configured or loaded in the server.
  • The root certificate is not in the Windows client directory.
  • The peer (server or client) is sending an improper user certificate.

2.5 AUTHGW.MLC

Error 42: Memory allocation failed for send and receive buffers.

Possible Cause: Some process is consuming too much memory on the server.

*Workaround: Restart the server.

Error 43: Failed to process NMAS request.

Possible Cause: The NMAS API has returned an error. Check the details for this error code on the NMAS developer page.

Error 44: Failed to process NMAS request. Authentication failure.

Possible Cause: Username or password is incorrect.

Error 45: Failed to process NMAS request. Failed to authenticate NMAS connection.

Possible Cause: The NMAS API has returned an error. Check the details for this error code on the NMAS developer page.

Error 46: Failed to process NMAS end request. ACL check failure.

Possible Cause: Authentication rule configured is Deny, or no rule is configured for this NMAS user.

Error 47: Failed to process NMAS end request. Insufficient access rights.

Possible Cause: The grade configured in the Client-to-Site authentication rule is invalid.

*Workaround: Select the correct grade to log in.

Conclusion

The error list in this article is not exhaustive - it points to the most frequently occurring messages. Please feel free to suggest changes and enhancements to this list.



© 2014 Novell