HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 465

Table 8-26. Debug Messages
Messages Associated with IKE
Phase 1 Problems
IKEDeleteIsakmpSA
IANA for protocol: Isakmp
Once you have determined which IKE phase is causing your problem, you
should move to "Comparing VPN Policies" on page 8-80. This section will help
you determine which specific policy is causing IKE to fail.
Peer ID is Invalid. Continuously repeating "IKEStartNegotiation" mes-
sages indicate that the router is unable to even reach the peer to begin IKE
negotiations. This problem can have several sources:
The peer ID in crypto map entry is incorrect.
The peer ID in IKE policy is incorrect.
The IKE policy does not allow you to initiate IKE with this peer.
See Table 8-27 for debug messages associated these problems.
Table 8-27. IKEStartNegotiation Debug Messages
Attribute
Can not Initiate on a
Respond only policy
Could not find an IKE
policy to use
Already in process of
negotiation
IKERetryTimeOut:
Retrying 1st phase
To check the peer ID in an IKE policy or crypto map entry, enter commands
such as the following:
Syntax: show crypto map [<mapname> <mapindex>]
Syntax: show crypto ike policy
You can also view all crypto maps by entering the show crypto map command
without a mapname and index.
Messages Associated with IKE
Phase 2 Problems
IKEFindIPSecSAbySPI
IANA for protocol: IPSec
Problem
The IKE policy for the peer is set
to no initiate.
The peer ID in the crypto map
entry does not match the peer
ID in any IKE policy.
The peer ID in the crypto map
entry and IKE policy are
incorrect.
Virtual Private Networks
Troubleshooting a VPN That Uses IPSec
Best Next Step
Change the IKE initiate mode in
the policy to main or aggressive.
Check the peer ID in the crypto
map entry and IKE policy and
change the incorrect setting.
Verify that you have configured
the correct public IP address for
the peer.
8-79