ZyXEL Communications Internet Security Gateway ZyWALL 2 Series User Manual

ZyWALL 2 Series User’s Guide

Log Descriptions

O-15

Chart O-10 Sample IKE Key Exchange Logs

LOG MESSAGE

DESCRIPTION

vs. My Local

The IP address type or IP address of an incoming
packet does not match the peer IP address type or IP
address configured on the local router. The log
displays this router’s configured local IP address type
or IP address that the incoming packet did not match.

->

The router sent a payload type of IKE packet.

Error ID Info

The parameters configured for Phase 1 ID content do
not match or the parameters configured for the Phase
2 ID (IP address of single, range or subnet) do not
match. Please check all protocols and settings for
these phases.

The following table shows sample log messages during packet transmission.

Chart O-11 Sample IPSec Logs During Packet Transmission

LOG MESSAGE

DESCRIPTION

!! WAN IP changed to

If the ZyWALL’s WAN IP changes, all configured “My IP Addr” are
changed to b “0.0.0.0”. If this field is configured as 0.0.0.0, then the
ZyWALL will use the current ZyWALL WAN IP address (static or
dynamic) to set up the VPN tunnel.

!! Cannot find IPSec SA

The ZyWALL cannot find a phase 2 SA that corresponds with the
SPI of an inbound packet (from the peer); the packet is dropped.

!! Cannot find outbound SA
for rule <%d>

The packet matches the rule index number (#d), but Phase 1 or
Phase 2 negotiation for outbound (from the VPN initiator) traffic is
not finished yet.

!! Discard REPLAY packet

If the ZyWALL receives a packet with the wrong sequence number
it will discard it.

!! Inbound packet
authentication failed

The authentication configuration settings are incorrect. Please
check them.

!! Inbound packet
decryption failed

The decryption configuration settings are incorrect. Please check
them.

Rule <#d> idle time out,

disconnect

If an SA has no packets transmitted for a period of time
(configurable via CI command), the ZyWALL drops the connection.