
Destroying a local key pair – H3C Technologies H3C S12500-X Series Switches User Manual


IPsec SA negotiation failed because no matching IPsec transform sets were found

Symptom

1. The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet.

2. The following IKE debugging message appeared:

The attributes are unacceptable.

Or:

Construct notification packet: NO_PROPOSAL_CHOSEN.


Analysis

Certain IPsec policy settings are incorrect.


Solution

1. Examine the IPsec configuration to see whether the two ends have matching IPsec transform sets.

2. Modify the IPsec configuration to make sure the two ends have matching IPsec transform sets.
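The comparison in step 1 can be done mechanically. The following Python script is an added example, not part of the H3C manual: it parses the transform sets from each end's saved configuration and reports, per pair, which settings differ. The configuration text is constructed, the transform-set command syntax shown is an assumption (it does not appear on this page), and the script compares only settings that are written out explicitly, so a setting left at its default on one end shows up as a difference.

```python
import re

# Constructed sample configs for the two ends. The transform-set command
# syntax is assumed (Comware-style); it does not appear on this page.
LOCAL_CFG = """\
ipsec transform-set tran1
 encapsulation-mode tunnel
 protocol esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
"""
PEER_CFG = """\
ipsec transform-set tranA
 encapsulation-mode tunnel
 protocol esp
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha1
#
ipsec transform-set tranB
 encapsulation-mode transport
 protocol esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
"""

def parse_transform_sets(cfg):
    """Return {set name: {setting: value}} from configuration text."""
    sets, current = {}, None
    for line in cfg.splitlines():
        header = re.match(r"ipsec transform-set (\S+)", line)
        if header:
            current = sets.setdefault(header.group(1), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().rpartition(" ")
            current[key] = value          # e.g. "protocol" -> "esp"
        else:
            current = None                # "#" or any other line ends the view
    return sets

def compare_ends(local_cfg, peer_cfg):
    """Return {(local set, peer set): {setting: (local, peer)}}; {} means a match."""
    local, peer = parse_transform_sets(local_cfg), parse_transform_sets(peer_cfg)
    return {(ln, pn): {k: (ls.get(k), ps.get(k))
                       for k in sorted(set(ls) | set(ps)) if ls.get(k) != ps.get(k)}
            for ln, ls in local.items() for pn, ps in peer.items()}

if __name__ == "__main__":
    for pair, delta in compare_ends(LOCAL_CFG, PEER_CFG).items():
        print(pair, "match" if not delta else delta)
```

If no pair comes back with an empty difference, the two ends have no transform set in common, which is the condition this section describes.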


IPsec SA negotiation failed due to invalid identity information


Symptom

1. The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet.

2. The following IKE debugging message appeared:

Notification INVALID_ID_INFORMATION is received.

Or:

Failed to get IPsec policy when renegotiating IPsec SA. Delete IPsec SA.

Construct notification packet: INVALID_ID_INFORMATION.


Analysis

Certain IPsec policy settings of the responder are incorrect. Verify the settings as follows:

1. Use the display ike sa verbose command to verify that matching IKE profiles were found in IKE negotiation phase 1. If no matching IKE profiles were found and the IPsec policy is referencing an IKE profile, the IPsec SA negotiation fails.

# Verify that matching IKE profiles were found in IKE negotiation phase 1.

display ike sa verbose

-----------------------------------------------

Connection ID: 3

Outside VPN:

Inside VPN:

Profile:

Transmitting entity: Responder

-----------------------------------------------