Last updated on: June 19 2024.

IKEv2 Log Analysis

This page describes how to interpret logging found in ipsec.log.

If possible, debug2 logs should be enabled to see more detailed logs. Most of the logging described below will not appear at the default log level.

To enable debug2 logs, refer to Enable IPsec Debug.

The majority of IPsec tunnels in the world are IKEv2, so this page contains only IKEv2 related messages. Refer to the IKEv1 Log Analysis page for IKEv1 analysis.

Common Log Messages and Meaning

This page is a work in progress and more material will be added over time.

These logs are drawn from examples found in /var/log/ipsec.log.


info tmm[20647]: 017c0000  [0.0] [IKE] v2 192.0.2.1%0-198.51.100.1%0 [0xb9e04f9831b6d377-0x92f7016301791cc2][R] [PROTO_ERR]: message lacks KE payload

The initiator sent this BIG-IP a proposal that was missing the KE (key exchange) payload, which carries the PFS parameter the BIG-IP is expecting. This is a fatal error.


info tmm[20647]: 017c0000  [0.0] [IKE] v2 192.0.2.1%0-198.51.100.1%0 [0xb9e04f9831b6d377-0x92f7016301791cc2][R] [PROTO_ERR]: ike_sa ABORT, err 110

The IPsec negotiation failed for reasons normally found in the preceding logs.


info tmm[16338]: 017c0000  [0.0] [IKE] v2 192.0.2.1%0-198.51.100.1%0 [0xa621fea8ec074ba9-0x90054164f78ecdcd][I] [PROTO_WARN]: received a message to a dead IKE SA

or

info tmm[16338]: 017c0000 [0.0] [IKE] [PROTO_WARN]: message to a nonexistent ike_sa

The remote peer sent an ISAKMP packet to the BIG-IP using a cookie that the BIG-IP did not have, normally because the BIG-IP recently deleted the SA.


info tmm[20647]: 017c0000  [0.0] [IKE] v2 192.0.2.1%0-198.51.100.1%0 [0xbabf623a8fa1e13f-0x10d7f4bb4e866676][R] [PROTO_ERR]: retransmission count exceeded the limit

The BIG-IP is not having much luck negotiating a tunnel with the peer and has given up. It will likely try again after a new initiator cookie is generated.


info tmm[20647]: 017c0000  [0.0] [IKE] v2 192.0.2.1%0-198.51.100.1%0 [0xd000ade40d63c0ae-0xf6bd410daf758ee0][R] [PROTO_WARN]: ignoring unauthenticated notify payload (NAT_DETECTION_SOURCE_IP)
info tmm[20647]: 017c0000  [0.0] [IKE] v2 192.0.2.1%0-198.51.100.1%0 [0xd000ade40d63c0ae-0xf6bd410daf758ee0][R] [PROTO_WARN]: ignoring unauthenticated notify payload (NAT_DETECTION_DESTINATION_IP)

The BIG-IP does not support NAT-D in this phase of the ISAKMP negotiation, so it ignores the payload. This is not a fatal problem.


info tmm[20647]: 017c0000  [0.0] [IKE] v2 192.0.2.1%0-198.51.100.1%0 [0xd000ade40d63c0ae-0xf6bd410daf758ee0][R] [PROTO_WARN]: vendor id payload ignored

The peer sent a payload indicating that it supported an option that the BIG-IP does not support. The payload itself may be explained in the preceding log lines. This is normally not a fatal problem.


info tmm[20647]: 017c0000  [0.0] [IKE] v2 192.0.2.1%0-198.51.100.1%0 [0x2010dcf80a646153-0x934fafcb5c049dcc][I] [INFO]: received Notify payload protocol 0 type NO_PROPOSAL_CHOSEN
info tmm[20647]: 017c0000  [0.0] [IKE] v2 192.0.2.1%0-198.51.100.1%0 [0x2010dcf80a646153-0x934fafcb5c049dcc][I] [INFO]: Unknown notification payload (type NO_PROPOSAL_CHOSEN)

The remote peer did not like the configuration of the BIG-IP and sent a message to say so. This is a fatal error.


info tmm[20647]: 017c0000  [0.0] [IKE] v2 192.0.2.1%0-198.51.100.1%0 [0xb9e04f9831b6d377-0x92f7016301791cc2][R] [INFO]: received DELETE IKE_SA

The remote peer deleted an IKE_SA and informed the BIG-IP. Reasons can include lifetime exceeded or user intervention. This may lead to the tunnel going down, but interesting traffic will re-establish the tunnel if required.


info tmm[20647]: 017c0000  [0.0] [IKE] v2 192.0.2.1%0-198.51.100.1%0 [0x1a59728db0d73db4-0x7a5ed19fa5b5fc81][R] [INFO]: delete proto ESP spi 0x352c4dc4

The remote peer deleted the tunnel and informed the BIG-IP. Reasons can include lifetime exceeded or user intervention. Traffic should cause the tunnel to re-establish.


info tmm[16338]: 017c0000  [0.0] [IKE] v2 192.0.2.1%0-198.51.100.1%0 [0xcb97f9792f102176-0xd081ed9cc8f754c4][I] [INFO]: ignoring notification payload (type NAT_DETECTION_SOURCE_IP) inside unauthenticated response
info tmm[16338]: 017c0000  [0.0] [IKE] v2 192.0.2.1%0-198.51.100.1%0 [0xcb97f9792f102176-0xd081ed9cc8f754c4][I] [INFO]: ignoring notification payload (type NAT_DETECTION_DESTINATION_IP) inside unauthenticated response

The remote peer sent these payloads at an unexpected moment. This indicates that the remote peer and BIG-IP are not in sync over what stage of the tunnel negotiation they are at.


info tmm[5637]: 017c0000 [0.2] [IKE] v2 159.253.88.196%104-188.203.195.103%104 [0xcf8e2f5ed0d57c8-0x7a6dec9048f59d3e][I] [PROTO_WARN]: received Notify payload protocol 0 type SET_WINDOW_SIZE

The BIG-IP didn’t recognise the payload from the peer, in this case SET_WINDOW_SIZE. When this warning appears, there may be a PROTO_ERR message following it.


info tmm[5637]: 017c0000 [0.2] [IKE] v2 159.253.88.196%104-188.203.195.103%104 [0xcf8e2f5ed0d57c8-0x7a6dec9048f59d3e][I] [PROTO_ERR]: unexpected critical payload (type 43)

The peer sent something unexpected and it was a mandatory negotiation option. Look at the preceding log messages to see what it was. This is a fatal error.


info tmm[16338]: 017c0000 [0.0] [IKE] [INTERNAL_WARN]: PF_KEY SADB_EXPIRE message (seq=0xddc65) does not have corresponding request. (ignored)

This is logged when a kernel SA expires or an SADB DELETE is received, and the IKEv2 code could not find a corresponding SA to delete. This is unusual, but can happen when a user manually deletes an ipsec-sa; in that case a delete operation should be visible in the audit log file. A corresponding message in the tmm log may appear along these lines:

notice pfkeydb_ipsec_sa_delete/209: PFKDB: Unable to delete IPSEC SA ERR_NOT_FOUND


Jun 19 00:51:00 bigip-2-1.lab info tmm[28432]: 017c0000  [0.6] [IKE] v2 172.16.2.1%0-172.16.1.1%0 [0x0e40a6f526fd643e-0x442e74a9bc641f4a][R] [INFO]: ikev2_process_request: [WINDOW SIZE QUEUE] Out-Of-Order ike_sa=0x400282fd06c8 recv msg_id=0x1 expected=0x2 SPI 442e74a9bc641f4a 0e40a6f526fd643e

After a major configuration change (for example converting a tunnel from “tunnel” mode to “interface” mode) the BIG-IP’s config state may be left ambiguous. In this case, bigstart restart tmipsecd may resolve the issue.


info tmm[16338]: 017c0000 [0.0] [IKE] [INFO]: PROTO_SUCCESS 192.0.2.1[500] -> 198.51.100.1[500] SPI(0x817de2fa) outbound ESP tunnel SADB_ADD
info tmm[16338]: 017c0000 [0.0] [IKE] [INFO]: PROTO_SUCCESS 198.51.100.1[500] -> 192.0.2.1[500] SPI(0x962adae) inbound ESP tunnel SADB_UPDATE

By some miracle the tunnel is up: both ESP SAs have been installed in the kernel (outbound via SADB_ADD, inbound via SADB_UPDATE).
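As an added example (not from this page or from F5), the script below parses lines in the ipsec.log format shown above, groups them by IKE SA SPI pair, and applies the fatal/non-fatal meanings this page gives to each message. The sample lines are constructed from the page's examples, and the list of fatal message fragments is an assumption drawn from the descriptions above.

```python
import re
from collections import defaultdict

# Constructed sample input in the ipsec.log format shown on this page.
SAMPLE_LOG = """\
info tmm[20647]: 017c0000  [0.0] [IKE] v2 192.0.2.1%0-198.51.100.1%0 [0xb9e04f9831b6d377-0x92f7016301791cc2][R] [PROTO_ERR]: message lacks KE payload
info tmm[20647]: 017c0000  [0.0] [IKE] v2 192.0.2.1%0-198.51.100.1%0 [0xb9e04f9831b6d377-0x92f7016301791cc2][R] [PROTO_ERR]: ike_sa ABORT, err 110
info tmm[20647]: 017c0000  [0.0] [IKE] v2 192.0.2.1%0-198.51.100.1%0 [0xd000ade40d63c0ae-0xf6bd410daf758ee0][R] [PROTO_WARN]: ignoring unauthenticated notify payload (NAT_DETECTION_SOURCE_IP)
info tmm[20647]: 017c0000  [0.0] [IKE] v2 192.0.2.1%0-198.51.100.1%0 [0xd000ade40d63c0ae-0xf6bd410daf758ee0][R] [PROTO_WARN]: vendor id payload ignored
info tmm[16338]: 017c0000 [0.0] [IKE] [INFO]: PROTO_SUCCESS 192.0.2.1[500] -> 198.51.100.1[500] SPI(0x817de2fa) outbound ESP tunnel SADB_ADD
"""

# One regex for both line shapes: with an IKE SA context ("v2 a%0-b%0 [ispi-rspi][R]")
# and without it (PF_KEY and PROTO_SUCCESS lines carry no IKE SA SPIs).
LINE_RE = re.compile(
    r"\[IKE\]\s+(?:v2\s+(?P<local>[^%\s]+)%\d+-(?P<peer>[^%\s]+)%\d+\s+"
    r"\[(?P<ispi>0x[0-9a-f]+)-(?P<rspi>0x[0-9a-f]+)\]\[(?P<role>[IR])\]\s+)?"
    r"\[(?P<level>[A-Z_]+)\]:\s+(?P<msg>.*)$"
)

# Message fragments this page describes as fatal for the negotiation (assumed list).
FATAL = ("lacks KE payload", "ike_sa ABORT", "retransmission count exceeded",
         "NO_PROPOSAL_CHOSEN", "unexpected critical payload")

def parse_line(line):
    """Return the IKE fields of one ipsec.log line, or None if it is not an [IKE] line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["fatal"] = any(f in d["msg"] for f in FATAL)
    return d

def summarize(log_text):
    """Group [IKE] lines by IKE SA (initiator SPI-responder SPI) and give each a verdict."""
    sas = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            key = f"{ev['ispi']}-{ev['rspi']}" if ev["ispi"] else "no-ike-sa"
            sas[key].append(ev)
    verdicts = {}
    for key, events in sas.items():
        if any(e["fatal"] for e in events):
            verdicts[key] = "FAILED: " + next(e["msg"] for e in events if e["fatal"])
        elif any(e["msg"].startswith("PROTO_SUCCESS") for e in events):
            verdicts[key] = "UP"
        else:
            verdicts[key] = "WARNINGS ONLY"
    return verdicts

if __name__ == "__main__":
    for sa, verdict in summarize(SAMPLE_LOG).items():
        print(sa, "->", verdict)
```

Run it against a real ipsec.log with debug2 enabled to get one verdict per IKE SA; PROTO_SUCCESS lines pool under "no-ike-sa" because they identify the ESP SPI rather than the IKE SA.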

