ZyWALL 10~100 Series Internet Security Gateway

 

Chart 13-10 Sample IKE Key Exchange Logs

LOG MESSAGE                   DESCRIPTION

vs. My Local <IP address>     The IP address type or IP address of an incoming
                              packet does not match the peer IP address type or IP
                              address configured on the local router. The log
                              displays this router’s configured local IP address type
                              or IP address that the incoming packet did not match.

-> <symbol>                   The router sent a payload type of IKE packet.

Error ID Info                 The parameters configured for Phase 1 ID content do
                              not match or the parameters configured for the Phase
                              2 ID (IP address of single, range or subnet) do not
                              match. Please check all protocols and settings for
                              these phases.

 

The following table shows sample log messages during packet transmission.

Chart 13-11 Sample IPSec Logs During Packet Transmission

LOG MESSAGE                   DESCRIPTION

!! WAN IP changed to <IP>     If the ZyWALL’s WAN IP changes, all configured “My IP
                              Addr” are changed to “0.0.0.0”. If this field is
                              configured as 0.0.0.0, then the ZyWALL will use the
                              current ZyWALL WAN IP address (static or dynamic) to
                              set up the VPN tunnel.

!! Cannot find IPSec SA       The ZyWALL cannot find a phase 2 SA that corresponds
                              with the SPI of an inbound packet (from the peer); the
                              packet is dropped.

!! Cannot find outbound SA    The packet matches the rule index number (#d), but
for rule <%d>                 Phase 1 or Phase 2 negotiation for outbound (from the
                              VPN initiator) traffic is not finished yet.

!! Discard REPLAY packet      If the ZyWALL receives a packet with the wrong
                              sequence number, it will discard it.

!! Inbound packet             The authentication configuration settings are
authentication failed         incorrect. Please check them.

!! Inbound packet             The decryption configuration settings are incorrect.
decryption failed             Please check them.

Rule <#d> idle time out,      If an SA has no packets transmitted for a period of
disconnect                    time (configurable via CI command), the ZyWALL drops
                              the connection.

Log Descriptions
