| SRDB ID | Synopsis | Date |
| 47324 | Sun Fire[TM] 12K/15K: ip: ip_fanout_tcp_listen: Dropping the datagram because the incoming packet is secure | 9 Oct 2002 |
| Status | Issued |
| Description |
A Sun Fire[TM] 12K/15K domain displays the following message:
Mar 28 13:25:55 ha1a ip: ip_fanout_tcp_listen: Dropping the datagram because the incoming packet is secure, but the recipient expects clear; Source 010.254.001.001, Destination 010.254.001.002.
SOLUTION SUMMARY:
Explanation:
This message can appear when IPSec communication has been enabled on the domain. The message itself states the condition: the incoming packet arrived protected by IPSec, but the policy for the receiving TCP listener expects cleartext, so the policies on the two hosts do not agree. See the file /etc/inet/ipsecinit.sample for details of IPSec and how to configure it. If IPSec is configured, the node will have the files /etc/inet/ipsecinit.conf and /etc/inet/ipsecpolicy.conf. Most likely the error is the result of an improperly configured file.
Action:
Compare /etc/inet/ipsecinit.conf and /etc/inet/ipsecpolicy.conf on the system exhibiting the error with the same files on a system that does not exhibit it, to identify the policy entry that differs on the failing system.
Here's what the /etc/inet/ipsecinit.sample file looks like:
root@mc15k-sc0 # cat ipsecinit.sample
#
#ident "@(#)ipsecinit.sample 1.4 99/04/28 SMI"
#
# Copyright (c) 1999 by Sun Microsystems, Inc.
# All rights reserved.
#
# This file should be copied to /etc/inet/ipsecinit.conf to enable IPsec.
# Even if this file has no entries, IPsec will be loaded if
# /etc/inet/ipsecinit.conf exists.
#
# Add entries to protect the traffic using IPSEC. The entries in this
# file are currently configured using ipsecconf from inetinit script
# after /usr is mounted.
#
# For example,
#
# {dport 23} apply {encr_algs des encr_auth_algs md5 sa shared}
# {sport 23} permit {encr_algs des encr_auth_algs md5}
#
# will protect the telnet traffic to/from the host with ESP using DES and
# MD5. Also:
#
# {daddr 10.5.5.0/24} apply {auth_algs any sa shared}
# {saddr 10.5.5.0/24} permit {auth_algs any}
#
# will protect traffic to/from the 10.5.5.0 subnet with AH using any available
# algorithm.
#
#
# WARNING: This file is read before default routes are established, and
# before any naming services have been started. The
# ipsecconf(1M) command attempts to resolve names, but it will
# fail unless the machine uses files, or DNS and the DNS server
# is on-subnet (i.e. reachable without a default route).
#
# It is suggested that for this file, use hostnames only if
# they are in /etc/hosts, or use numeric IP addresses.
#
# If DNS gets used, the DNS server is implicitly trusted, which
# could lead to compromise of this machine if the DNS server
# has been compromised.
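As an added illustration (not part of the SRDB or of Sun's tools), the following Python script parses two hosts' policy files in the ipsecinit.conf format shown above and reports the ports one host protects with an apply entry while the other host has no mirrored permit entry, which is the policy asymmetry behind this message. The two sample policies are constructed, and the comparison is simplified to port-based entries only.

```python
import re

# Constructed sample policy files for two hosts (made up for this example,
# not taken from the SRDB). Host A protects telnet in both directions; on
# host B the inbound "permit" entry is missing, so B expects clear on port 23.
HOST_A_CONF = """
{dport 23} apply {encr_algs des encr_auth_algs md5 sa shared}
{sport 23} permit {encr_algs des encr_auth_algs md5}
"""
HOST_B_CONF = """
# only the outbound half of the telnet policy was copied to this host
{dport 23} apply {encr_algs des encr_auth_algs md5 sa shared}
"""
# An ipsecinit.conf entry has the shape: {pattern} action {properties}
RULE_RE = re.compile(r"\{([^}]*)\}\s+(apply|permit|bypass)\s+\{([^}]*)\}")

def _pairs(text):
    """Turn 'dport 23 sa shared' into {'dport': '23', 'sa': 'shared'}."""
    toks = text.split()
    return dict(zip(toks[::2], toks[1::2]))

def parse_policy(text):
    """Return [(pattern, action, properties), ...], one tuple per entry."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable policy entry: %r" % line)
        pattern, action, props = m.groups()
        rules.append((_pairs(pattern), action, _pairs(props)))
    return rules

def ports_expected_clear(sender_rules, receiver_rules):
    """Destination ports the sender protects with 'apply' for which the
    receiver has no 'permit' entry on the mirrored source port: that traffic
    arrives secure while the receiver expects clear, the condition
    ip_fanout_tcp_listen logs. Simplified: only port entries are compared."""
    permitted = {pat["sport"] for pat, act, _ in receiver_rules
                 if act == "permit" and "sport" in pat}
    return [pat["dport"] for pat, act, _ in sender_rules
            if act == "apply" and "dport" in pat and pat["dport"] not in permitted]

if __name__ == "__main__":
    a, b = parse_policy(HOST_A_CONF), parse_policy(HOST_B_CONF)
    print("A -> B, secure but B expects clear:", ports_expected_clear(a, b))  # ['23']
    print("B -> A, secure but A expects clear:", ports_expected_clear(b, a))  # []
```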