DSCP: Policy Failure for the incoming packet
By Bob Hueston on Jan 15, 2008
My response to Mike was, "I think, in general, you can ignore the ipsec_check_inbound_policy messages. They are probably happening whenever the SCF is rebooted." But I wanted to provide a more complete response, and the tiny comment block wasn't the right place.
We are seeing ipsec messages in the system log regarding the DSCP addresses. Is there an ipsec configuration option on the host that we should check?

# dmesg |tail -1
Jan 14 14:38:42 sco01b ip: [ID 372019 kern.error] ipsec_check_inbound_policy: Policy Failure for the incoming packet (not secure); Source 192.168.037.026, Destination 192.168.037.028.
On a SPARC Enterprise M-class server, the SCF and Solaris use IPsec to authenticate each end of the connection when they set up a domain-to-SCF communication (DSCP) link. If for some reason the SCF reboots (during an SCF failover, when the SCF firmware is upgraded, or when it is manually rebooted, for example), the SCF sends a reset message to Solaris to reset the TCP connection. The reset message is sent in the clear. When Solaris sees the message in the clear (that is, "not secure"), it logs the policy failure.
If you see this message only when Solaris or the SCF reboots, then it can safely be ignored. If you're seeing this at other times, or continuously logged every second, then contact your service engineer and escalate the problem to Sun.
There was a bug filed against Solaris about these messages (technically it was an RFE -- request for enhancement). In part, the bug says:
This was fixed in OpenSolaris build 37 and Solaris 10 Update 4, and allows you to specify an ipsec_policy_log_interval of 0 to turn off the logging altogether. (Caveat: I haven't actually tried the fix myself.)
The cause of the messages is IPsec: this system received a clear text packet but the IPsec policy on this system only allows IPsec encrypted packets, so the system discards the packet. To stop the system logging itself to death, there is a rate limiting function which will only log a message every ipsec_policy_log_interval milliseconds. The default value for ipsec_policy_log_interval is 1000 (one second). In certain configurations, messages like this are expected and after a while too many messages will start to become annoying and fill up the messages file. This value can be tuned with ndd up to 999999 milliseconds (just over 16 minutes) but can't actually be disabled. This is a request to allow the systems administrator to turn off these messages should they wish.
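The rule above (a handful of messages around an SCF reboot is harmless, a steady one-per-second stream is not) can be checked mechanically against the messages file. The following is an added example, not code from the original post or from Sun: it parses lines in the shape of the dmesg output quoted above, groups them by DSCP peer pair, and flags pairs whose messages keep arriving at the 1000 ms rate-limit interval from the bug text. The sample log lines, the burst thresholds and the second source address are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog line shape from the dmesg output quoted in the post (one record per line).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ ip: \[ID \d+ kern\.error\] "
    r"ipsec_check_inbound_policy: Policy Failure for the incoming packet "
    r"\(not secure\); Source (?P<src>[\d.]+), Destination (?P<dst>[\d.]+)\.$"
)

def parse_policy_failures(lines, year):
    """Group timestamps of ipsec_check_inbound_policy messages by (source, destination).
    Syslog timestamps carry no year, so the caller supplies it."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[(m["src"], m["dst"])].append(ts)
    return events

def classify(timestamps, quiet_gap=10, max_burst=3):
    """Split sorted timestamps into bursts separated by more than quiet_gap seconds.
    A short burst is what an SCF reset produces ("transient"); a long burst at the
    default 1 s log interval is the case the post says to escalate ("continuous").
    Thresholds are assumed values for this example, not Sun-documented ones."""
    bursts, current = [], [timestamps[0]]
    for prev, ts in zip(timestamps, timestamps[1:]):
        if (ts - prev).total_seconds() > quiet_gap:
            bursts.append(current)
            current = []
        current.append(ts)
    bursts.append(current)
    verdict = "continuous" if max(map(len, bursts)) > max_burst else "transient"
    return verdict, [len(b) for b in bursts]

def triage(lines, year=2008):
    """Return {(src, dst): (verdict, burst_sizes)} for every DSCP peer pair seen."""
    return {pair: classify(sorted(ts)) for pair, ts in parse_policy_failures(lines, year).items()}

# Constructed sample: the first line is the one quoted in the post; the rest are made up.
HDR = ("sco01b ip: [ID 372019 kern.error] ipsec_check_inbound_policy: Policy Failure for the "
       "incoming packet (not secure); Source {src}, Destination 192.168.037.028.")
SAMPLE_LOG = [
    f"Jan 14 14:38:42 {HDR.format(src='192.168.037.026')}",
    f"Jan 14 14:38:43 {HDR.format(src='192.168.037.026')}",  # constructed: second reset
    "Jan 14 14:38:45 sco01b ip: [ID 999999 kern.notice] unrelated message",  # ignored
] + [f"Jan 14 15:02:{s:02d} {HDR.format(src='192.168.037.030')}" for s in range(12)]

if __name__ == "__main__":
    for pair, (verdict, sizes) in triage(SAMPLE_LOG).items():
        print(pair, verdict, sizes)
```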
Hope this provides enough information for you to understand what's going on when you see these messages.