Cisco Cisco Packet Data Gateway (PDG)
ePDG Administration Guide, StarOS Release 17 ▄
113
Chapter 5
IKEv2 Error Codes and Notifications
This appendix lists the IKEv2 error codes and notifications supported by the ePDG (evolved Packet Data Gateway).
The following table lists the IKEv2 error codes generated by the ePDG.
Table 24.
IKEv2 Error Codes Generated by the ePDG
Value
Error Code
ePDG Support
1
UNSUPPORTED_CRITICAL_PAYLOAD The ePDG sends this code if the Critical Bit exists in the received message
and the Payload Type is unrecognized.
4
INVALID_IKE_SPI
The ePDG does not send this code. The ePDG ignores messages with an
unrecognized SPI in order to minimize the impact of DoS attacks.
unrecognized SPI in order to minimize the impact of DoS attacks.
5
INVALID_MAJOR_VERSION
The ePDG sends this code in response to messages with an invalid Major
Version. The ePDG supports a CLI command to suppress sending this error
notification in response to IKE_SA_INIT Request messages. This is done
in order to avoid DoS attacks.
Version. The ePDG supports a CLI command to suppress sending this error
notification in response to IKE_SA_INIT Request messages. This is done
in order to avoid DoS attacks.
7
INVALID_SYNTAX
The ePDG sends this code upon receiving messages with an inappropriate
format, or when necessary payloads are missing. The ePDG does not send
this code during IKE_SA_INIT exchanges for an unknown IKE SA. The
ePDG sends this code for non-IKEv2 INIT exchanges only (such as
IKE_AUTH, CREATE_CHILD_SA, or INFORMATIONAL exchanges).
The ePDG also supports a CLI command to suppress sending this error
notification. This is done in order to avoid DoS attacks.
format, or when necessary payloads are missing. The ePDG does not send
this code during IKE_SA_INIT exchanges for an unknown IKE SA. The
ePDG sends this code for non-IKEv2 INIT exchanges only (such as
IKE_AUTH, CREATE_CHILD_SA, or INFORMATIONAL exchanges).
The ePDG also supports a CLI command to suppress sending this error
notification. This is done in order to avoid DoS attacks.
9
INVALID_MESSAGE_ID
The ePDG sends this code in INFORMATIONAL Request messages only.
The ePDG also supports a CLI command to suppress sending this error
notification in response to IKE_SA_INIT Request messages. This is done
in order to avoid DoS attacks.
The ePDG also supports a CLI command to suppress sending this error
notification in response to IKE_SA_INIT Request messages. This is done
in order to avoid DoS attacks.
11
INVALID_SPI
The ePDG does not send this code. The ePDG ignores ESP packets with an
unrecognized SPI in order to minimize the impact by DoS attacks.
unrecognized SPI in order to minimize the impact by DoS attacks.
14
NO_PROPOSAL_CHOSEN
The ePDG sends this code when it cannot not choose a proposal from the
UE. The ePDG supports a CLI command to suppress sending this code.
UE. The ePDG supports a CLI command to suppress sending this code.
17
INVALID_KE_PAYLOAD
The ePDG sends this code when the IKE payload from the UE is invalid.
24
AUTHENTICATION_FAILED
The ePDG sends this code during the EAP authentication when EAP
authentication fails.
authentication fails.
35
NO_ADDITIONAL_SAS
The ePDG sends this code when a CREATE_CHILD_SA Request message
is unacceptable because the ePDG is unwilling to accept any more CHILD
SAs on the IKE_SA.
is unacceptable because the ePDG is unwilling to accept any more CHILD
SAs on the IKE_SA.