12.07.2015 Views

Symantec™ Security Gateways Reference Guide - Sawmill


Log messages
Notice messages (200-299)

227 - VPN packet dropped because peer used incorrect compression algorithm. To accept any algorithm used by peer, set “vpnd.strict_decompression_check=False” in config.cf

Description: By default, a security gateway rejects a tunnel when the compression algorithm does not match the algorithm in the tunnel policy. You can override this behavior by setting vpnd.strict_decompression_check to False in the advanced options. A simpler method is to modify the tunnel policy to accept either one of the compression algorithms.

227 - VPN packet dropped because received IP compression packet on a tunnel that was not configured for compression

Description: This message is atypical and results from a configuration error.

227 - VPN packet dropped because the IP encapsulating protocol is not appropriate for tunnel

Description: This is sometimes a catch-all error. For example, the hardware refused to decrypt a packet for an unknown reason.

227 - VPN packet dropped because the packet has incorrect encryption padding

Description: ESP packets are typically padded to a boundary. An IPsec convention defines the padding contents of an ESP packet. Normally, the padding is not checked. But, if the check is turned on, a packet is dropped when the padding does not match the constant pattern.

227 - VPN packet dropped because the packet is either too old or has been received before by tunnel (potential replay attack)

Description: Associated with each IPsec packet is an increasing sequence number.

An IPsec feature is protection against replay of the same packets. When the same encrypted packet is sent again for some reason, the packet is dropped. This is called replay attack protection.

This feature is implemented by maintaining a sliding window of packets received. The default Replay Window Size is 128. When the same packet is sent again or a packet is received outside of the window, the packet is dropped.

Getting these messages occasionally is normal, given the fluctuation of network transmission. These messages can appear more frequently when multiple data streams are traversing the same tunnel at the same time.

It is possible to increase the size of the window and it is possible to disable this security check altogether.

227 - VPN packet dropped because unknown compression algorithm

Description: This message is atypical and results from a configuration error.

228 - Cannot connect to port

Description: The proxy is unable to connect to a specific server on the given port. The resource parameter identifies the port.

228 - Cannot connect to port (local port already in use, retrying)

Description: A connection attempt failed because the requested port is already in use. The security gateway is trying again to create the connection.
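The sliding-window check described for the "too old or has been received before" message, as an added example (not code from the Symantec guide or the gateway): a bitmap window in the style of RFC 4303 using the guide's default size of 128. The class and function names, the arrival order, and the comparison size of 256 are constructed for illustration.

```python
WINDOW_SIZE = 128  # default Replay Window Size given in the guide

class ReplayWindow:
    """Bitmap anti-replay window; bit i set means (highest - i) was seen."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq):
        """Classify one packet that is assumed to have passed integrity
        verification (the window must only advance on authentic packets)."""
        if seq < 1:
            return "too_old"          # sequence numbers start at 1
        if seq > self.highest:
            # Slide right edge to seq; bits past the left edge are forgotten.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "too_old"          # left of the window: cannot be verified
        if self.bitmap & (1 << offset):
            return "replay"           # already received inside the window
        self.bitmap |= 1 << offset    # late but new: accept and mark
        return "accept"

def classify(arrivals, size=WINDOW_SIZE):
    """Count verdicts for a list of sequence numbers in arrival order."""
    window = ReplayWindow(size)
    counts = {"accept": 0, "replay": 0, "too_old": 0}
    for seq in arrivals:
        counts[window.check_and_update(seq)] += 1
    return counts

# Constructed arrival order: packets 10-14 of one stream are delayed behind
# 186 packets of other traffic on the same tunnel, then packet 200 is resent.
DELAYED = list(range(10, 15))
ARRIVALS = [s for s in range(1, 201) if s not in DELAYED] + DELAYED + [200]

if __name__ == "__main__":
    for size in (128, 256):   # 256 is a hypothetical enlarged window
        print(size, classify(ARRIVALS, size))
```

Both the "replay" and "too_old" verdicts correspond to the single 227 message above, so a burst of these log entries alone does not distinguish reordering from retransmission of captured packets.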
