SunScreen SKIP User's Guide, Release 1.5.1

Appendix C Troubleshooting SunScreen SKIP

The following information is provided to help you troubleshoot any problems with SunScreen SKIP. You should also consult "Is SKIP Working?".

Emergency Start Instructions

System Hangs and You Cannot Access the Machine

If your system hangs when you are configuring SKIP and you do not have access to your machine, reboot your machine in single-user mode and become root.

  1. With a text editor, such as vi, edit the file acl.network_interface in the /etc/skip/ directory so that the line

    skiphost -i network_interface -o on

    reads

    skiphost -i network_interface -o off

    This will disable SKIP.

  2. Reboot your machine normally to clean up the file system.

  3. Then, as root, you may reconfigure your access control list as your security policy dictates.
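
The edit in step 1 can also be scripted. The following is an added example, not part of the original guide: `skip_acl_disable` is a hypothetical helper name, and it assumes the ACL file contains the `skiphost` line in the form shown above. It keeps a backup copy and changes only the matching line.

```shell
#!/bin/sh
# Added example (not from the SunScreen SKIP guide): scripted form of step 1.
# skip_acl_disable is a hypothetical helper name.
# Usage: skip_acl_disable ACL_FILE NETWORK_INTERFACE
# Returns 0 if the line was changed, 1 if no "-o on" line was found,
# 2 on bad arguments or I/O failure.
skip_acl_disable() {
    acl_file=$1
    iface=$2

    # Interface names are plain identifiers; reject anything that could
    # act as a regular-expression or sed metacharacter.
    case $iface in
        ''|*[!A-Za-z0-9_]*) echo "bad interface name: $iface" >&2; return 2 ;;
    esac
    [ -f "$acl_file" ] || { echo "no such file: $acl_file" >&2; return 2; }

    ws='[[:space:]][[:space:]]*'
    # Everything on the line up to, but not including, the on/off word.
    pat="[[:space:]]*skiphost${ws}-i${ws}${iface}${ws}-o${ws}"

    if ! grep -q "^${pat}on[[:space:]]*\$" "$acl_file"; then
        echo "no 'skiphost -i $iface -o on' line in $acl_file" >&2
        return 1
    fi

    # Keep the original so the previous state can be restored later.
    cp -p "$acl_file" "$acl_file.bak" || return 2

    # Rewrite only the matching line; every other line is copied through.
    if ! sed "s/^\(${pat}\)on[[:space:]]*\$/\1off/" "$acl_file.bak" > "$acl_file"; then
        cp -p "$acl_file.bak" "$acl_file"
        return 2
    fi

    # Confirm the file now carries the "off" line before rebooting.
    grep -q "^${pat}off\$" "$acl_file" || return 2
}

# Run as: sh this_script /etc/skip/acl.network_interface network_interface
if [ "$#" -eq 2 ]; then
    skip_acl_disable "$1" "$2"
fi
```

The saved `.bak` copy records the ACL state from before SKIP was disabled, which is useful when you reconfigure the access control list in step 3.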

System Hangs, But You Still Can Become Root

  1. If your system hangs when you are configuring SKIP and you still have access to your machine and can become root, enter


    # skiphost -o off -i network_interface
    

    This will disable SKIP on the network interface.

  2. Then, as root, you may reconfigure your access control list as your security policy dictates.

Error Messages

The following error messages may occur while you operate the SKIP software.


N-counter out of range - either replayed packets or out of sync clocks

SKIP has received "old" packets. Typically, this means that the sending machine's clock is not synchronized with your machine's clock; rarely, it means that an intermediary is sending old packets in a replay attack.


Certificate g+p do not match dh_params

An entry in your access control list has a local identity and remote identity that do not have matching Diffie-Hellman parameters (g is the generator value, p is the prime value). This is typically caused when you try to talk to a system with moduli that do not match (i.e., a 1024-bit system trying to talk to a 512-bit system using 1024-bit keys).


Local secret nsid=xx mkid=xx has expired. Deleting

Your local secret has expired. Generate a new local identity.


Unable to load skipsup.o -- Exiting!

The SKIP support module could not be loaded. Typically, this means that one of the necessary libraries is not available on the machine that is attempting to run SKIP. Ensure that your system has the required software packages installed according to the instructions in the SunScreen User's Guide.


Modulus too big for U.S. export law

You have attempted to load a key that is not permitted under U.S. export law. Make sure that you have installed both the base SKIP package and any SKIP encryption upgrade packages that you have purchased under appropriate U.S. export license control.


skipd: passphrase required issue skipd_restart to enable encryption

The key manager cannot start without a password to decrypt local secrets. Use the command skipd_restart to start the key manager.