Common VPN Connection Manager error messages

Describes of some of the more common VPN Connection Manager error messages you may encounter.

In general, the VPN Connection Manager logs two messages in the QTOVMAN job log when an error occurs with a VPN connection. The first message provides details regarding the error. You can view information about these errors in iSeries™ Navigator by right-clicking the connection in error and selecting Error Information.

The second message describes the action you were attempting to perform on the connection when the error occurred. For example, starting or stopping it. Messages TCP8601, TCP8602, and TCP860A, described below, are typical examples of these second messages.

VPN Connection Manager error messages
Message Cause Recovery
TCP8601 Could not start VPN connection [connection name] Could not start this VPN connection due to one of these reason codes: 0 - A previous message in the job log with the same VPN connection name has more detailed information. 1 - VPN policy configuration. 2 - Communications network failure. 3 - VPN Key Manager failed to negotiate a new security association. 4 - The remote endpoint for this connection is not configured properly. 5 - VPN Key Manager failed to respond to VPN Connection Manager. 6 - IP Security Component VPN connection load failure. 7 - PPP Component failure.
  1. Check the job logs for additional messages.
  2. Correct the errors and try the request again.
  3. Use iSeries Navigator to view the connection status. Connections that could not start will be in error state.
TCP8602 Error occurred stopping VPN connection [connection name] The specified VPN connection was requested to be stopped, however, it did not stop or stopped in error due to Reason Code: 0 - A previous message in the job log with the same VPN connection name has more detailed information. 1 - The VPN connection does not exist. 2 - Internal communications failure with VPN Key Manager. 3 - Internal communications failure with IPSec component. 4 - Communication failure with VPN connection remote endpoint.
  1. Check the job logs for additional messages.
  2. Correct the errors and try the request again.
  3. Use iSeries Navigator to view the connection status. Connections that could not start will be in error state.
TCP8604 Start of VPN connection [connection name] failed A start of this VPN connection failed due to one of these reason codes: 1 - Could not translate the remote host name to an IP address. 2 - Could not translate the local host name to an IP address. 3 - VPN policy filter rule associated with this VPN connection is not loaded. 4 - A user-specified key value is not valid for its associated algorithm. 5 - The initiation value for the VP connection does not allow the specified action. 6 - A system role for the VPN connection is inconsistent with information from the connection group. 7 - Reserved. 8 - Data endpoints (local and remote addresses and services) of this VPN connection are inconsistent with information from the connection group. 9 - Identifier type not valid.
  1. Check the job logs for additional messages.
  2. Correct the errors and try the request again.
  3. Use iSeries Navigator to check or correct the VPN policy configuration. Ensure that the dynamic-key group associated with this connection has acceptable values configured.
TCP8605 VPN Connection Manager could not communicate with VPN Key Manager The VPN Connection Manager requires the services of the VPN Key Manager to establish security associations for dynamic VPN connections. The VPN Connection Manager could not communicate with the VPN Key Manager.
  1. Check the job logs for additional messages.
  2. Verify the *LOOPBACK interface is active by using the NETSTAT OPTION(*IFC) command.
  3. End the VPN server by using the ENDTCPSVR SERVER(*VPN) command. Then restart the VPN server by using the STRTCPSRV SERVER(*VPN) command.
    Note: This causes all current VPN connections to end.
 
TCP8606 The VPN Key Manager could not establish the requested security association for connection, [ connection name] The VPN Key Manager could not establish the requested security association due to one of these reason codes: 24 - VPN Key Manager key connection authentication failed. 8300 - Failure occurred during VPN Key Manager key connection negotiations. 8306 - No local preshared key found. 8307 - No remote IKE phase 1 policy found. 8308 - No remote preshared key found. 8327 - VPN Key Manager key connection negotiations timed out. 8400 - Failure occurred during VPN Key Manager VPN connection negotiations. 8407 - No remote IKE phase 2 policy found. 8408 - VPN Key Manager VPN connection negotiations timed out. 8500 or 8509 - VPN Key Manager network error has occurred.
  1. Check the job logs for additional messages.
  2. Correct the errors and try the request again.
  3. Use iSeries Navigator to check or correct the VPN policy configuration. Ensure that the dynamic-key group associated with this connection has acceptable values configured.
TCP8608 VPN connection, [connection name], could not obtain a NAT address This dynamic-key group or data connection specified that network address translation (NAT) be done on one or more addresses, and that failed due to one of these likely reason codes: 1 - Address to apply NAT to is not a single IP address. 2 - All available addresses have been used.
  1. Check the job logs for additional messages.
  2. Correct the errors and try the request again.
  3. Use iSeries Navigator to check or correct the VPN policy. Ensure that the dynamic-key group associated with this connection has acceptable values for addresses configured.
TCP8620 Local connection endpoint not available Could not enable this VPN connections because the local connection endpoint was not available.
  1. Check the job logs for additional messages pertaining to this connection.
  2. Make sure the local connection endpoint is defined and started by using the NETSTAT OPTION(*IFC) command.
  3. Correct any errors and try the request again.
TCP8621 Local data endpoint to available Could not enable this VPN connection because the local data endpoint was not available.
  1. Check the job logs for additional messages pertaining to this connection.
  2. Make sure the local connection endpoint is defined and started by using the NETSTAT OPTION(*IFC) command.
  3. Correct any errors and try the request again.
TCP8622 Transport encapsulation not permitted with a gateway Could not enable this VPN connection because the negotiated policy specified transport encapsulation mode and this connection is defined as a security gateway.
  1. Check the job logs for additional messages pertaining to this connection.
  2. Use iSeries Navigator to change the VPN policy associated with this VPN connection.
  3. Correct any errors and try the request again.
TCP8623 VPN connection overlaps with an existing one Could not enable this VPN connection because an existing VPN connection is already enabled. This connection has a local data endpoint of, [local data endpoint value] and a remote data endpoint of, [remote data endpoint value].
  1. Check the job logs for additional messages pertaining to this connection.
  2. Use iSeries Navigator to view all enabled connections that have local data endpoints and remote data endpoints overlapping the connection. Change the policy of the existing connection if both connections are required.
  3. Correct any errors and try the request again.
TCP8624 VPN connection not within scope of associated policy filter rule Could not enable this VPN connection because the data endpoints are not within the defined policy filter rule.
  1. Check the job logs for additional messages pertaining to this connection.
  2. Use iSeries Navigator to display the data endpoint restrictions for this connection or dynamic-key group. If Subset of policy filter or Customize to match policy filter is selected, then check the data endpoints of the connection. These must fit within the active filter rule that has an IPSEC action and a VPN connection name associated with this connection. Change the existing connection's policy or the filter rule to enable this connection.
  3. Correct any errors and try the request again.
TCP8625 VPN connection failed an ESP algorithm check Could not enable this VPN connection because the secret key associated with the connection was insufficient.
  1. Check the job logs for additional messages pertaining to this connection.
  2. Use iSeries Navigator to display the policy associated with this connection and enter a different secret key.
  3. Correct any errors and try the request again.
TCP8626 VPN connection endpoint is not the same as the data endpoint Could not enable this VPN connection because the policy specifies that it is a host, and the VPN connection endpoint is not the same as the data endpoint.
  1. Check the job logs for additional messages pertaining to this connection.
  2. Use iSeries Navigator to display the data endpoint restrictions for this connection or dynamic-key group. If Subset of policy filter or Customize to match policy filter is selected, then check the data endpoints of the connection. These must fit within the active filter rule that has an IPSEC action and a VPN connection name associated with this connection. Change the existing connection's policy or the filter rule to enable this connection.
  3. Correct any errors and try the request again.
TCP8628 Policy filter rule not loaded The policy filter rule for this connection is not active.
  1. Check the job logs for additional messages pertaining to this connection.
  2. Use iSeries Navigator to display the active policy filters. Check the policy filter rule for this connection.
  3. Correct any errors and try the request again.
TCP8629 IP packet dropped for VPN connection This VPN connection has VPN NAT configured and the required set of NAT addresses has exceeded the available NAT addresses.
  1. Check the job logs for additional messages pertaining to this connection.
  2. Use iSeries Navigator to increase the number of NAT addresses assigned for this VPN connection.
  3. Correct any errors and try the request again.
TCP862A PPP connection failed to start This VPN connection was associated with a PPP profile. When it was started, an attempt was made to start the PPP profile, but a failure occurred.
  1. Check the job logs for additional messages pertaining to this connection.
  2. Check the job log associated with the PPP connection.
  3. Correct any errors and try the request again.
Parent topic: Troubleshoot VPN with the VPN job logs
Related tasks
View the attributes of active connections