EZD0917I is displayed to show why the attempt to activate the Phase 1 security association failed. In this case, it failed because the Internet Key Exchange (IKE) daemon could not find an applicable KeyExchangeRule statement for the specified classification. The classification consists of a 4-tuple that is comprised of:

• LocalSecurityEndpoint Location (LSIP)
  

• LocalSecurityEndpoint Identity (LSID)

• RemoteSecurityEndpoint Location (RSIP)

• RemoteSecurityEndpoint Identity (RSID)

In order for IKE to establish a phase 1 SA, it must first locate an applicable phase 1 policy. **KeyExchangeRule**s encapsulate phase 1 policy for IKE.

When IKE needs to locate a KeyExchangeRule statement, it performs a search of the configured KeyExchangeRule statements, supplying specific values or Any for each parameter of the classification 4-tuple.

Use the pasearch -v k -r command to review the configured KeyExchangeRule statements:

• If there is no KeyExchangeRule statement that corresponds to the classification 4-tuple that is given on the EZD0917I message, configure a new KeyExchangeRule statement as needed.

• If the remote system is behind a NAT, ensure that the RemoteSecurityEndpoint location in the KeyExchangeRule is the public address of the remote system.