Question & Answer
Question
We are getting this error message when attempting to activate a Security Association:
EZD1909I IP validation failed: the remote identity peer_id does not match remote IP address peer_ip_addr
How do we resolve this issue?
Answer
This message indicates that the local policy requires the IP type identity of the Internet Key Exchange (IKE) peer to be validated against the IP address of the IKE peer, and that the validation failed because the remote identity received from the IKE peer does not match that IP address.
Additional diagnostic messages with the same message instance number will be issued to identify the impacted Security Association (SA).
Locate the KeyExchangeRule statement in the IP Security (IPSec) policy definitions associated with the impacted SA. Then either set the BypassIPValidation parameter to yes in the associated KeyExchangeAction statement to avoid the IP validation check, or change the associated RemoteSecurityEndpoint Identity parameter to include the remote peer IP address.
The IP validation check can also be overridden globally by using the BypassIPValidation parameter on the KeyExchangePolicy statement in the IPSec policy. The BypassIPValidation parameter should be set to yes if the RemoteSecurityEndpoint peer is behind a network address translation (NAT) device.
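The following Python model of the comparison behind EZD1909I is an added illustration, not IBM code and not part of the original document. It shows why a peer behind NAT fails the check and what a bypass setting changes. The function names, the bypass argument, the sample addresses, and the restriction of the check to single-address IPv4 and IPv6 identity types are assumptions.

```python
import ipaddress

# ID type values from the IKE identification payload (RFC 2407, RFC 7296).
ID_IPV4_ADDR, ID_FQDN, ID_IPV6_ADDR = 1, 2, 5
ADDR_LEN = {ID_IPV4_ADDR: 4, ID_IPV6_ADDR: 16}


def id_body(id_type, data):
    """Constructed ID payload body: type byte, 3 more header bytes, data."""
    return bytes([id_type, 0, 0, 0]) + data


def parse_identity(body):
    """Return the peer's IP identity, or None for a non-IP identity type."""
    if len(body) < 4:
        raise ValueError("ID payload body shorter than its 4-byte header")
    id_type, data = body[0], body[4:]
    if id_type not in ADDR_LEN:
        return None
    if len(data) != ADDR_LEN[id_type]:
        raise ValueError("address length does not match ID type")
    return ipaddress.ip_address(data)


def validate_peer(body, peer_ip, bypass=False):
    """Hypothetical model of the check behind EZD1909I: (ok, message)."""
    identity = parse_identity(body)
    if identity is None:
        return True, "identity is not an IP type; check not applicable"
    if bypass:  # models BypassIPValidation yes
        return True, "IP validation bypassed by policy"
    observed = ipaddress.ip_address(peer_ip)
    if identity == observed:
        return True, "remote identity matches remote IP address"
    return False, (f"IP validation failed: the remote identity {identity} "
                   f"does not match remote IP address {observed}")


# Constructed samples: a peer behind NAT identifies by its private address,
# but its packets arrive from the NAT device's public address.
NAT_PEER = id_body(ID_IPV4_ADDR, ipaddress.ip_address("10.1.1.5").packed)
FQDN_PEER = id_body(ID_FQDN, b"gw.example.com")

if __name__ == "__main__":
    for body, src, bypass in [(NAT_PEER, "203.0.113.7", False),
                              (NAT_PEER, "203.0.113.7", True),
                              (NAT_PEER, "10.1.1.5", False),
                              (FQDN_PEER, "203.0.113.7", False)]:
        print(validate_peer(body, src, bypass))
```

In this model, a bypass on one action leaves the comparison in force for every other peer, whereas a global bypass removes it for all of them.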
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
08 May 2018
UID
dwa1334644