3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide
IKE Fault Diagnosis and Troubleshooting
When configuring the parameters used to establish an IPsec security channel, you can
enable IKE error debugging to help locate configuration problems. The command is as
follows:
<SW8800> debugging ike error
Symptom 1: Invalid user ID information
Troubleshooting: The user ID is the data that the party initiating the IPsec
communication uses to identify itself. In practice, user IDs can be used to set up
separate security channels that protect different types of data traffic. In the 3Com
implementation, a user is currently identified by its IP address.
Following is the debugging information you may view on the screen:
got NOTIFY of type INVALID_ID_INFORMATION
or
drop message from A.B.C.D due to notification type INVALID_ID_INFORMATION
Check whether the ACLs of the IPsec policies configured on the interfaces at both
ends of the negotiation are compatible. It is recommended to configure the two ACLs
as mirror images of each other, that is, each permit rule on one end has a counterpart
on the other end with source and destination swapped. For more information about
mirrored ACLs, refer to the section Configure ACL in IPsec Configuration.
Symptom 2: Proposal mismatch
Troubleshooting:
Following is the debugging information you may view on the screen:
got NOTIFY of type NO_PROPOSAL_CHOSEN
or
drop message from A.B.C.D due to notification type NO_PROPOSAL_CHOSEN
The two negotiating parties have no matching proposal. For the phase 1 negotiation,
check the IKE proposals at both ends for a match. For the phase 2 negotiation, check
whether the parameters of the IPsec policies applied on the interfaces match, and
whether the referenced IPsec proposals agree on security protocol, encryption
algorithm and authentication algorithm.
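As an added illustration that is not part of the 3Com guide, the following Python reads debug lines of the two shapes quoted above under Symptoms 1 and 2, extracts the notify type and peer address, and then performs offline the two checks those symptoms call for: whether the IPsec ACLs at the two ends mirror each other, and whether the two ends share an IPsec proposal. The debug lines, addresses, ACL rules and proposal entries are constructed for the example; the proposal field names are assumptions and not the switch's own configuration format.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of "debugging ike error" output. The two line shapes
# are the ones quoted in this section; the peer address is made up.
SAMPLE_DEBUG = """\
got NOTIFY of type INVALID_ID_INFORMATION
drop message from 10.1.1.2 due to notification type NO_PROPOSAL_CHOSEN
IKE SA negotiation continuing (unrelated debug line)
"""

# Matches both message shapes; the peer group is only filled by the second one.
NOTIFY_RE = re.compile(
    r"(?:got NOTIFY of type|drop message from (?P<peer>\S+) due to notification type)"
    r"\s+(?P<notify>[A-Z_]+)"
)

# What this section tells you to check for each notify type.
CHECK_FOR_NOTIFY = {
    "INVALID_ID_INFORMATION": "Symptom 1: compare the IPsec policy ACLs at both ends (they should mirror)",
    "NO_PROPOSAL_CHOSEN": "Symptom 2: compare IKE proposals (phase 1) and IPsec proposals/policies (phase 2)",
}


def parse_notifies(text: str) -> List[Tuple[Optional[str], str]]:
    """Return (peer address or None, notify type) for every recognised error line."""
    found = []
    for line in text.splitlines():
        m = NOTIFY_RE.search(line)
        if m:
            found.append((m.group("peer"), m.group("notify")))
    return found


def diagnose(text: str) -> List[str]:
    """Turn debug output into one troubleshooting hint per notify message."""
    hints = []
    for peer, notify in parse_notifies(text):
        where = f"from {peer}" if peer else "from peer"
        hint = CHECK_FOR_NOTIFY.get(notify, "unlisted notify type; compare both configurations")
        hints.append(f"{notify} {where}: {hint}")
    return hints


Rule = Tuple[str, str]  # (source network, destination network) of one permit rule


def acl_mirror_problems(local: List[Rule], remote: List[Rule]) -> List[str]:
    """List every permit rule whose mirror image (source and destination swapped)
    is missing on the other end. An empty list means the ACLs mirror each other."""
    nets = lambda s, d: (ipaddress.ip_network(s), ipaddress.ip_network(d))
    local_set = {nets(s, d) for s, d in local}
    remote_set = {nets(s, d) for s, d in remote}
    problems = []
    for s, d in sorted(local_set):
        if (d, s) not in remote_set:
            problems.append(f"local {s} -> {d} has no remote mirror {d} -> {s}")
    for s, d in sorted(remote_set):
        if (d, s) not in local_set:
            problems.append(f"remote {s} -> {d} has no local mirror {d} -> {s}")
    return problems


Proposal = Dict[str, str]  # assumed keys: protocol, encryption, authentication


def matching_proposal(local: List[Proposal], remote: List[Proposal]) -> Optional[Proposal]:
    """Return the first local IPsec proposal the remote end also offers (same
    security protocol, encryption and authentication algorithm), or None."""
    key = lambda p: (p["protocol"], p["encryption"], p["authentication"])
    remote_keys = {key(p) for p in remote}
    for p in local:
        if key(p) in remote_keys:
            return p
    return None


# Constructed configurations for the two ends (illustrative values only).
LOCAL_ACL = [("10.1.1.0/24", "10.2.2.0/24")]
REMOTE_ACL_MIRRORED = [("10.2.2.0/24", "10.1.1.0/24")]
REMOTE_ACL_WRONG = [("10.2.2.0/24", "10.1.0.0/16")]  # wider than the mirror of LOCAL_ACL

LOCAL_PROPOSALS = [
    {"protocol": "esp", "encryption": "3des", "authentication": "sha1-hmac-96"},
    {"protocol": "esp", "encryption": "des", "authentication": "md5-hmac-96"},
]
REMOTE_PROPOSALS = [
    {"protocol": "esp", "encryption": "des", "authentication": "md5-hmac-96"},
]

if __name__ == "__main__":
    for hint in diagnose(SAMPLE_DEBUG):
        print(hint)
    print(acl_mirror_problems(LOCAL_ACL, REMOTE_ACL_MIRRORED))  # []
    print(acl_mirror_problems(LOCAL_ACL, REMOTE_ACL_WRONG))
    print(matching_proposal(LOCAL_PROPOSALS, REMOTE_PROPOSALS))
```

The ACL check deliberately compares the rule sets in both directions, so a rule that is present on only one end is reported whichever side it sits on; a remote rule that is merely wider than the mirror of the local rule (as in REMOTE_ACL_WRONG) is reported as a mismatch rather than silently accepted.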
Symptom 3: Unable to establish security channel
Troubleshooting: Check whether the network is stable and whether the security channel
was established correctly. Sometimes a security channel exists but the two ends cannot
communicate through it, even though the ACLs on both ends are found to be correctly
configured and the policies match.
In this case the problem is usually caused by one security gateway having restarted
after the security channel was established. Solution: