TMS zl Management and Configuration Guide ST.1.0.090213

D-61
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
IKE SA but no IPsec tunnel

If you see an IKE SA, click the Check status link.

- If the status indicates “SA_Mature,” the IKE SA is fully established.
  However, the IPsec tunnel has not come up; the connection has failed
  partway through the process. In this case, begin by troubleshooting IPsec
  settings. (See “Troubleshoot IPsec Settings for a Client-to-Site IPsec VPN”
  on page D-68.)
- If the IKE SA status is different from “SA_Mature,” IKE phase 1 has not
  completed. (See “Troubleshoot IKE for a Client-to-Site IPsec Connection”
  on page D-61.)

IPsec Tunnel

If you see an IPsec tunnel between the module and the remote client, the
connection is up and should carry traffic. Because you are not able to send
traffic over the VPN, you should troubleshoot firewall access policies and
verify that they permit the proper traffic. (See “Troubleshoot Access
Policies for a Client-to-Site IPsec VPN” on page D-70.)

Troubleshoot IKE for a Client-to-Site IPsec Connection

If the IKE SA fails to establish, try the troubleshooting tips listed in this
section. It is best practice to try one tip at a time, attempting to establish
the VPN after each one. Then, re-evaluate the connection:
- If you can successfully send traffic over the connection, you can stop
  troubleshooting.
- If the IPsec tunnel comes up but traffic cannot reach its destination, move
  to “Troubleshoot Access Policies for a Client-to-Site IPsec VPN” on page
  D-70.
- If the IKE SA comes up but the IPsec tunnel fails, move to “Troubleshoot
  IPsec Settings for a Client-to-Site IPsec VPN” on page D-68.
- If the IKE SA fails, continue with the next tip.
If you use the CLI capture command to view IKE messages while you attempt
to initiate a connection from the test client, you can pinpoint the problem more
precisely using Table D-7.