TMS zl Management and Configuration Guide ST.1.0.090213
D-94
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
• The security settings (encryption algorithm, authentication algorithm,
Diffie-Hellman group, and SA lifetime) do not match exactly.
If you are troubleshooting a VPN between TMS zl Modules, set the
security parameters to their default settings. If this change allows the
connection to come up, you can try changing the settings on both sides
of the connection to the settings that you want to use.
If you make any corrections to the IKE policy, try to send VPN traffic from
the test device. Then re-evaluate. If you must continue troubleshooting,
leave any changes to the IKE policy that you are confident are corrections.
However, if you experimented with a change, and the experiment did not
solve the problem, you should revert to your original settings.
8. In the previous step, you checked the general IKE policy. However, you
might need to do additional troubleshooting when the policy specifies
XAUTH.
a. If you have access to the remote gateway, disable XAUTH on both the
TMS zl Module and the remote gateway:
i. Edit the IKE policy on the TMS zl Module and disable XAUTH (the
setting is in the Edit IKE Policy—Step 3 of 3 window).
ii. Disable XAUTH on the remote gateway.
iii. Attempt to send VPN traffic from the test device.
If the connection still does not come up, move to step 9 on page D-95.
Note: Leave XAUTH disabled in case both XAUTH and another setting are
causing the problem. You will re-enable XAUTH when you have
finished troubleshooting the connection.
b. If the IKE SA now comes up, you know that XAUTH is causing
problems and you must troubleshoot it. Also troubleshoot XAUTH if
you could not disable it in the previous step.
If the TMS zl Module was acting as an XAUTH server, look for these
problems:
– A misconfigured IP address for the module’s external RADIUS
server
– A mismatch between the password on the remote gateway and
the external RADIUS server or local user account
– A mismatch between the authentication protocol on the two
gateways
– An external RADIUS server that does not support the correct
authentication protocol