TMS zl Management and Configuration Guide ST.1.0.090213
D-96
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
c. After you have found and corrected the error, change the IKE policy
Authentication mode setting back to its original setting.
d. Clear the IPsec tunnel and IKE SA and try to establish the VPN.
e. Check the status of the VPN connection and determine your next step.
10. At this point, at least the IKE SA should be up. If you were using XAUTH
and have disabled it, re-enable this setting now. Clear the IKE SA and IPsec
tunnel and verify that the IKE SA comes up. If it does not, you must
troubleshoot XAUTH (see step 8-b on page D-94).
11. Verify that the IPsec tunnel is established after the IKE SA comes up and
that the proper traffic can cross it. If necessary, continue troubleshooting.
Troubleshoot IPsec Settings for a Site-to-Site VPN. To troubleshoot
IPsec settings for a site-to-site VPN, try these tips.
It is best practice to clear the IKE SA and attempt to re-establish the VPN
connection after making each change. Then re-evaluate the connection:
■ If the traffic can reach its destination, you can stop troubleshooting.
■ If the traffic cannot reach its destination but the IPsec tunnel comes up,
continue with “Access Policies for Site-to-Site VPNs” on page D-98.
■ If the IPsec tunnel does not come up, continue with the next tip.
1. Sometimes the IPsec traffic selector is correct enough to allow IKE to
initiate, but it does not match the remote gateway’s selector.
The protocol, local addresses and local ports (if configured) must match
exactly the protocol, remote addresses, and remote ports (if configured)
on the remote gateway.
For example, suppose that the local TMS zl Module has this traffic
selector:
• Protocol: TCP
• Local addresses: 10.1.4.0/21
• Local port: 21
• Remote addresses: Any
• Remote port: Any
The remote gateway has this traffic selector:
• Protocol: TCP
• Local addresses: 10.1.8.0/21
• Local port: Any
• Remote addresses: Any
• Remote port: Any
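The mirror rule above can be checked mechanically. The following is an added example, not part of the original guide and not the TMS zl Module's own logic: it compares the two selectors listed above field by field, applying the rule from both gateways' perspectives. The `Selector` class, the `mirror_mismatches` function, and the field names are hypothetical, and values are compared as entered (case-insensitively).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """One gateway's IPsec traffic selector, as entered in its configuration."""
    protocol: str
    local_addr: str
    local_port: str
    remote_addr: str
    remote_port: str


# (field on this gateway, field it must equal on the peer gateway).
# The last two pairs are the same rule seen from the peer's side.
MIRROR = [
    ("protocol", "protocol"),
    ("local_addr", "remote_addr"),
    ("local_port", "remote_port"),
    ("remote_addr", "local_addr"),
    ("remote_port", "local_port"),
]


def _norm(value):
    # Compare as entered, ignoring case and surrounding whitespace only.
    return str(value).strip().lower()


def mirror_mismatches(mine, peer):
    """Return (my_field, my_value, peer_field, peer_value) for each pair that differs."""
    found = []
    for my_field, peer_field in MIRROR:
        my_value = getattr(mine, my_field)
        peer_value = getattr(peer, peer_field)
        if _norm(my_value) != _norm(peer_value):
            found.append((my_field, my_value, peer_field, peer_value))
    return found


# Values taken from the two selectors listed in the guide's example.
TMS_ZL = Selector("TCP", "10.1.4.0/21", "21", "Any", "Any")
REMOTE_GW = Selector("TCP", "10.1.8.0/21", "Any", "Any", "Any")

if __name__ == "__main__":
    for my_field, my_value, peer_field, peer_value in mirror_mismatches(TMS_ZL, REMOTE_GW):
        print(f"local {my_field}={my_value!r} != peer {peer_field}={peer_value!r}")
```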