TMS zl Management and Configuration Guide ST.1.0.090213
D-97
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
The connection will fail for several reasons:
• The local addresses on the local module do not match the remote addresses on the remote module, and vice versa. The modules do not consider the addresses to match even though the Any setting includes the necessary addresses within it.
• The Local port setting on the local module does not match the Remote port setting on the remote gateway. The local module permits only FTP traffic from the remote endpoints, but the remote gateway permits the remote endpoints to send any type of traffic.
Note: The correct traffic selector in the IPsec policy for a GRE over IPsec tunnel is:
• Protocol = (47) GRE under IP Protocols
• Local Address = IP address that you configured as the local IP address for the tunnel (not the tunnel interface IP address)
• Remote Address = actual IP address of the remote tunnel endpoint (not the tunnel interface IP address)
Look for similar misconfigurations in your traffic selector. (Remember to check any address objects used in the traffic selector.) If necessary, make changes.
Caution: As you make any changes to the traffic selector, verify that the selector does not match management traffic (traffic from your management station to the TMS zl Module). If it does, you will lock yourself out of the module.
In addition, the local address must not include the local gateway address.
If necessary, create bypass IPsec policies to exclude module IP addresses
from the VPN. See “Configure Bypass and Ignore IPsec Policies” on page
7-84 and Chapter 7: “Virtual Private Networks.”
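The selector checks described above can be run offline against both ends' settings before you change anything. The following is an added example, not code from this guide or from the module: the `Selector` fields, both function names, and all addresses are hypothetical or constructed. It assumes addresses are compared as normalized CIDR networks and flags lockout risk on address overlap alone, ignoring protocol and port.

```python
import ipaddress
from collections import namedtuple

# Hypothetical record of one IPsec policy traffic selector (not a module data format).
Selector = namedtuple("Selector", "protocol local_addr local_port remote_addr remote_port")

def _norm(addr):
    # "Any" stays a literal token: per the guide it does not match a narrower value.
    return addr if addr == "Any" else ipaddress.ip_network(addr, strict=False)

def _covers(addr, ip):
    # True if a selector address ("Any", host, or CIDR) includes the given IP.
    return addr == "Any" or ipaddress.ip_address(ip) in ipaddress.ip_network(addr, strict=False)

def mirror_mismatches(ours, peer):
    """Return the fields where the peer's selector is not the exact mirror of ours."""
    checks = [
        ("protocol", ours.protocol, peer.protocol),
        ("local address / peer remote address", _norm(ours.local_addr), _norm(peer.remote_addr)),
        ("remote address / peer local address", _norm(ours.remote_addr), _norm(peer.local_addr)),
        ("local port / peer remote port", ours.local_port, peer.remote_port),
        ("remote port / peer local port", ours.remote_port, peer.local_port),
    ]
    return [name for name, a, b in checks if a != b]

def lockout_risks(sel, mgmt_station, module_ip, local_gateway):
    """Flag the two conditions from the Caution (address overlap only, conservative)."""
    risks = []
    if _covers(sel.local_addr, module_ip) and _covers(sel.remote_addr, mgmt_station):
        risks.append("selector matches management traffic to the module")
    if _covers(sel.local_addr, local_gateway):
        risks.append("local address includes the local gateway address")
    return risks

# Constructed sample values, not taken from the guide. The peer uses Any where
# the local module is specific, reproducing both failure reasons listed above.
OURS = Selector("TCP", "10.1.1.0/24", "FTP", "10.2.2.0/24", "Any")
PEER = Selector("TCP", "10.2.2.0/24", "Any", "Any", "Any")

if __name__ == "__main__":
    for field in mirror_mismatches(OURS, PEER):
        print("mismatch:", field)
    for risk in lockout_risks(OURS, "10.2.2.50", "10.1.1.1", "192.0.2.1"):
        print("risk:", risk)
```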
2. Check the IPsec security settings.
To establish the IPsec tunnel, the TMS zl Module and the remote gateway
must agree on a number of settings. Table D-17 displays those settings and
how they should match up between the module and the remote device.