TMS zl Management and Configuration Guide ST.1.1.100226

10-65
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
b. If the IKE SA comes up, you know that certificates were causing the
problem. Look for these common errors:
   - Certificates are not properly loaded on the TMS zl Module. The
     module requires a certificate authority (CA) certificate and an
     IPsec certificate.
     - If you cannot load the module’s IPsec certificate, verify that you
       have already loaded the CA certificate for the CA that issued the
       module’s certificate.
     - If you are using SCEP to retrieve certificates and a retrieved
       certificate does not display in the Web browser interface, verify
       that the module has the correct time. The module takes its time
       from its host switch.
   - The remote endpoint does not have a certificate, or the certificate
     is not signed by the module’s CA.
   - One or both of the certificates have expired.
   - The module or remote endpoint does not have the correct time,
     so it cannot validate the peer’s certificate. (The module takes its
     time from its host switch.)
   - The IKE local ID on the module (type and value) does not match
     the subject name in its IPsec certificate.
   - The IKE remote ID on the module (type and value) does not match
     the subject name in the remote endpoint’s certificate.
   - Similarly, the remote endpoint’s local or remote IKE ID could be
     misconfigured.
c. After you have found and corrected the error, change the IKE policy
Authentication mode setting back to its original setting.
d. Clear the IPsec tunnel and IKE SA and try to establish the VPN.
Determine if the connection was established.
10. At this point, at least the IKE SA should be up. If you were using XAUTH
and have disabled it, re-enable this setting now. Clear the IKE SA and IPsec
tunnel and verify that the IKE SA can still come up. If it does not, you must
troubleshoot XAUTH (see step 8-c on page 10-64).
11. Verify that the IPsec tunnel is established after the IKE SA comes up and
that the proper traffic can be transmitted. If either test fails, you must
continue troubleshooting as described in the following sections.
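
The certificate errors listed in step 9-b (wrong CA, expiry, wrong clock, IKE ID that does not match the subject name) can be checked on a workstation with OpenSSL. This is an added example, not part of the guide: it assumes the CA and IPsec certificates are available as PEM files and that the IKE ID type is a distinguished name, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the guide). Assumes the CA certificate and the
# IPsec certificate under test have been exported as PEM files.

# Print the certificate's subject DN in RFC 2253 form, e.g. "CN=tms-module".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# check_ipsec_cert CA_PEM CERT_PEM EXPECTED_DN [EPOCH]
#   EXPECTED_DN  IKE ID value configured for the certificate's owner
#                (assumption: the ID type is a distinguished name)
#   EPOCH        clock of the validating device, in seconds since 1970
#                (defaults to this workstation's clock)
# Prints one line per problem found and returns the number of problems.
check_ipsec_cert() {
    ca=$1; cert=$2; want=$3; at=${4:-$(date +%s)}
    problems=0

    # Chain and validity period, evaluated at the validating device's time.
    if ! msg=$(openssl verify -attime "$at" -CAfile "$ca" "$cert" 2>&1); then
        problems=$((problems + 1))
        case $msg in
            *"not yet valid"*) echo "TIME: not yet valid at $at; check the device clock" ;;
            *"has expired"*)   echo "EXPIRED: a certificate in the chain is expired at $at" ;;
            *)                 echo "CHAIN: certificate does not verify against $ca" ;;
        esac
    fi

    # Strict string comparison of the configured IKE ID and the subject name.
    got=$(cert_subject "$cert")
    if [ "$got" != "$want" ]; then
        problems=$((problems + 1))
        echo "ID: subject is '$got' but the IKE ID is '$want'"
    fi
    return "$problems"
}
```

Passing the time shown by the host switch as EPOCH reproduces what the module sees when its clock is wrong, even if the workstation's clock is correct.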