TMS zl Management and Configuration Guide ST.1.1.100226
10-71
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
This window displays IKE SAs and IPsec VPN tunnels. The IKE SA is a
temporary tunnel that must be established before the IPsec tunnel can be
established. The IPsec tunnel is the connection over which users send
encrypted traffic.
Depending on what you see in the VPN > IPsec > VPN connections window, you
can plan which part of the VPN connection you need to troubleshoot.
■ No IKE SA or IPsec tunnel
If you do not see either an IKE SA or an IPsec tunnel for the connection,
IKE is not initiating or is failing to complete. If this is the case, begin by
troubleshooting IKE. (See “Troubleshoot IKE for an L2TP over IPsec VPN”
on page 10-71.)
■ IKE SA but no IPsec tunnel
If you see an IKE SA, click the Check status link. If the status indicates
“SA_Mature,” the IKE SA is fully established. However, the IPsec tunnel
has not come up; the connection has failed partway through the process.
In this case, begin by troubleshooting IPsec settings. (See “Troubleshoot
IPsec Settings for a Client-to-Site IPsec VPN” on page 10-66.)
If the IKE SA status is different from “SA_Mature,” IKE phase 1 has not
completed. (See “Troubleshoot IKE for a Client-to-Site IPsec Connection”
on page 10-59.)
■ IPsec tunnel
If you see an IPsec tunnel between the module and the remote client,
check your test client:
• If the VPN connection is not connected, troubleshoot the L2TP dial-in
settings. (See “Troubleshoot L2TP Local User Settings” on page
10-79.)
• If the VPN connection is up, troubleshoot firewall access policies and
verify that they permit the proper traffic. (See “Troubleshoot Access
Policies for a Client-to-Site L2TP over IPsec VPN” on page 10-81.)
Troubleshoot IKE for an L2TP over IPsec VPN. If the IKE SA fails to
establish, try the troubleshooting tips in this section.
It is best practice to try one tip at a time, attempting to establish the VPN
connection on the test client after each change. After each attempt, re-evaluate
the connection: