TMS zl Management and Configuration Guide ST.1.1.100226
10-72
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
■ If you can successfully send traffic over the connection, you can stop
troubleshooting.
■ If the VPN connection on the client comes up but traffic cannot reach its
destination, continue with “Troubleshoot Access Policies for a
Client-to-Site L2TP over IPsec VPN” on page 10-81.
■ If the IPsec tunnel comes up on the TMS zl Module but the VPN connection
on the test client does not, continue with “Troubleshoot L2TP Local User
Settings” on page 10-79.
■ If the IKE SA comes up but the IPsec tunnel does not, continue with
“Troubleshoot IPsec Settings for a Client-to-Site L2TP over IPsec VPN” on
page 10-78.
■ If the IKE SA does not come up, continue to the next tip.
If you enter the capture command and view the IKE messages, you can use
Table 10-11 to identify the problem.
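The capture patterns in Table 10-11 can be checked mechanically. The following Python sketch is an added example, not code from this guide or from the TMS zl Module; it assumes capture lines in the simplified form the table prints, and the names parse_capture and diagnose are hypothetical.

```python
import re

# One decoded ISAKMP line in the form Table 10-11 prints, for example:
#   IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident[E]
ISAKMP_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): isakmp: "
    r"phase (?P<phase>\S+) (?P<role>[IR]) (?P<exch>[\w-]+)(?P<enc>\[E\])?"
)

def parse_capture(text):
    """Return one dict per ISAKMP line; lines that do not match are ignored."""
    msgs = []
    for line in text.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            msgs.append({**m.groupdict(), "enc": m["enc"] is not None})
    return msgs

def diagnose(text):
    """Map a capture to (problem, where to begin) following Table 10-11."""
    msgs = parse_capture(text)
    if not msgs:  # table row "No messages"
        return ("Module is not receiving or accepting the client's IKE messages",
                "Step 1 on page 10-72")
    seen_encrypted_ident = False
    for m in msgs:
        if m["phase"] == "1" and m["exch"] == "ident" and m["enc"]:
            seen_encrypted_ident = True
        elif m["phase"] == "1" and m["exch"] == "inf" and not m["enc"]:
            # An unencrypted phase 1 "inf" answers the first "ident" (second row).
            return ("IKE security settings do not match", "Step 7 on page 10-75")
        elif m["exch"] == "inf" and m["enc"] and seen_encrypted_ident:
            # An encrypted "inf" follows the encrypted "ident" pair (third row).
            return ("IKE authentication fails", "Step 7 on page 10-75")
    return ("No Table 10-11 pattern matched", None)

# Constructed sample inputs that reproduce the example rows of Table 10-11.
INIT = "IP tms1.isakmp > tms2.isakmp: isakmp: phase "
RESP = "IP tms2.isakmp > tms1.isakmp: isakmp: phase "
MISMATCH = f"{INIT}1 I ident\n{RESP}1 R inf\n"
AUTH_FAIL = (f"{INIT}1 I ident\n{RESP}1 R ident\n" * 2
             + f"{INIT}1 I ident[E]\n{RESP}1 R ident[E]\n{INIT}2/others I inf[E]\n")

if __name__ == "__main__":
    for name, sample in (("empty", ""), ("mismatch", MISMATCH), ("auth", AUTH_FAIL)):
        print(name, "->", diagnose(sample))
```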
Table 10-11. IKE capture Messages

Example capture Messages:
    No messages
Problem: The module is not receiving or accepting the remote client’s IKE messages.
Begin Troubleshooting At: Step 1 on page 10-72

Example capture Messages:
    IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident
    IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R inf
Problem: The module and the remote client’s IKE security settings do not match.
Begin Troubleshooting At: Step 7 on page 10-75

Example capture Messages:
    IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident
    IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R ident
    IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident
    IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R ident
    IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident[E]
    IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R ident[E]
    IP tms1.isakmp > tms2.isakmp: isakmp: phase 2/others I inf[E]
Problem: IKE authentication fails:
• The local or remote ID is incorrect.
• The preshared key is miskeyed.
• Certificates are misconfigured (see step 8 on page 10-77).
Begin Troubleshooting At: Step 7 on page 10-75

If you do not want to activate the capture command, try these tips in order:
1. Verify that the firewall access policies allow IKE and L2TP.
Ensure that the access policies permit the following traffic between the
TMS zl Module and the remote clients: