TMS zl Management and Configuration Guide ST.1.1.100226
10-74
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
TMS zl Module receives traffic from the remote endpoints. If the remote endpoints are in multiple zones, you must create access policies to and from each zone.

If you are missing any of these access policies, add them now.

You might also try configuring access policies that permit this traffic to and from each zone and the Self zone (in case you have mistaken the remote clients’ zone).

Note: When you create new access policies, enable logging on them for the purposes of troubleshooting.

Your access policies might already permit the proper traffic but specify particular IP addresses for remote endpoints. If so, try creating temporary access policies that permit IKE, NAT-T, and L2TP traffic to and from any IP address. If the IKE SA is established, your original access policies were misconfigured. Check these policies for miskeyed IP addresses or misconfigured address objects. Also verify that the original access policies were to and from the correct zone.

After you resolve the misconfiguration, delete any temporary firewall policies. Clear the IKE SA and verify that the reconfigured policies continue to work. If so, re-evaluate the VPN connection and take the appropriate next steps (if any).
2. Check routes in the Network > Routing > Static Routes window and verify that the correct ones are in place.

To complete IKE, the TMS zl Module must have the correct routes to the remote endpoints. Often, when endpoints are reached through the Internet, this route is the module’s default route, but this is not always the case.
3. Check the IPsec policy, and verify that it uses the IKE policy that you configured for the client-to-site connection. Also verify that the traffic selector is configured as follows:
• Protocol = UDP
• Local Address = the TMS zl Module’s reachable IP address (the same one that is specified for the local gateway address in the IKE policy)
• Local Port = 1701
• Remote Address = Any
• Remote Port = 1701
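As an added example (not from this guide or from HP's own tooling), the Python below turns the checks in steps 1 and 3 into two functions: the first reports which IKE, NAT-T or L2TP directions between the remote clients' zone and the Self zone have no permit policy, the second compares an IPsec traffic selector with the values listed in step 3, including the match between the selector's local address and the IKE policy's local gateway. The policy dict layout, zone names and addresses are constructed assumptions, not the module's export format.

```python
IKE_PORT, NAT_T_PORT, L2TP_PORT = 500, 4500, 1701          # UDP ports
REQUIRED = {"IKE": IKE_PORT, "NAT-T": NAT_T_PORT, "L2TP": L2TP_PORT}

def missing_access_policies(policies, client_zone, self_zone="Self"):
    """Return (direction, service) pairs that no permit policy covers.
    Policy dicts (constructed layout): {"from": zone, "to": zone, "proto":
    "UDP", "port": int or None for any, "action": "permit"|"deny"}.
    Address restrictions are ignored here; step 1 covers them separately."""
    def allows(p, src, dst, port):
        return (p["action"] == "permit" and p["from"] == src
                and p["to"] == dst and p["proto"].upper() == "UDP"
                and p["port"] in (None, port))
    gaps = []
    for service, port in REQUIRED.items():
        for src, dst in ((client_zone, self_zone), (self_zone, client_zone)):
            if not any(allows(p, src, dst, port) for p in policies):
                gaps.append((f"{src}->{dst}", service))
    return gaps

def check_l2tp_selector(ipsec_policy, ike_policy):
    """Compare the IPsec traffic selector with the values in step 3; return
    'field: got != wanted' strings (empty list means it matches). Values are
    compared case-insensitively so 'any'/'Any' and 'udp'/'UDP' agree."""
    ts = ipsec_policy["traffic_selector"]
    expected = {"protocol": "UDP", "local_port": L2TP_PORT,
                "local_address": ike_policy["local_gateway"],
                "remote_address": "Any", "remote_port": L2TP_PORT}
    problems = []
    if ipsec_policy["ike_policy"] != ike_policy["name"]:
        problems.append(f"ike_policy: {ipsec_policy['ike_policy']!r} "
                        f"!= {ike_policy['name']!r}")
    for field, want in expected.items():
        got = ts.get(field)
        if str(got).lower() != str(want).lower():
            problems.append(f"{field}: {got!r} != {want!r}")
    return problems
# Constructed sample data (RFC 5737 documentation address, not a real site).
SAMPLE_POLICIES = [
    {"from": "External", "to": "Self", "proto": "UDP", "port": 500, "action": "permit"},
    {"from": "External", "to": "Self", "proto": "UDP", "port": 4500, "action": "permit"},
    {"from": "Self", "to": "External", "proto": "UDP", "port": None, "action": "permit"},
]
SAMPLE_IKE = {"name": "client-ike", "local_gateway": "203.0.113.10"}
SAMPLE_IPSEC = {"ike_policy": "client-ike", "traffic_selector": {
    "protocol": "UDP", "local_address": "203.0.113.10", "local_port": 1701,
    "remote_address": "Any", "remote_port": 500}}   # miskeyed remote port
if __name__ == "__main__":
    print(missing_access_policies(SAMPLE_POLICIES, "External"))
    print(check_l2tp_selector(SAMPLE_IPSEC, SAMPLE_IKE))
```

With the sample data, the first function flags that inbound L2TP from the External zone to Self has no permit policy, and the second flags the remote port that was keyed as 500 instead of 1701.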