TMS zl Management and Configuration Guide ST.1.1.100226
10-77
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
8. If the IKE policy specifies DSA Signature or RSA Signature for the Authentication mode, you should troubleshoot certificates:
a. If possible, configure both ends of the VPN connection to use pre-shared keys instead of certificates and configure the same key on both devices.
If the IKE SA still does not come up, change the authentication mode
back to its original setting. The problem may be on the other side of
the connection.
b. If the IKE SA comes up, you know that certificates were causing the
problem. Look for these common errors:
– Certificates are not properly loaded on the TMS zl Module. The
module requires a CA certificate and an IPsec certificate.
If you cannot load the module’s IPsec certificate, verify that you
have already loaded the CA certificate for the CA that issued the
module’s certificate.
If you are using SCEP to retrieve certificates and a retrieved
certificate does not display in the Web browser interface, verify
that the module has the correct time. The module takes its time
from its host switch.
– The remote client does not have a certificate, or the certificate is
not signed by the module’s CA.
– One or both of the certificates have expired.
– The module or remote client does not have the correct time, so it
cannot validate the peer’s certificate. (The module takes its time
from its host switch.)
– The IKE local ID on the module (type and value) does not match
the subject name in its IPsec certificate.
– The IKE remote ID on the module (type and value) does not match
the subject name in the remote client’s certificate.
– Similarly, the remote client’s local or remote IKE ID could be
misconfigured.
c. After you find and correct the error, change the Authentication mode setting in the IKE policy back to its original setting.
d. Clear the IPsec tunnel and IKE SA and try to establish the VPN.
Evaluate the success.
9. At this point, at least the IKE SA should be up. Attempt to send traffic
across the VPN tunnel from the test client. Evaluate whether you must
continue troubleshooting.
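The certificate errors listed in step 8b can be checked offline before the tunnel is retried. The following script is an added example and is not part of the TMS zl guide or the module's own tooling; it uses the openssl command line to test, against exported PEM copies of the CA certificate and the IPsec certificate, whether the IPsec certificate chains to the loaded CA, whether either certificate is expired or not yet valid for the local clock, and whether a distinguished-name IKE ID matches the certificate subject. The file names, the test CA, the subject "CN=tms-module.example.test" and the helper names (check_cert_chain, check_ike_id, troubleshoot_certs, make_test_certs) are assumptions made for the example; openssl must be installed.

```sh
#!/bin/sh
# Added example (not from the TMS zl guide): openssl CLI checks that mirror
# the certificate errors listed in step 8b. Assumptions: openssl is installed,
# the CA certificate and the IPsec certificate have been exported as PEM files,
# and the IKE ID under test is a distinguished-name ID written in RFC 2253 form.

# check_cert_chain CA_PEM CERT_PEM
# 0 when CERT_PEM is signed by CA_PEM and the local clock lies inside both
# validity periods. A certificate from another CA, an expired certificate, or
# a clock set before notBefore (the "wrong time" case) all fail here.
check_cert_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_cert_expiry CERT_PEM [SECONDS]
# 0 when the certificate is still valid SECONDS from now (default 0, i.e. not
# already expired); pass 604800 to flag a certificate expiring within a week.
check_cert_expiry() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# cert_subject CERT_PEM
# Prints the subject DN in RFC 2253 form, e.g. CN=tms-module.example.test
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# check_ike_id CERT_PEM EXPECTED_DN
# 0 when the configured DN-type IKE ID equals the certificate subject exactly.
check_ike_id() {
    [ "$(cert_subject "$1")" = "$2" ]
}

# troubleshoot_certs CA_PEM CERT_PEM EXPECTED_DN
# Runs the checks in the order of step 8b, prints one line per finding and
# returns the number of failed checks (0 means the certificate side is clean).
troubleshoot_certs() {
    failures=0
    if check_cert_chain "$1" "$2"; then
        echo "ok:   certificate chains to the loaded CA and the clock is within its validity dates"
    else
        echo "FAIL: certificate is not signed by this CA, or the clock is outside its validity dates"
        failures=$((failures + 1))
    fi
    if check_cert_expiry "$2" 604800; then
        echo "ok:   certificate does not expire within 7 days"
    else
        echo "FAIL: certificate has expired or expires within 7 days"
        failures=$((failures + 1))
    fi
    if check_ike_id "$2" "$3"; then
        echo "ok:   IKE ID matches the certificate subject ($3)"
    else
        echo "FAIL: IKE ID '$3' does not match certificate subject '$(cert_subject "$2")'"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# make_test_certs DIR
# Constructed test material only: a throwaway CA, an IPsec certificate it
# signed for the module, and a self-signed certificate standing in for a peer
# whose certificate is not signed by the module's CA.
make_test_certs() {
    cat >"$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Test VPN CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
    openssl req -new -config "$1/ca.cnf" -subj "/CN=tms-module.example.test" \
        -newkey rsa:2048 -nodes -keyout "$1/ipsec.key" -out "$1/ipsec.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/ipsec.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/ipsec.pem" >/dev/null 2>&1
    openssl req -x509 -config "$1/ca.cnf" -subj "/CN=unrelated-peer" \
        -newkey rsa:2048 -nodes -days 30 -keyout "$1/peer.key" -out "$1/peer.pem" >/dev/null 2>&1
}

# Stand-alone demo against the constructed certificates: RUN_DEMO=1 sh ike_cert_check.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
    work=$(mktemp -d)
    make_test_certs "$work"
    troubleshoot_certs "$work/ca.pem" "$work/ipsec.pem" "CN=tms-module.example.test"
    troubleshoot_certs "$work/ca.pem" "$work/peer.pem" "CN=tms-module.example.test"
    rm -rf "$work"
fi
```

Run with RUN_DEMO=1 to see the three findings for the module's own certificate (all ok) and then for the unrelated peer certificate (chain and IKE ID both fail). Against real exports, call troubleshoot_certs with the module's CA file, the certificate in question and the DN configured as the IKE ID; the chain check also catches the "wrong time" error from step 8b, because openssl verify rejects a certificate whose validity period does not contain the local clock.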