TMS zl Management and Configuration Guide ST.1.1.100226

10-93
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
If the TMS zl Module was acting as an XAUTH client, look for these
problems:
• A misconfigured password
• A mismatch between the authentication protocol and the protocol
on the remote gateway
• Problems with the remote gateway’s local database or RADIUS
server
c. After you make a configuration change, re-enable XAUTH in the IKE
policy and on the remote gateway.
d. Clear the IKE SA (and IPsec tunnel if present) and try to re-establish
the VPN.
e. Check the status of the VPN connection and determine your next step.
9. If the IKE policy specifies DSA Signature or RSA Signature for the
Authentication mode, you should troubleshoot certificates:
a. If possible, configure both ends of the VPN connection to use pre-
shared keys instead of certificates and set the same key on both
devices.
If the IKE SA still does not come up, change the authentication mode
back to its original setting.
b. If the IKE SA comes up, you know that certificates were causing the
problem. Look for these common errors:
• Certificates are not properly loaded on the TMS zl Module. The
module requires a CA certificate and an IPsec certificate.
  – If you cannot load the module’s IPsec certificate, verify that you
  have already loaded the CA certificate for the CA that issued the
  module’s certificate.
  – If you are using SCEP to retrieve certificates and a retrieved
  certificate does not display in the Web browser interface, verify
  that the module has the correct time. The module takes its time
  from its host switch.
• The remote endpoint does not have a certificate, or the certificate
is not signed by the module’s CA.
• One or both of the certificates have expired.
• The module or remote gateway does not have the correct time,
so it cannot validate the peer’s certificate.
• The IKE local ID on the module (type and value) does not match
the subject name in its IPsec certificate.
• The IKE remote ID on the module (type and value) does not match
the subject name in the remote gateway’s certificate.
• The remote gateway’s local or remote IKE ID is misconfigured.
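The certificate checks in step 9b can be reproduced on a workstation before touching the module. The script below is an added example, not part of the guide and not HP code: it builds a constructed CA and a constructed "IPsec certificate" issued by it (plus an unrelated CA), then uses openssl to show how a wrong clock, a certificate from the wrong CA, and an IKE ID that does not match the certificate subject each make validation fail. It assumes the openssl command is installed; the names (Example VPN CA, tms-module.example.net, vpn.example.net) are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the TMS zl guide): reproduce the certificate
# failure modes listed for DSA/RSA Signature authentication using openssl.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Constructed CA that issues the module certificate, valid for 1 day.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Example VPN CA" -keyout ca.key -out ca.pem >/dev/null 2>&1
# Constructed second CA that issued nothing (the "wrong CA" case).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Other CA" -keyout other.key -out other.pem >/dev/null 2>&1
# Constructed module ("IPsec") certificate, subject CN = its FQDN.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=tms-module.example.net" -keyout mod.key -out mod.csr >/dev/null 2>&1
openssl x509 -req -in mod.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1 -sha256 -out mod.pem >/dev/null 2>&1

# chain_ok CA_FILE LEAF_FILE EPOCH_SECONDS -> prints "ok" or "fail".
# -attime makes openssl validate as if the clock read EPOCH_SECONDS,
# which is exactly what a module with a wrong time does.
chain_ok() {
  if openssl verify -CAfile "$1" -attime "$3" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# cert_cn LEAF_FILE -> prints the CN from the certificate subject.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# ike_id_matches LEAF_FILE CONFIGURED_FQDN_ID -> "match" or "mismatch".
# Models the check that an FQDN-type IKE ID equals the subject name.
ike_id_matches() {
  [ "$(cert_cn "$1")" = "$2" ] && echo match || echo mismatch
}

NOW="$(date +%s)"
echo "correct clock, issuing CA:      $(chain_ok ca.pem mod.pem "$NOW")"
echo "clock 30 days behind:           $(chain_ok ca.pem mod.pem "$((NOW - 30 * 86400))")"
echo "clock 30 days ahead (expired):  $(chain_ok ca.pem mod.pem "$((NOW + 30 * 86400))")"
echo "validated against wrong CA:     $(chain_ok other.pem mod.pem "$NOW")"
echo "IKE ID tms-module.example.net:  $(ike_id_matches mod.pem tms-module.example.net)"
echo "IKE ID vpn.example.net:         $(ike_id_matches mod.pem vpn.example.net)"
```

Run it as a plain shell script; the first line is the only one that should print ok and the first IKE ID line the only one that should print match. When a real module reports an IKE failure after a certificate load, the same three questions apply: is the module's clock inside the validity window of both certificates, was the peer's certificate issued by the CA the module trusts, and does the configured IKE ID equal the subject name.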