TMS zl Management and Configuration Guide ST.1.1.100226

10-98

Troubleshooting

Troubleshooting the TMS zl Module in Routing Mode

Attempt to send traffic to a remote endpoint from the local test device:

■ If the traffic cannot reach its destination, you must troubleshoot the GRE

tunnel (see “Troubleshoot the GRE Tunnel” on page 10-98).

■ If the traffic can reach its destination, the GRE tunnel is functioning

correctly. Re-enable the IPsec policy. You must troubleshoot IKE and

IPsec. Refer to the instructions for troubleshooting a site-to-site VPN:

• “Troubleshoot IKE for a Site-to-Site VPN” on page 10-85

• “Troubleshoot IPsec Settings for a Site-to-Site VPN” on page 10-94

Troubleshoot the GRE Tunnel. If the GRE tunnel fails, try the trouble-

shooting tips listed in this section.

It is best practice to try one tip at a time, attempting to send traffic across the

tunnel after each change. If the attempt fails, continue with the next tip. If, on

the other hand, the attempt is successful, you must re-enable the IPsec policy

and once again attempt to send your traffic:

■ If you can successfully send traffic over the connection, you can stop

troubleshooting.

■ If the attempt fails, refer to the instructions for troubleshooting a site-to-

site VPN:

• “Troubleshoot IKE for a Site-to-Site VPN” on page 10-85

• “Troubleshoot IPsec Settings for a Site-to-Site VPN” on page 10-94

1. Verify that the firewall access policies allow the following traffic:

• Traffic between local and remote endpoints (which initiate the GRE

tunnel)

The correct zone for the remote endpoints is the Firewall Zone

Association configured in the GRE tunnel settings.

• GRE traffic between the TMS zl Module and the remote gateway

The access policies should specify the module’s and the remote

gateway’s actual IP addresses (not the addresses for the tunnel

interface).