TMS zl Management and Configuration Guide ST.1.1.100430
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
3. Copy the file from the server to your management station. Open the packet
trace file in a network protocol analyzer such as Wireshark to examine
the packet contents and trace the tunnel negotiation.
Note: If the packet trace does not give enough detailed information, you can try
setting the VPN key exchange mode to aggressive (in both the module’s and
the client’s IKE policy). Aggressive mode transmits more data in plain text
than main mode does. This can make it easier to identify mismatches in the
configuration.
The sections for troubleshooting specific types of VPN connections contain
more information to help you interpret the capture messages.
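As an added example (not from this guide and not an HP tool), the following Python sketch summarizes IKEv1 messages taken from the packet trace: it reports the exchange mode, which payloads are readable, and any notify error the peer returned. It assumes you have already extracted the UDP payload of each port 500 packet; the function names, the sample bytes and the identity vpnuser@example.com are constructed for illustration.

```python
import struct

# IKEv1 (ISAKMP, RFC 2408/2409) codes; only the ones this example reports by name.
EXCHANGES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}
PAYLOADS = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "NOTIFY", 13: "VID"}
NOTIFY = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED"}
HEADER = "!8s8sBBBBII"  # cookies, next payload, version, exchange, flags, msg ID, length

def parse_isakmp(data):
    """Summarize one IKEv1 message (the UDP payload of a port 500 packet)."""
    if len(data) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    _, _, nxt, _, xchg, flags, _, length = struct.unpack(HEADER, data[:28])
    if length != len(data):
        raise ValueError("header length does not match captured data")
    msg = {"exchange": EXCHANGES.get(xchg, f"type-{xchg}"),
           "encrypted": bool(flags & 0x01), "payloads": [], "notify": []}
    if msg["encrypted"]:
        return msg  # payloads are ciphertext; only the header can be read
    off = 28
    while nxt != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        following, _, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length")
        msg["payloads"].append(PAYLOADS.get(nxt, f"type-{nxt}"))
        if nxt == 11 and plen >= 12:
            # Notification body: DOI(4), protocol ID(1), SPI size(1), type(2)
            (ntype,) = struct.unpack("!H", data[off + 10:off + 12])
            msg["notify"].append(NOTIFY.get(ntype, f"notify-{ntype}"))
        nxt, off = following, off + plen
    return msg

def build(xchg, flags, payloads):
    """Build a constructed sample message from (payload type, body) pairs."""
    body = b""
    for i, (_, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    return struct.pack(HEADER, b"I" * 8, b"R" * 8, payloads[0][0], 0x10,
                       xchg, flags, 0, 28 + len(body)) + body

# Constructed samples: placeholder bodies, not bytes from a real capture.
AGGRESSIVE_1 = build(4, 0, [(1, b"\0" * 8), (4, b"\0" * 8), (10, b"\0" * 8),
                            (5, b"\x03\0\0\0vpnuser@example.com")])
REJECT = build(5, 0, [(11, struct.pack("!IBBH", 1, 1, 0, 14))])

if __name__ == "__main__":
    print(parse_isakmp(AGGRESSIVE_1), parse_isakmp(REJECT), sep="\n")
```

In the first sample the ID payload is listed and readable, which is the extra plain-text data that aggressive mode exposes; a message with the encryption flag set yields only the header fields.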
Clear IKE SAs and IPsec Tunnels. During the course of troubleshooting,
you might need to clear IKE SAs or IPsec tunnels to force the connection to
re-establish itself with the new settings.
■ Clear IKE and IPsec SAs on the TMS zl Module.
Follow these steps to clear SAs from the module’s Web browser interface:
a. Select VPN > Connections > VPN Connections.
b. Click the Flush link next to the IKE SA or IPsec tunnel that you want
to clear.
■ Clear a VPN connection on the client.
If you are troubleshooting a client-to-site VPN, you might need to clear
the VPN connection from the client’s side.
For example, to clear the connection on an HP ProCurve VPN client,
right-click the ProCurve VPN icon in the system tray and select Disconnect >
<My Connection>. Alternatively, right-click the ProCurve VPN icon and select
Reload Security Policy.
Troubleshooting a Client-to-Site IPsec VPN
The sections that follow outline a process and provide tips for troubleshooting
a client-to-site VPN that uses the IPsec protocol.
Set up a Test Client. As you troubleshoot the VPN, you must periodically
check various settings on the remote client and try to re-initiate the
connection. It is a good idea to create a test client for this purpose:
1. Connect the endpoint to a port on the host switch.