TMS zl Management and Configuration Guide ST.1.1.100430

Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
2. Assign the switch port to the VLAN on which the module receives traffic
from remote clients (this is also the forwarding VLAN in the route to
these clients).
For example, if the remote clients connect through the Internet, you
should assign the switch port to the VLAN on which the TMS zl Module
connects to the Internet router.
3. Assign the endpoint an IP address in the subnet associated with this VLAN
and configure the TMS zl Module as its default gateway.
4. On the test client, configure the same VPN settings that are used by your
remote users.
5. Attempt to initiate a VPN connection.
If the VPN connection comes up and the test client can successfully send
traffic across it, then you should look for problems such as these:
- The TMS zl Module and the actual remote clients cannot reach each other.
  Check the module's routes and verify that it has a route to the remote
  clients (which may not be directly connected to a TMS VLAN as the test
  client is).
- The firewall access policies do not permit NAT-T traffic.
  A device that is between the TMS zl Module and the remote clients may
  perform NAT on the clients’ traffic, which can interfere with the VPN. The
  module supports NAT-T to deal with this problem, but you must allow
  NAT-T traffic through the firewall. Configure access policies that allow
  the ipsec-nat-t-udp service between the remote clients and the TMS zl
  Module.
If the test client experiences the same problem as the remote clients, you must
continue troubleshooting the connection as described in the sections that
follow.
View VPN Connections.
The first step in troubleshooting a VPN is determining where the
connection fails. You can view VPN connections in the
VPN > Connections > VPN Connections window of the TMS zl Module's Web
browser interface, as shown in Figure 10-13.
This window displays IKE SAs and IPsec VPN tunnels. The IKE SA is a
temporary tunnel that must be established before the IPsec tunnel can be
established. The IPsec tunnel is the connection over which users send
encrypted traffic.
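
The following is an added example, not taken from the TMS zl guide: a way to check a packet capture for how far a connection got, by labelling UDP datagrams as IKE on port 500, IKE over NAT-T on port 4500, NAT-T keepalives, or ESP-in-UDP tunnel traffic (RFC 3947/3948 framing). The function names, stage labels and sample datagrams are constructed for illustration, and only UDP-carried traffic is considered (native ESP, IP protocol 50, is out of scope).

```python
import struct

IKE_PORT, NATT_PORT = 500, 4500     # UDP ports for IKE and for NAT-T
NON_ESP_MARKER = b"\x00" * 4        # prefixes IKE messages sent on UDP 4500
IKE_HEADER_LEN = 28                 # fixed ISAKMP/IKE header size

def classify(gateway_port, payload):
    """Label one UDP datagram by the port it uses on the VPN gateway side."""
    if gateway_port == IKE_PORT:
        return "ike" if len(payload) >= IKE_HEADER_LEN else "malformed"
    if gateway_port != NATT_PORT:
        return "other"
    if payload == b"\xff":                      # one-byte NAT keepalive
        return "natt-keepalive"
    if payload[:4] == NON_ESP_MARKER:           # IKE inside NAT-T
        ok = len(payload) >= 4 + IKE_HEADER_LEN
        return "natt-ike" if ok else "malformed"
    # Anything else on 4500 starts with a non-zero SPI: ESP-in-UDP.
    return "natt-esp" if len(payload) >= 8 else "malformed"

def furthest_stage(datagrams):
    """Given (gateway_port, payload) pairs, report the furthest stage seen."""
    seen = {classify(port, data) for port, data in datagrams}
    if "natt-esp" in seen:
        return "ipsec-over-natt"      # IPsec tunnel traffic is flowing
    if "natt-ike" in seen:
        return "ike-over-natt"        # IKE moved to 4500, no ESP yet
    if "ike" in seen:
        return "ike-port-500-only"    # behind NAT, suspect blocked NAT-T
    return "no-ike"                   # nothing arrived: check routing first

def sample_ike_header():
    """Constructed IKEv1 main-mode header (placeholder SPIs, no payloads)."""
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8,
                       1, 0x10, 2, 0, 0, IKE_HEADER_LEN)

# Constructed captures: one where NAT-T never appears, one that completes.
BLOCKED = [(IKE_PORT, sample_ike_header())] * 2
WORKING = BLOCKED + [
    (NATT_PORT, NON_ESP_MARKER + sample_ike_header()),
    (NATT_PORT, b"\xff"),
    (NATT_PORT, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 32),
]

if __name__ == "__main__":
    print("blocked capture:", furthest_stage(BLOCKED))
    print("working capture:", furthest_stage(WORKING))
```

A result of `ike-port-500-only` for clients known to sit behind a NAT device is the pattern to compare against the access policies for the ipsec-nat-t-udp service.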