TMS zl Management and Configuration Guide ST.1.1.100430

10-68
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
If you make any corrections to the IKE policy, try to send VPN traffic from
the test device. Then re-evaluate. If you must continue troubleshooting,
leave any changes to the IKE policy that you are confident are corrections.
However, if you experiment with a change and the experiment does not
solve the problem, you should revert to your original settings.
8. In the previous step, you checked the general IKE policy. However, you
might need to do additional troubleshooting when the policy specifies
XAUTH.
a. Edit the IKE policy and disable XAUTH. (The setting is in the Edit IKE
Policy—Step 3 of 3 window.)
b. Also disable XAUTH on the test client. Attempt to establish the VPN
from the test client.
If the connection still does not come up, move to step 9 on page 10-68.
Note: Leave XAUTH disabled in case both XAUTH and another setting are causing
the problem. You will re-enable XAUTH when you have finished troubleshooting
the connection.
c. If the IKE SA now comes up, you know that XAUTH is causing
problems. Look for these problems:
- A misconfigured IP address for the module’s external RADIUS server
- A mismatch between the password on the remote client and the
  external RADIUS server or local user account
- A mismatch between the authentication protocol on the module
  and the client
- An external RADIUS server that does not support the correct
  authentication protocol
d. After you make a configuration change, re-enable XAUTH in both IKE
policies.
e. Clear the IKE SA (and IPsec tunnel if present) and try to re-establish
the VPN. Evaluate the VPN connection and take the appropriate next
step.
9. If the IKE policy specifies DSA Signature or RSA Signature for the
Authentication mode, you should troubleshoot certificates:
a. If possible, configure both ends of the VPN connection to use
pre-shared keys instead of certificates and set the same key on both
devices.
If the IKE SA still does not come up, change the authentication mode
back to its original setting. Move to step 10 on page 10-69.