TMS zl Management and Configuration Guide ST.1.1.100430
10-70
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
Troubleshoot IPsec Settings for a Client-to-Site IPsec VPN. This sec-
tion includes tips for troubleshooting IPsec settings.
It is best practice to clear the IKE SA and attempt to establish the VPN
connection from the test client after making each change. Then re-evaluate
the connection:
■ If the traffic can reach its destination, you can stop troubleshooting.
■ If the traffic cannot reach its destination, but the IPsec tunnel comes up,
move to “Troubleshoot Access Policies for a Client-to-Site IPsec VPN” on
page 10-72.
■ If the traffic cannot reach its destination, but the IPsec tunnel comes up,
move to “Troubleshoot IPsec Settings for a Client-to-Site IPsec VPN” on
page 10-70.
■ If the IPsec tunnel does not come up, continue with the next tip.
When you enter the capture command in the CLI and view the output, you can
use Table 10-9 to pinpoint the problem.
Table 10-9. IKE capture Messages
Example capture Messages Problem
IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident
IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R ident
IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident
IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R ident
IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident[E]
IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R ident[E]
IP tms1.isakmp > tms2.isakmp: isakmp: phase 2/others I oakley-quick[E]
IP tms1.isakmp > tms2.isakmp: isakmp: phase 2/others I oakley-quick[E]
The traffic selector is
incorrect (see step 1 on
page 10-71).
IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident
IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R ident
IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident
IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R ident
IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident[E]
IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R ident[E]
IP tms1.isakmp > tms2.isakmp: isakmp: phase 2/others I oakley-quick[E]
IP tms2.isakmp > tms1.isakmp: isakmp: phase 2/others R inf[E]
The IPsec security settings
do not match (see step 2 on
page 10-71).