TMS zl Management and Configuration Guide ST.1.1.100430
10-93
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
On the TMS zl Module, reset the shared secret as follows:
i. In the Web browser interface, select Network > Authentication >
RADIUS.
ii. Edit the RADIUS server entry and set the correct shared secret.
Troubleshoot Access Policies for a Client-to-Site L2TP over IPsec
VPN. If the VPN connection seems to be up but the remote client's traffic
cannot reach its destination, a firewall access policy is probably to blame. The
TMS zl Module firewall processes outgoing VPN traffic before it is encapsulated
and encrypted, and it processes incoming VPN traffic after it has been
decapsulated and decrypted. In other words, the access policies must permit
the inner IP traffic that is sent over the VPN (the remote client's virtual
address talking to the local hosts), not the IPsec packets that carry it.
These access policies should be configured for the user group that you
assigned to the users’ dial-in policies.
Note The TMS zl Module automatically accepts IPsec traffic for which it is the
gateway. You only need to create access policies for AH or ESP traffic when
an IPsec VPN is established through the module to a VPN gateway behind it.
See “Troubleshooting the Firewall” on page 10-39 for tips on troubleshooting
firewall access policies.
Keep in mind that access policies must permit any traffic that you want to send
over the tunnel. For example, you will probably want the remote endpoints to
initiate connections with local services. Therefore, you should create an
access policy with the local servers' zone as the destination zone. The correct
source zone is always EXTERNAL. The correct source IP addresses for the remote
endpoints are the virtual addresses that you configured in the users' dial-in
policies, not the clients' public addresses.
If you can do so securely, try configuring access policies that allow all services
and see if the traffic can reach its destination. Enable logging on these access
policies. Check the module’s logs. It is possible that access policies permit
traffic correctly but there is another problem such as:
■ Another security device is dropping the traffic.
■ The L2TP dial-in user settings are incorrect. The setting for the remote
client’s default gateway (configured in the Step 3 of 3 window) must match
the server IP address (configured in the Step 1 of 3 window).
■ The remote client’s DNS server IP address might be misconfigured.
Once you get traffic flowing across the tunnel, you can experiment with more
restrictive access policies.
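To make the evaluation order concrete, the following is an added example (not from this guide and not HP's code) that models a zone-based firewall evaluating the decapsulated inner packet of an L2TP over IPsec client. Only two points come from the text above: the clients' source zone is EXTERNAL, and IPsec traffic addressed to the module itself needs no access policy. The zone name INTERNAL, the address ranges, the policy fields and the first-match-wins semantics are assumptions chosen for illustration. The example shows why a policy written for a LAN source zone never matches the tunnel traffic, what the correct EXTERNAL-to-server policy looks like, and the allow-all-services-with-logging policy used as a troubleshooting step.

```python
"""Model of zone-based access-policy evaluation for L2TP over IPsec client traffic.

Added example, not code from the TMS zl guide or from HP. The module's real
policy engine is not public: the zone name INTERNAL, the address ranges, the
policy fields and first-match semantics are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing (assumed): virtual address pool from the dial-in
# policies, the LAN where the servers live, and the module's own address.
VIRTUAL_POOL = ipaddress.ip_network("10.99.0.0/24")
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
MODULE_IP = ipaddress.ip_address("198.51.100.1")

# Anything not in a named zone falls into EXTERNAL, which is why the tunnel
# clients' virtual addresses are treated as EXTERNAL sources.
ZONE_NETS = {"INTERNAL": [INTERNAL_NET]}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "icmp", "esp", "ah"
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Policy:
    action: str                   # "permit" or "deny"
    src_zone: str
    dst_zone: str
    src_net: str                  # CIDR
    dst_net: str                  # CIDR
    proto: Optional[str] = None   # None = any service
    dst_port: Optional[int] = None
    log: bool = False

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONE_NETS.items():
        if any(addr in n for n in nets):
            return zone
    return "EXTERNAL"

def gateway_accepts_outer(pkt: Packet) -> bool:
    """IPsec traffic terminating on the module needs no access policy (ESP/AH;
    this model also lets the IKE exchange on UDP 500/4500 through)."""
    if ipaddress.ip_address(pkt.dst) != MODULE_IP:
        return False
    if pkt.proto in ("esp", "ah"):
        return True
    return pkt.proto == "udp" and pkt.dst_port in (500, 4500)

def matches(pol: Policy, pkt: Packet) -> bool:
    if zone_of(pkt.src) != pol.src_zone or zone_of(pkt.dst) != pol.dst_zone:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(pol.src_net):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(pol.dst_net):
        return False
    if pol.proto is not None and pol.proto != pkt.proto:
        return False
    return pol.dst_port is None or pol.dst_port == pkt.dst_port

def evaluate(pkt: Packet, policies: List[Policy]) -> Tuple[str, Optional[int], bool]:
    """First matching policy wins; no match is an implicit deny.
    Returns (action, index of the matching policy or None, logged?)."""
    for i, pol in enumerate(policies):
        if matches(pol, pkt):
            return pol.action, i, pol.log
    return "deny", None, False

# What the firewall actually sees for a remote client reaching a file server:
# the decapsulated inner packet, sourced from the client's virtual address.
INNER = Packet(src="10.99.0.5", dst="192.168.10.20", proto="tcp", dst_port=445)
OUTER = Packet(src="203.0.113.7", dst=str(MODULE_IP), proto="esp")

# Common mistake: treating the tunnel clients as if they sat on the LAN.
WRONG = [Policy("permit", "INTERNAL", "INTERNAL", "0.0.0.0/0", str(INTERNAL_NET))]

# Correct: source zone EXTERNAL, source addresses = the dial-in virtual pool.
CORRECT = [Policy("permit", "EXTERNAL", "INTERNAL", str(VIRTUAL_POOL),
                  str(INTERNAL_NET), proto="tcp", dst_port=445)]

# Troubleshooting step from the guide: allow all services but log the hits.
PERMISSIVE_LOGGED = [Policy("permit", "EXTERNAL", "INTERNAL", str(VIRTUAL_POOL),
                            str(INTERNAL_NET), log=True)]

if __name__ == "__main__":
    print("outer ESP accepted by gateway:", gateway_accepts_outer(OUTER))
    for name, pols in (("WRONG", WRONG), ("CORRECT", CORRECT),
                       ("PERMISSIVE_LOGGED", PERMISSIVE_LOGGED)):
        print(name, evaluate(INNER, pols))
```

Running the block prints a deny for the WRONG policy set (the inner packet's source zone is EXTERNAL, so an INTERNAL-to-INTERNAL policy can never match it) and a permit for the other two. If the PERMISSIVE_LOGGED variant permits the flow on the real module yet traffic still does not arrive, the access policies are not the problem and the other causes listed above (another security device, the dial-in gateway setting, client DNS) are the next things to check.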