TMS zl Management and Configuration Guide ST.1.1.100430

10-96
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
IKE SA but no IPsec tunnel
If you see an IKE SA, click the Check status link. If the status indicates
“SA_Mature,” the IKE SA is fully established. However, the IPsec tunnel
has not come up; the connection has failed partway through the process.
In this case, begin by troubleshooting IPsec settings. (See “Troubleshoot
IPsec Settings for a Client-to-Site IPsec VPN” on page 10-70.)
If the IKE SA status is different from “SA_Mature,” IKE phase 1 has not
completed. (See “Troubleshoot IKE for a Client-to-Site IPsec Connection”
on page 10-63.)
IPsec tunnel
If you see an IPsec tunnel between the module and the remote gateway,
the connection is up and should carry traffic. If you are not able to send
traffic over the VPN, troubleshoot firewall access policies and verify that
they permit the proper traffic. (See “Access Policies for Site-to-Site VPNs”
on page 10-107.)
Troubleshoot IKE for a Site-to-Site VPN. If the IKE SA fails to establish,
try the troubleshooting tips in this section.
It is best practice to try one tip at a time and to attempt to establish the VPN
after each one. Then, re-evaluate the connection:
- If you can successfully send traffic over the connection, you can stop
  troubleshooting.
- If the IPsec tunnel comes up but traffic cannot reach its destination,
  continue with “Access Policies for Site-to-Site VPNs” on page 10-107.
- If the IKE SA comes up but the IPsec tunnel fails, continue with
  “Troubleshoot IPsec Settings for a Site-to-Site VPN” on page 10-105.
- If the IKE SA does not come up, continue to the next tip.
If you enter the capture command from the CLI, you can identify the problem
more precisely using Table 10-17.