TMS zl Management and Configuration Guide ST.1.1.100430
10-104
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
c. After you make a configuration change, re-enable XAUTH in the IKE
policy and on the remote gateway.
d. Clear the IKE SA (and IPsec tunnel if present) and try to re-establish
the VPN.
e. Check the status of the VPN connection and determine your next step.
9. If the IKE policy specifies DSA Signature or RSA Signature for the
Authentication mode, you should troubleshoot certificates:
a. If possible, configure both ends of the VPN connection to use
pre-shared keys instead of certificates and set the same key on both
devices.
If the IKE SA still does not come up, change the authentication mode
back to its original setting.
b. If the IKE SA comes up, you know that certificates were causing the
problem. Look for these common errors:
– Certificates are not properly loaded on the TMS zl Module. The
module requires a CA certificate and an IPsec certificate.
If you cannot load the module’s IPsec certificate, verify that you
have already loaded the CA certificate for the CA that issued the
module’s certificate.
If you are using SCEP to retrieve certificates and a retrieved
certificate does not display in the Web browser interface, verify
that the module has the correct time. The module takes its time
from its host switch.
– The remote endpoint does not have a certificate, or the certificate
is not signed by the module’s CA.
– One or both of the certificates have expired.
– The module or remote gateway does not have the correct time,
so it cannot validate the peer’s certificate.
– The IKE local ID on the module (type and value) does not match
the subject name in its IPsec certificate.
– The IKE remote ID on the module (type and value) does not match
the subject name in the remote gateway’s certificate.
– The remote gateway’s local or remote IKE ID is misconfigured.
c. After you have found and corrected the error, change the IKE policy
Authentication mode setting back to its original setting.
d. Clear the IPsec tunnel and IKE SA and try to establish the VPN.
e. Check the status of the VPN connection and determine your next step.
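The certificate checks listed in step 9b can be run as one triage pass over each endpoint's certificate. The following is an added example, not part of this guide or the module's software; the field names, the "distinguished-name" ID type label, and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

DN_TYPE = "distinguished-name"  # hypothetical label for the IKE ID type

def norm_dn(dn):
    """Normalize 'CN=a, O=b' for comparison (no escaped-comma handling)."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().upper(), value.strip().lower()))
    return parts

def triage(cert, ca_subject, ike_id, clock):
    """Return the step 9b errors that apply to one endpoint's certificate.

    cert: constructed dict (subject, issuer, not_before, not_after) or None;
    ike_id: (type, value) configured for this endpoint; clock: device time.
    """
    if cert is None:
        return ["no certificate loaded"]
    found = []
    # Name chaining only; this does not verify the CA's signature.
    if norm_dn(cert["issuer"]) != norm_dn(ca_subject):
        found.append("issuer is not the expected CA")
    if clock < cert["not_before"]:
        found.append("not yet valid (device clock behind?)")
    elif clock > cert["not_after"]:
        found.append("expired (or device clock ahead)")
    id_type, id_value = ike_id
    if id_type != DN_TYPE or norm_dn(id_value) != norm_dn(cert["subject"]):
        found.append("IKE ID does not match certificate subject")
    return found

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample data, not taken from any real device.
CA = "CN=Example Lab CA, O=Example"
MODULE_CERT = {"subject": "CN=tms-module, O=Example", "issuer": CA,
               "not_before": utc(2010, 5, 1), "not_after": utc(2012, 5, 1)}

if __name__ == "__main__":
    cases = [
        ("healthy", (DN_TYPE, "cn=tms-module,o=Example"), utc(2011, 1, 1)),
        ("clock reset", (DN_TYPE, "CN=tms-module, O=Example"), utc(2000, 1, 1)),
        ("wrong ID", (DN_TYPE, "CN=branch-gw, O=Example"), utc(2011, 1, 1)),
    ]
    for name, ike_id, clock in cases:
        print(name, "->", triage(MODULE_CERT, CA, ike_id, clock) or "ok")
```

The "clock reset" case shows why a valid certificate is rejected when the device time is wrong: the same certificate passes once the clock falls inside its validity window.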