TMS zl Management and Configuration Guide ST.1.2.100916
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
Note: When you create new access policies, enable logging on them for the
purposes of troubleshooting.
Your access policies might specify particular IP addresses for remote
endpoints. If so, create temporary access policies that permit IKE and
NAT-T traffic to and from any IP address. Assign these access policies the
top priority. If the IKE SA is then established, your original access policies
are misconfigured. Check these policies for miskeyed IP addresses or
misconfigured address objects. Also verify that the original access policies
apply to and from the correct zones.
After you resolve the misconfiguration, delete any temporary firewall
policies. Clear the IKE SA and verify that the reconfigured policies
continue to work. If so, re-evaluate the VPN connection and take the
appropriate next steps (if any).
2. Check routes in the Network > Routing > Static Routes window and verify
that the correct ones are in place.
To complete IKE, the TMS zl Module must have the correct routes to the
remote endpoints. Often, when endpoints are reached through the Internet,
this route is the module’s default route, but this is not always the case.
3. Check the IPsec policy, and verify that it uses the IKE policy that you
configured for the client-to-site connection.
4. Check all of your IKE policies and verify that a policy other than the
one that you expect does not match your policy.
Note that IKE policies remain active even when there are no active IPsec
policies associated with them.
5. Check the local gateway address in the IKE policy. Verify that this address
matches the module IP address that clients contact.
6. Check the IKE policies on the TMS zl Module and the remote client. Ensure
that both specify the same key exchange mode (main or aggressive).
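
The access-policy isolation test described at the start of this procedure, replayed offline as an added example (not code from this guide or from the TMS zl Module): it evaluates permit policies in priority order against an IKE packet, adds the temporary permit-any IKE/NAT-T policy, and reports which field of each original policy failed to match. The policy record layout, zone names, policy names, addresses and the lowest-number-first priority model are assumptions made for illustration.

```python
import ipaddress

IKE_PORTS = {500, 4500}  # UDP 500 = IKE, UDP 4500 = NAT-T

def field_mismatches(policy, pkt):
    """Return the names of the policy fields that do not match the packet."""
    bad = []
    if policy["from_zone"] != pkt["from_zone"]:
        bad.append("from_zone")
    if policy["to_zone"] != pkt["to_zone"]:
        bad.append("to_zone")
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(policy["src"]):
        bad.append("src")
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(policy["dst"]):
        bad.append("dst")
    if pkt["proto"] != "udp" or pkt["dport"] not in policy["ports"]:
        bad.append("service")
    return bad

def first_match(policies, pkt):
    """Assumed model: lowest priority number is checked first; no match = deny."""
    for p in sorted(policies, key=lambda p: p["priority"]):
        if not field_mismatches(p, pkt):
            return p
    return None

def diagnose(policies, pkt):
    """Replay the test: add a temporary permit-any IKE/NAT-T policy at top priority."""
    hit = first_match(policies, pkt)
    if hit is not None:
        return {"permitted_by": hit["name"], "suspect_fields": {}}
    temp = {"name": "TEMP-IKE-ANY", "priority": 0, "from_zone": pkt["from_zone"],
            "to_zone": pkt["to_zone"], "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
            "ports": IKE_PORTS}
    hit = first_match(policies + [temp], pkt)
    suspects = {p["name"]: field_mismatches(p, pkt) for p in policies}
    return {"permitted_by": hit["name"] if hit else None, "suspect_fields": suspects}

# Constructed sample data: names, zones and addresses are hypothetical.
POLICIES = [  # all entries are permit policies; src was miskeyed (.52, peer is .25)
    {"name": "ike-from-branch", "priority": 10, "from_zone": "EXTERNAL",
     "to_zone": "SELF", "src": "203.0.113.52/32", "dst": "198.51.100.1/32",
     "ports": IKE_PORTS},
]
IKE_PKT = {"from_zone": "EXTERNAL", "to_zone": "SELF", "src": "203.0.113.25",
           "dst": "198.51.100.1", "proto": "udp", "dport": 500}

if __name__ == "__main__":
    print(diagnose(POLICIES, IKE_PKT))
```

If the temporary policy is what permits the packet, the listed suspect fields point at the part of the original policy to correct before the temporary policy is deleted.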