TMS zl Management and Configuration Guide ST.1.2.100916
10-71
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
If you do not want to enter the capture command and view the output, try these
tips in this order. (Use the Web browser interface to check these settings.)
1. Check the IPsec traffic selector, which is configured in the IPsec policy:
   - The protocol, local addresses, and local ports (if configured) must match
     exactly the protocol, addresses, and ports configured for the remote
     network on the remote client.
   - The module’s remote addresses, on the other hand, must match the
     addresses configured for the IKE mode config pool within this IPsec
     policy.
   Note: If you cannot find the misconfiguration, check all network and service objects
   used in IPsec policies and verify that they are up-to-date and accurate.

   Caution: As you make any changes to the traffic selector, verify that the selector does
   not match management traffic (traffic from your management station to the
   TMS zl Module). If it does, you will lock yourself out of the module.
   In addition, the local address must not include the local gateway address.
   If necessary, create Bypass IPsec policies to exclude module IP addresses
   from the VPN. See “Configure Bypass and Deny IPsec Policies” on page 7-354
   and Chapter 7: “Virtual Private Networks.”
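
The step 1 traffic-selector rules, written as an offline pre-change check. This is an added example, not taken from the guide or from the module's software; the dictionary fields, all addresses, and the rule used to decide whether a management flow matches the selector are assumptions constructed for illustration.

```python
# Added example: offline sanity check of the step 1 traffic-selector rules.
# All names and values are constructed; nothing is read from a TMS zl Module.
from ipaddress import ip_address, ip_network

def check_selector(sel, client, pool, local_gateway, mgmt_flows):
    """Return a list of findings; an empty list means the rules hold."""
    findings = []
    local, remote = ip_network(sel["local"]), ip_network(sel["remote"])
    # Protocol, local addresses and local ports must match the client's
    # remote-network settings exactly.
    if sel["protocol"] != client["protocol"]:
        findings.append(f"protocol {sel['protocol']} != client {client['protocol']}")
    if local != ip_network(client["remote_net"]):
        findings.append(f"local {local} != client remote network {client['remote_net']}")
    if sel["local_port"] != client["remote_port"]:
        findings.append(f"local port {sel['local_port']} != client {client['remote_port']}")
    # The module's remote addresses must match the IKE mode config pool.
    if remote != ip_network(pool):
        findings.append(f"remote {remote} != IKE mode config pool {pool}")
    # The local address must not include the local gateway address.
    if ip_address(local_gateway) in local:
        findings.append(f"local {local} includes local gateway {local_gateway}")
    # Management traffic must not match the selector (lockout risk).
    # Assumption: a flow matches when one endpoint falls in the local range
    # and the other in the remote range; protocol and ports are ignored.
    for station, module in mgmt_flows:
        s, m = ip_address(station), ip_address(module)
        if (s in local and m in remote) or (s in remote and m in local):
            findings.append(f"selector matches management flow {station} -> {module}")
    return findings

# Constructed sample values (documentation and private address ranges).
CLIENT = {"protocol": "any", "remote_net": "10.1.0.0/16", "remote_port": None}
POOL = "10.9.0.0/24"
GATEWAY = "203.0.113.1"
GOOD = {"protocol": "any", "local": "10.1.0.0/16", "local_port": None,
        "remote": "10.9.0.0/24"}
BAD = {"protocol": "tcp", "local": "0.0.0.0/0", "local_port": None,
       "remote": "10.9.0.0/24"}

if __name__ == "__main__":
    mgmt = [("192.0.2.10", "10.1.1.1")]  # constructed station -> module flow
    for name, sel in (("GOOD", GOOD), ("BAD", BAD)):
        for line in check_selector(sel, CLIENT, POOL, GATEWAY, mgmt) or ["ok"]:
            print(f"{name}: {line}")
```

Running the check against the planned selector before applying it in the Web browser interface shows which rule a change would break, including the management-traffic overlap that causes a lockout.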
2. Check the IPsec security settings.
To establish the IPsec tunnel, the TMS zl Module and the remote clients
must agree on a number of settings. Table 10-10 displays those settings
and how they should match up between the module and the remote
device. Note that some settings are configured in the IPsec proposal and
some are configured in the IPsec policy. The table also indicates where
the setting is configured.