TMS zl Management and Configuration Guide ST.1.2.100916
10-77
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
■ If the IPsec tunnel comes up on the TMS zl Module but the VPN connection
on the test client does not, continue with “Troubleshoot L2TP Local
Settings” on page 10-84.
■ If the IKE SA comes up but the IPsec tunnel does not, continue with
“Troubleshoot IPsec Settings for a Client-to-Site L2TP over IPsec VPN” on
page 10-83.
■ If the IKE SA does not come up, continue to the next tip.
If you enter the capture command and view the IKE messages, you can use
Table 10-11 to identify the problem.
Table 10-11. IKE capture Messages

Example capture Messages:
No messages
Problem: The module is not receiving or accepting the remote client’s IKE messages.
Begin Troubleshooting At: Step 1 on page 10-77

Example capture Messages:
IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident
IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R inf
Problem: The module and the remote client’s IKE security settings do not match.
Begin Troubleshooting At: Step 7 on page 10-80

Example capture Messages:
IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident
IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R ident
IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident
IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R ident
IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident[E]
IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R ident[E]
IP tms1.isakmp > tms2.isakmp: isakmp: phase 2/others I inf[E]
Problem: IKE authentication fails:
• The local or remote ID is incorrect.
• The preshared key is miskeyed.
• Certificates are misconfigured (see step 8 on page 10-82).
Begin Troubleshooting At: Step 7 on page 10-80

If you do not want to activate the capture command, try these tips in order:
1. Verify that the firewall access policies allow IKE and L2TP.
Ensure that the access policies permit the following traffic between the TMS zl Module and the remote clients:
• IKE
• NAT-T (in case an intervening NAT device translates the clients’ or the module’s IP address)
• L2TP traffic
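An added example, not part of the guide: a small Python classifier that applies the lookup in Table 10-11 to saved capture output. It assumes the output uses the line format shown in the table (resolved host names and the isakmp port name); the function names and the matching rules are assumptions inferred from the table's example rows.

```python
import re

# One tcpdump-style ISAKMP line in the form printed in Table 10-11.
# \s+ between tokens tolerates output that wraps, as it does in the table.
ISAKMP = re.compile(
    r"IP\s+\S+\.isakmp\s+>\s+\S+\.isakmp:\s+isakmp:\s+"
    r"phase\s+(1|2/others)\s+([IR])\s+(\w+)(\[E\])?")

# (problem, where to begin troubleshooting), worded as in Table 10-11.
NO_MESSAGES = ("Module is not receiving or accepting the client's IKE messages",
               "Step 1 on page 10-77")
MISMATCH = ("IKE security settings do not match", "Step 7 on page 10-80")
AUTH_FAIL = ("IKE authentication fails", "Step 7 on page 10-80")

def parse(capture):
    """Return one (phase, role, exchange, encrypted) tuple per ISAKMP line."""
    return [(ph, role, xchg, bool(enc))
            for ph, role, xchg, enc in ISAKMP.findall(capture)]

def classify(capture):
    """Match a capture against the three rows of Table 10-11.

    Returns None when no row fits. Rules are inferred from the example rows.
    """
    msgs = parse(capture)
    if not msgs:
        return NO_MESSAGES
    enc_ident_seen = False
    for phase, role, xchg, enc in msgs:
        if phase == "1" and xchg == "ident" and enc:
            enc_ident_seen = True
        elif phase == "1" and xchg == "inf" and not enc:
            return MISMATCH   # row 2: unencrypted phase 1 "inf"
        elif xchg == "inf" and enc and enc_ident_seen:
            return AUTH_FAIL  # row 3: "inf[E]" after the "ident[E]" exchange
    return None

# Sample input constructed from the second and third rows of Table 10-11.
ROW2 = ("IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident\n"
        "IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R inf\n")
ROW3 = ROW2.replace("R inf", "R ident") * 2 + (
    "IP tms1.isakmp > tms2.isakmp: isakmp: phase 1 I ident[E]\n"
    "IP tms2.isakmp > tms1.isakmp: isakmp: phase 1 R ident[E]\n"
    "IP tms1.isakmp > tms2.isakmp: isakmp: phase\n2/others I inf[E]\n")

if __name__ == "__main__":
    for name, cap in (("no messages", ""), ("row 2", ROW2), ("row 3", ROW3)):
        print(name, "->", classify(cap))
```

A result of None means the capture matches none of the three failure rows, so the table does not apply to it.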