TMS zl Management and Configuration Guide ST.1.2.100916
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
You might also try configuring access policies that permit this traffic to
and from each zone and the Self zone (in case you have mistaken the
remote clients’ zone).
Note: When you create new access policies, enable logging on them for the purposes
of troubleshooting.
Your access policies might already permit the proper traffic but specify
particular IP addresses for remote endpoints. If so, try creating temporary
access policies that permit IKE, NAT-T, and L2TP traffic to and from any
IP address. If the IKE SA is established, your original access policies were
misconfigured. Check these policies for miskeyed IP addresses or
misconfigured address objects. Also verify that the original access policies
were to and from the correct zone.
After you resolve the misconfiguration, delete any temporary firewall
policies. Clear the IKE SA and verify that the reconfigured policies
continue to work. If so, re-evaluate the VPN connection and take the
appropriate next steps (if any).
2. Check routes in the Network > Routing > Static Routes window and verify
that the correct ones are in place.
To complete IKE, the TMS zl Module must have the correct routes to the
remote endpoints. Often, when endpoints are reached through the
Internet, this route is the module’s default route, but this is not always the case.
3. Check the IPsec policy, and verify that it uses the IKE policy that you
configured for the client-to-site connection. Also verify that the traffic
selector is configured as follows:
• Protocol = UDP
• Local Address = the TMS zl Module’s reachable IP address (the same
one that is specified for the local gateway address in the IKE policy)
• Local Port = 1701
• Remote Address = Any
• Remote Port = 1701
Note: Check all network objects used in IPsec policies and verify that they are
up-to-date and accurate.
4. Check the local gateway address in the IKE policy. Verify that this address
is the module IP address that the clients contact.
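The checks in steps 2 through 4 can be run as one audit. The following Python is an added example, not part of the guide. The dictionary layout, field names, and sample addresses are constructed assumptions for illustration, not a TMS zl export format.

```python
import ipaddress

# Constructed sample data: the settings that steps 2-4 inspect, copied by hand
# into a hypothetical record. Field names are assumptions, not a TMS zl format.
CONFIG = {
    "ike_policy": {"name": "l2tp-clients", "local_gateway": "203.0.113.10"},
    "ipsec_policy": {
        "ike_policy": "l2tp-clients",
        "selector": {"protocol": "UDP", "local_addr": "203.0.113.1",
                     "local_port": 1701, "remote_addr": "Any", "remote_port": 1701},
    },
    "static_routes": ["10.0.0.0/8", "192.168.50.0/24"],  # no default route
}

# Traffic selector values listed in step 3 (the local address is checked separately).
EXPECTED = {"protocol": "udp", "local_port": "1701", "remote_addr": "any", "remote_port": "1701"}

def best_route(routes, dest):
    """Longest-prefix match of dest against route prefixes; None if unrouted."""
    addr = ipaddress.ip_address(dest)
    hits = [n for n in map(ipaddress.ip_network, routes) if addr in n]
    return max(hits, key=lambda n: n.prefixlen, default=None)

def audit(cfg, remote_endpoint, client_target):
    """Return a list of findings; client_target is the address clients are set to contact."""
    ike, ipsec = cfg["ike_policy"], cfg["ipsec_policy"]
    sel, findings = ipsec["selector"], []
    if best_route(cfg["static_routes"], remote_endpoint) is None:
        findings.append(f"step 2: no static route covers {remote_endpoint}")
    if ipsec["ike_policy"] != ike["name"]:
        findings.append("step 3: IPsec policy references a different IKE policy")
    for field, want in EXPECTED.items():
        if str(sel[field]).lower() != want:
            findings.append(f"step 3: selector {field} is {sel[field]!r}, expected {want!r}")
    if ipaddress.ip_address(sel["local_addr"]) != ipaddress.ip_address(ike["local_gateway"]):
        findings.append("step 3: selector local address differs from IKE local gateway")
    if ipaddress.ip_address(ike["local_gateway"]) != ipaddress.ip_address(client_target):
        findings.append("step 4: IKE local gateway is not the address clients contact")
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG, "198.51.100.7", "203.0.113.10"):
        print(finding)
```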