TMS zl Management and Configuration Guide ST.1.2.100916

10-87
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
Troubleshoot L2TP Authentication to a Remote RADIUS Server. If
the VPN > Connections > VPN Connections window on the TMS zl Module shows
that the IPsec tunnel is up but the VPN connection on the remote client still
fails, the L2TP connection is failing. (Sometimes the IPsec tunnel is deleted
soon after the L2TP connection fails, so also check the TMS zl Module log
messages for a message reporting that the IPsec SA was established
successfully.)
You will need to troubleshoot authentication to the remote RADIUS server
(the previous section describes troubleshooting authentication to the TMS zl
Module).
You will need to examine your RADIUS server for error messages as a part of
the troubleshooting process. Windows IAS will be used as an example in the
process described below (adjust as necessary for the RADIUS server that you
are using).
1. Examine the log messages on your RADIUS server. For example, on a
Windows Server 2003 system that runs IAS, open the Event Viewer (under
Administrative Tools), select the System log, and look for events whose
source is IAS.
2. If you do not see any logs for received RADIUS requests for your test L2TP
user, the RADIUS settings on the TMS zl Module might be wrong:
a. In the TMS zl Module Web browser interface, select Network >
Authentication > RADIUS.
b. You should see an entry for the RADIUS server that authenticates the
L2TP users. Edit the entry and look for errors such as these:
Incorrect IP address
Incorrect port—The TMS zl Module always sends requests to UDP port 1812,
so the server must listen on that port. On IAS, check the port as follows:
i. Open IAS from the Administrative Tools.
ii. Right-click Internet Authentication Service and select Properties.
iii. Click the Port tab.
c. If the RADIUS settings are correct, verify that the messages can reach
the RADIUS server. Check that the TMS zl Module has a route to the RADIUS
server’s subnet. Also verify that firewall access policies permit RADIUS
messages (UDP port 1812) between the TMS zl Module (Self zone) and the
RADIUS server. It is often a good idea to place the RADIUS server in a
management zone.
d. Another possible problem is that the L2TP client is configured to allow
only MS-CHAPv2 authentication, a setting that the TMS zl Module rejects.
For instructions on setting up the default L2TP client on a Windows XP
machine, including changing this setting, see “Configure a Windows XP SP2
Client for L2TP over IPsec” on page 7-398.