TMS zl Management and Configuration Guide ST.1.2.100916

10-106
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
The local addresses on the local module do not match the remote
addresses on the remote module, and vice versa. The modules do not
consider the addresses to match even though the Any setting includes
the necessary addresses within it.
• The Local port setting on the local module does not match the Remote
port setting on the remote gateway. The local module permits only
FTP traffic from the remote endpoints, but the remote gateway permits
the remote endpoints to send any type of traffic.
Note: The correct traffic selector in the IPsec policy for a GRE over IPsec
tunnel is:
• Protocol = (47) GRE under IP Protocols
• Local Address = IP address that you configured as the local IP address for
the tunnel (not the tunnel interface IP address)
• Remote Address = actual IP address of the remote tunnel endpoint (not the
tunnel interface IP address)
Look for similar misconfigurations in your traffic selector. (Remember to
check any address objects used in the traffic selector.) If necessary, make
changes.
Caution: As you make any changes to the traffic selector, verify that the selector does
not match management traffic (traffic from your management station to the
TMS zl Module). If it does, you will lock yourself out of the module.
In addition, the local address must not include the local gateway address.
If necessary, create bypass IPsec policies to exclude module IP addresses from
the VPN. See “Configure Bypass and Deny IPsec Policies” on page 7-354 and
Chapter 7: “Virtual Private Networks.”
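The traffic selector checks above can be run offline against the values copied from both gateways. The following is an added example, not code from this guide or from the TMS zl Module; the Selector fields, function names and sample addresses are hypothetical, and management traffic is assumed to be TCP to a single port on the module.

```python
from ipaddress import ip_address, ip_network
from dataclasses import dataclass

@dataclass(frozen=True)
class Selector:
    """One side's IPsec traffic selector (field names are hypothetical)."""
    protocol: str     # "any", "tcp", "gre", ...
    local_addr: str   # CIDR, single IP, or "any"
    remote_addr: str
    local_port: str   # port number or "any"
    remote_port: str

def net(addr):
    # "any" is modelled as 0.0.0.0/0 so it can be compared with real networks.
    return ip_network("0.0.0.0/0" if addr.lower() == "any" else addr, strict=False)

def mirror_mismatches(ours, theirs):
    """List the fields where the peer's selector is not the exact mirror of ours.
    Equality is required: "any" does not match a subnet it merely contains."""
    bad = []
    if ours.protocol.lower() != theirs.protocol.lower():
        bad.append("protocol")
    if net(ours.local_addr) != net(theirs.remote_addr):
        bad.append("local address vs peer remote address")
    if net(ours.remote_addr) != net(theirs.local_addr):
        bad.append("remote address vs peer local address")
    if ours.local_port.lower() != theirs.remote_port.lower():
        bad.append("local port vs peer remote port")
    if ours.remote_port.lower() != theirs.local_port.lower():
        bad.append("remote port vs peer local port")
    return bad

def lockout_risks(sel, module_ip, mgmt_station, mgmt_port, local_gateway):
    """Flag the two conditions the Caution warns about (management modelled as TCP)."""
    risks = []
    if (sel.protocol.lower() in ("any", "tcp")
            and sel.local_port.lower() in ("any", str(mgmt_port))
            and ip_address(module_ip) in net(sel.local_addr)
            and ip_address(mgmt_station) in net(sel.remote_addr)):
        risks.append("selector matches management traffic")
    if ip_address(local_gateway) in net(sel.local_addr):
        risks.append("local address includes the local gateway address")
    return risks

# Constructed sample values (private / documentation ranges), not from the guide.
LOCAL = Selector("tcp", "10.1.0.0/16", "any", "21", "any")
PEER = Selector("tcp", "192.168.50.0/24", "10.1.0.0/16", "any", "any")
if __name__ == "__main__":
    print(mirror_mismatches(LOCAL, PEER), lockout_risks(LOCAL, "10.1.0.5", "10.2.0.9", 443, "203.0.113.1"))
```

The sample pair reproduces both misconfigurations described above: an Any remote address facing a specific subnet, and an FTP-only local port facing a peer that allows any port.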
2. Check the IPsec security settings.
To establish the IPsec tunnel, the TMS zl Module and the remote gateway
must agree on a number of settings. Table 10-19 displays those settings
and how they should match up between the module and the remote
device. Note that some settings are configured in the IPsec proposal and
some are configured in the IPsec policy. The table also indicates where
the setting is configured.