Nortel Secure Router 8000 Series Troubleshooting - VAS
Release: 5.3
Document Revision: 01.01
www.nortel.

Nortel Secure Router 8000 Series
Release: 5.3
Publication: NN46240-709
Document status: Standard
Document release date: 30 March 2009
Copyright © 2009 Nortel Networks
All Rights Reserved.
Printed in Canada, India, and the United States of America

LEGAL NOTICE
While the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED.
Contents (partial, as extracted)

About this document ........ 1
1 AAA troubleshooting ........ 1-1
  1.1 AAA overview ........ 1-1
2.2 Troubleshooting manual IPSec SA setup ........ 2-6
  2.2.1 Typical networking ........ 2-6
  2.2.2 Configuration notes
4.1.1 NAT attributes ........ 4-2
4.1.2 NAT modes ........ 4-3
4.1.3 Special protocols supported by the address translation

Figures (partial, as extracted)

Figure 1-1 RADIUS message structure ........ 1-2
Figure 1-2 Attribute format ........ 1-3
Figure 1-3 Networking diagram of local authentication
Figure 4-1 NAT principles ........ 4-2
Figure 4-2 NAPT working mode ........ 4-3
Figure 4-3 NAT networking
About this document

Overview
This section describes the organization of this document, the product version, the intended audience, conventions, and the update history.

Related versions
The following table lists the product versions related to this document.

Chapter                           Description
2 IPSec and IKE troubleshooting   This chapter describes troubleshooting procedures for IP Security (IPSec) and Internet Key Exchange (IKE), FAQs, and diagnostic tools.
3 Firewall troubleshooting        This chapter describes the troubleshooting procedure for the firewall, FAQs, and diagnostic tools.

Command conventions
Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }     Alternative items are grouped in braces and separated by vertical bars. You can select one item.
[ x | y | ...

Mouse operation
Action          Description
Click           Select and release the primary mouse button without moving the pointer.
Double-click    Press the primary mouse button twice quickly without moving the pointer.
Drag            Press and hold the primary mouse button and move the pointer to a new position.

Update history
Updates between document versions are cumulative.
1 AAA troubleshooting

About this chapter
The following table shows the contents of this chapter.

Section            Description
1.1 AAA overview   This section describes the concepts you need to know before troubleshooting Authentication, Authorization, and Accounting (AAA).

1.1.1 AAA and RADIUS

AAA
Authentication, Authorization, and Accounting (AAA) provides the following three security services:
- Authentication: determines which users are allowed to access the network.
- Authorization: determines which services an authenticated user is allowed to use.
- Accounting: records the network resources used by the user.
Value   Packet type      Indication                             Description
1       Access-Request   Sending an authentication request      The NAS sends an authentication request to a RADIUS server.
2       Access-Accept    Accepting the authentication request   The RADIUS server sends a response packet that accepts the authentication request.
3       Access-Reject    Rejecting the authentication request   The RADIUS server sends a response packet that rejects the authentication request.
After receiving an AAA authentication or accounting message, the NAS enables server detection if the status of the server is Down. It then encapsulates the message in a RADIUS packet and sends the packet to the current server. The NAS regards the server as Up only after it receives a response packet from that server.
- non-authentication
- RADIUS authentication
- HWTACACS authentication
AAA also allows any combination of the four modes (local authentication and the three listed above). Configure the authentication mode in the authentication scheme view. By default, local authentication is used. Use non-authentication mode only as a last resort, because it grants access without verifying the user. The authentication-mode radius local command uses RADIUS authentication first and local authentication as the fallback.

Configure the shared key in the RADIUS server template. The shared key must be identical to the key configured on the RADIUS server. The shared key is what authenticates RADIUS packets between the NAS and the server, so a mismatch produces authentication failures that are easy to mistake for a server that is down.

RADIUS supports a specified source address. You can configure the IP address of a loopback interface as the source address of the RADIUS packets sent to the RADIUS server, so that the server always sees the same NAS address regardless of the physical interface the packets leave from.
1.2.2 Configuration notes

Item                                               Sub-item                            Description
Configuring serial interfaces on the client side   Configure the IP address            The IP address on the client side must be in the same network segment as the address on the host side.
                                                   Configure PAP user authentication   The Password Authentication Protocol (PAP) user name and password configured on the client side must match those configured on the host side.

#
 aaa
  authentication-scheme default
  authorization-scheme default
  accounting-scheme default
  domain default
#

# Configure the local user and the domain. Configure the PAP user user001@nortel used on the client side as a local user on the host side.
If PAP mode is not used, check that the PPP link is Up.

# Configure the serial interface on the client side.
[Nortel] interface Serial 4/0/0
[Nortel-Serial4/0/0] ip address 9.1.1.1 255.255.255.0
[Nortel-Serial4/0/0] quit

# Configure the serial interface on the host side.
[Nortel] interface Serial 1/1/0
[Nortel-Serial1/1/0] ip address 9.1.1.2 255.255.255.
1.3.1 Typical networking
Figure 1-5 shows the networking of RADIUS authentication.
Figure 1-5 Networking diagram of RADIUS authentication (remote user, ISDN/PSDN, NAS, RADIUS server)

1.3.2 Configuration notes

Item                                    Sub-item                              Description
Configuring the RADIUS server template  Configure the authentication server   The IP address and port of the RADIUS authentication server are configured.
Configuring AAA                         Configure the authentication scheme   The RADIUS authentication mode is used.
                                        Configure the accounting scheme       The RADIUS accounting mode is used.
                                        Configure the domain nortel           A domain named nortel is created and associated with the authentication scheme, the accounting scheme, and the RADIUS server template.
Enabling the FTP server                 Enable the FTP server                 None.

[Nortel-radius-rt_nortel] quit

Configuring AAA
- Create a RADIUS authentication scheme and a RADIUS accounting scheme.
- Create a domain named nortel.
- Configure the authentication scheme, the accounting scheme, and the RADIUS server template in the domain view.
1.3.4 Troubleshooting procedure
Step 1 Check that the RADIUS server displays logon records.
Normally you can view the logon records on the server. When a user logs on through the RADIUS server, the server records the user name and the successful authentication. Otherwise, it records the fault and the possible causes.

The preceding display indicates that the RADIUS authentication packet has been sent. Next, check whether the response packet is received. If the following message appears, the NAS has received no usable response and has marked the authentication server Down. Check that the RADIUS authentication server is running and reachable, and that the shared key matches: a reply computed with a different shared key fails the Response Authenticator check and is discarded, so a key mismatch looks exactly like a server that never answers.
#Mar 12 01:49:08 2000 RT1 RDS/5/RDAUTHDOWN:RADIUS authentication server(IP 192.168.1.128) is down!
Step 2 Check the RADIUS authentication server.
ID               : 15
[Ftp-Directory ] [7 ] [hda1:]
The preceding display indicates that the RADIUS server delivers the FTP directory attribute, with the value hda1:. If no such display appears, configure the list of attributes delivered for the user. If the fault persists, contact Nortel technical support.
----End

- Check that the authentication port number configured in the RADIUS server template on the NAS is the same as the port on which the RADIUS server listens.
- Check that the shared key configured on the RADIUS server is identical to the shared key configured on the NAS.
- Check that the FTP directory attribute is delivered, and that user001 is assigned the delivered attribute.
1.5 FAQs
Q: Nortel devices and non-Nortel devices use the same TACACS server, but authentication fails. Why?
A: The user class range used by the third-party devices differs from the range used by Nortel. Nortel uses user classes 0 to 3; any value above 3 is invalid, so the authentication fails. To remove this fault, configure separate users, with valid class values, for the third-party products and for the Nortel products.

- If none of the domain address pools has an address left to allocate, the NAS allocates from the global address pool.

Q: What are the common RADIUS attributes?
A: The following table describes the common RADIUS attributes.

Value   Attribute            Field format        Usage
1       User-Name            String (1 to 32)    Configure the user name by using commands.
15      Login-Service        Integer             Indicates the logon service type, such as Telnet, Rlogin, TCP Clear, PortMaster (proprietary), and LAT.
18      Reply-Message        String (1 to 128)   In an Access-Accept packet, indicates successful authentication. In an Access-Reject packet, indicates the reason for the failed authentication.
43      Acct-Output-Octets   Integer             Indicates the number of bytes sent to the user, counted in bytes, Kbytes, Mbytes, or Gbytes.
44      Acct-Session-Id      String              The accounting session ID.
45      Acct-Authentic       Integer             The user authentication mode: 1 indicates RADIUS authentication, 2 indicates local authentication.
46      Acct-Session-Time    Integer             The online time of the user, in seconds.
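The message codes, attribute encoding and shared-key checks described in this chapter can be exercised without a router. The following Python example is added by the editor and is not part of the Nortel manual: it builds an Access-Request with the User-Password hidden as RFC 2865 specifies, stands in for the RADIUS server with a constructed user table, and then verifies the Response Authenticator on the NAS side. The last case shows the symptom from the troubleshooting procedure: when the server uses a different shared key, its reply is discarded, which is indistinguishable from a server that is down. The user names, passwords and the key "nortel" are constructed test data.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865 (same values as the tables above).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18


def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as RADIUS TLVs: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse the attribute area of a packet, rejecting truncated or malformed TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += c
        prev = c
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server computes it; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_access_request(ident, username, password, secret, request_auth=None):
    """NAS side: an Access-Request carrying User-Name and a hidden User-Password."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per RFC 2865
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_reply(request, secret, users):
    """Constructed stand-in for the RADIUS server: check the credentials, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    username = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and users.get(username) == password
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = encode_attrs([(ATTR_REPLY_MESSAGE, b"login ok" if ok else b"login failed")])
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    return struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs)) + auth + reply_attrs


def verify_reply(request, reply, secret):
    """NAS side: return the reply code if the identifier and Response Authenticator check out.

    A reply whose authenticator does not verify (for example because the server used a
    different shared key) is silently discarded and None is returned; this is why a
    shared-key mismatch looks like a server that never answers.
    """
    if len(reply) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length > len(reply):
        return None
    expected = response_authenticator(code, ident, request[4:20], reply[20:length], secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None
```

Note that the Request Authenticator must be fresh and unpredictable for every request: the password hiding is only as strong as MD5(secret + authenticator), and the same value reused across requests lets an observer relate the hidden passwords to each other.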
Command                                        Description
display domain                                 Displays the domain configuration.
display radius-server configuration template   Displays the RADIUS server template.
display hwtacacs-server template               Displays the HWTACACS server template.

display domain
display domain nortel
-------------------------------------------------------------------
Domain-name                 : nortel
Domain-state                : Active
Authentication-scheme-name  : hwtacacs
Accounting-scheme-name      : hwtacacs
Authorization-scheme-name   : hwtacacs
User-CAR                    : -
Web-IP-address              : -
Next-hop                    : -
Primary-DNS-IP-address      : -
Second-DNS-IP-address       : -
Primary-NBNS-IP-address     : -
Second-NBNS-IP-address

Source-IP-address              : 0.0.0.0
Shared-key                     : nortel
Quiet-interval(min)            : 5
Response-timeout-Interval(sec) : 5
Domain-included                : No
Traffic-unit                   : B
--------------------------------------------------------------------------
Note that the server template display shows the shared key in clear text, so restrict who may run this command and remove the key before pasting the output into a support case.

1.6.2 Debugging commands
Command                  Description
debugging radius packet  Debugs RADIUS packets.
debugging hwtacacs all   Debugs HWTACACS packets.
Contents of chapter 2 (partial, as extracted)
2 IPSec and IKE troubleshooting ........ 2-1
  2.1 IPSec and IKE overview ........ 2-3
  2.2 Troubleshooting manual IPSec SA setup

Figures (partial, as extracted)
Figure 2-1 Format of the transport mode packets ........ 2-4
Figure 2-2 Format of the tunnel mode packets ........ 2-4
Figure 2-3 Networking diagram of the manual IPSec SA setup
2 IPSec and IKE troubleshooting

About this chapter
The following table shows the contents of this chapter.

Section                      Description
2.1 IPSec and IKE overview   This section describes the concepts you need to know before troubleshooting IP Security (IPSec) and Internet Key Exchange (IKE).
2.8 FAQs                     This section lists frequently asked questions (FAQs) and their answers.
2.9 Diagnostic tools         This section describes common diagnostic tools: display commands and debugging commands.
2.1 IPSec and IKE overview
The IP Security (IPSec) protocol suite is a set of protocols defined by the Internet Engineering Task Force (IETF). It provides high-quality, interoperable, cryptography-based security for IP packets. IPSec uses two security protocols:
- Authentication Header (AH) protocol
- Encapsulating Security Payload (ESP) protocol
Internet Key Exchange (IKE) negotiates keys and security associations automatically.

IPSec encapsulation modes
The SA specifies the encapsulation mode. IPSec has two encapsulation modes:
- Transport mode: the AH/ESP header is inserted after the IP header and before the transport-layer header (or any other IPSec header). Figure 2-1 shows the format of transport mode packets.
- Tunnel mode: the original IP packet is wrapped in a new IP header; the AH/ESP header is inserted after the new IP header and before the original IP header.

Authentication algorithms
- Message Digest 5 (MD5) takes a message of any length and produces a 128-bit digest.
- Secure Hash Algorithm 1 (SHA-1) takes a message shorter than 2^64 bits and produces a 160-bit digest. The SHA-1 digest is longer than that of MD5, so SHA-1 is the stronger of the two; prefer it where both ends support it.

Encryption algorithms
ESP can encrypt the IP packet to prevent disclosure of the packet contents during transmission.

IKE negotiation modes
- Main mode: separates the key exchange from the identity and authentication payloads, so the identities are exchanged only after the channel is protected.
- Aggressive mode: sends the SA, key exchange, and authentication payloads together in fewer messages, at the cost of exposing the identity information in the clear.

2.2 Troubleshooting manual IPSec SA setup
This section covers the following topics:
- Typical networking
- Configuration notes
- Troubleshooting flowchart
- Troubleshooting procedure
Item                                           Sub-item                                                          Description
Configuring the ACL                            Configure the source and destination port specified in ACL rules  Optional.
                                               Configure the other items in ACL rules                            Not required.
                                               Configure the number of ACL rules                                 Configure only one rule.
Configuring the IPSec proposal                 Configure the name of the IPSec proposal                          The name is a string of 1 to 15 characters.
Configuring the IPSec policy                   Configure the SPIs of SAs                                         Configure SAs in the inbound and outbound directions.
                                               Configure the authentication shared keys for SAs                  Note the following:
                                                                                                                 - SA parameters on both ends must match.
                                                                                                                 - The SPI (and key) of the local inbound SA must be the same as the SPI (and key) of the peer's outbound SA, and vice versa.
Configuring the IPSec policy group application Configure the interface type and ID                               The Secure Router 8000 Series implements IPSec not only on physical interfaces, such as serial and Ethernet interfaces, but also on virtual interfaces, such as the tunnel interface and the virtual template interface. That is, IPSec can also be applied to a GRE or L2TP tunnel.

Configuring an IPSec policy
# Configure the name of the IPSec policy to map1. In this policy, set the sequence number to 10 and the negotiation mode to manual; reference the ACL and the IPSec proposal; and configure the IP address of the remote tunnel end, the SPIs, and the shared keys.
2.2.4 Troubleshooting procedure
Step 1 Check whether the two ends of the tunnel are reachable with no IPSec policy applied.
Use the undo ipsec policy command on the interfaces at both IPSec tunnel ends. On PC A, ping PC B. A failed ping indicates a faulty route or link between PC A and PC B. For information about removing the fault, see Nortel Secure Router 8000 Series Troubleshooting - IP Routing (NN46240-706).

IPsec Policy Group: "map1"
Using local-address: {}
Using interface: {Ethernet0/2/0}
===========================================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: manual
-----------------------------
security data flow : 3101
tunnel local address: 202.38.163.1
tunnel remote address: 202.38.162.

display ipsec sa policy map1
===============================
Interface: Ethernet0/2/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: manual
-----------------------------
encapsulation mode: tunnel
tunnel local : 202.38.163.1
tunnel remote: 202.38.162.
Figure 2-5 Networking diagram of setting up ISAKMP IPSec
(Router A with Pos1/0/1 202.38.163.1 and LAN side 10.1.1.1, host 10.1.1.2; Internet; Router B with Pos2/0/1 202.38.162.1 and LAN side 10.1.2.1, host 10.1.2.2)
The networking environment is as follows:
- Set up the IPSec SA in IKE negotiation mode.
- Create a security tunnel between Router A and Router B.
- Provide security protection to the data flow between the two network segments 10.1.1.x and 10.1.
Item                                Sub-item                               Description
                                    Configure the encryption algorithm     DES or 3DES. DES uses a 56-bit key and is considered weak; use 3DES where the peer supports it.
Configuring the local ID for IKE    Configure the local ID for IKE         In aggressive negotiation mode, if name is used as the local authentication type, configure the local ID. In main mode, the local ID is not necessary.
Configuring the IKE proposal        Configure the priority of the IKE proposal   An integer from 1 to 100 indicating the priority of the IKE proposal.
Configuring the IKE peer            Configure the IKE proposal ID          In main mode, use the configured IKE proposal. In aggressive mode, use the default IKE proposal.
                                    Configure the local ID type            Specify the type of the IKE ID: an IP address or the name of the IKE peer. In main mode, only the IP address can be the local ID. By default, the IP address is used as the IKE ID.
Configuring the IPSec policy        Configure PFS                          Perfect Forward Secrecy (PFS) adds an extra Diffie-Hellman exchange in Phase 2, so that the IPSec SA keys are not derived solely from the Phase 1 keying material. By default, PFS is disabled. If PFS is specified on the local end, the peer must also perform the PFS exchange when it initiates the negotiation; otherwise the Phase 2 negotiation fails.

[RouterA-ike-peer-routerb] remote-address 202.38.162.1

1. Configure an ACL.
# Configure an ACL specifying the data flow from 10.1.1.x to 10.1.2.x.
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

2. Configure an IPSec proposal.
# Specify the name of the IPSec proposal as tran1.
Figure 2-6 Troubleshooting flowchart of SA setup in Phase 1
The flowchart reads as follows: SAs fail to be set up in Phase 1. Are the IKE proposals on the two ends the same? If not, modify the IKE proposal configuration.

Figure 2-7 Troubleshooting flowchart of SA setup in Phase 2
The flowchart reads as follows:
1. SAs fail to be set up in Phase 2. Were the SAs set up successfully in Phase 1? If not, remove the fault by following the Phase 1 SA troubleshooting flow; if the fault disappears, end.
2. Are the IPSec proposals on the two ends consistent? If not, modify the proposal configuration; if the fault disappears, end.
3. Are the ACLs adopted on the two ends mutual mirrors of each other? If not, modify the ACLs and check again whether the fault disappears.
Use the display ike sa command to view the SAs in Phase 1.
display ike sa
    connection-id  peer           VPN  flag    phase  doi
    ---------------------------------------------------------
    14             202.38.162.1        RD|ST   1      IPSEC
The display indicates that the Phase 1 SA with the peer 202.38.162.1 has been set up (flag RD means the SA is ready). If no SA is displayed or the flag is not RD, SA setup in Phase 1 has failed.

display ipsec sa policy map1
===============================
Interface: Ethernet4/2/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
-----------------------------
connection id: 37
encapsulation mode: transport
tunnel local : 202.38.163.1
tunnel remote: 202.38.162.

dropped security packet detail:
  no enough memory: 0
  can't find SA: 2
  queue is full: 0
  authentication is failed: 0
  wrong length: 0
  replay packet: 0
  too long packet: 0
  wrong SA: 0
with secp,process packets failure statistics:
  m2cqueue full: 0
  m2csend: 0
  m2ctimer: 0
  c2mid: 0
  c2msequence: 0
  secpprocess: 0
You can view the numbers of sent and received IPSec packets. The router classifies dropped packets by cause, so a non-zero counter points at the fault: "can't find SA" means packets arrived for which no matching SA exists (typically an SPI or SA mismatch between the two ends), and "authentication is failed" means the integrity check failed (typically mismatched authentication keys or algorithms).
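Reading the drop counters by hand is error-prone on a busy router, so the following Python example, added by the editor and not part of the Nortel manual, parses the "dropped security packet detail" section of display ipsec sa output and lists the non-zero counters with a likely cause. The counter names are taken from the display above; the causes in HINTS are the editor's interpretation of those names, not wording from the manual, and the sample output is constructed.

```python
import re
from typing import Dict, List, Tuple

# The counters live between "dropped security packet detail:" and the next statistics
# heading ("with secp ...") or the end of the captured text.
DROP_SECTION_RE = re.compile(
    r"dropped security packet detail:(?P<body>.*?)(?=with secp|$)", re.S)
COUNTER_RE = re.compile(r"([A-Za-z' ]+?):\s*(\d+)")

# Likely cause per counter name (editor's interpretation, assumed rather than documented).
HINTS = {
    "can't find SA": "no SA matches the packet (SPI, peer or policy mismatch, or the SA expired on one end)",
    "authentication is failed": "integrity check failed (authentication key or algorithm differs between the ends)",
    "replay packet": "anti-replay window rejected the packet (reordering on the path or a replayed stream)",
    "wrong SA": "packet matched an SA that is not valid for it (check protocol and encapsulation mode)",
    "wrong length": "packet length inconsistent with the SA's transform",
    "too long packet": "packet exceeds the path MTU after encapsulation",
    "queue is full": "the IPSec processing queue is saturated",
    "no enough memory": "the router ran out of memory for IPSec processing",
}


def parse_drop_counters(text: str) -> Dict[str, int]:
    """Return {reason: count} from the 'dropped security packet detail' section."""
    m = DROP_SECTION_RE.search(text)
    if not m:
        raise ValueError("no 'dropped security packet detail' section in the output")
    return {name.strip(): int(count) for name, count in COUNTER_RE.findall(m.group("body"))}


def diagnose(text: str) -> List[Tuple[str, int, str]]:
    """Non-zero drop counters, largest first, each with its likely cause."""
    counters = parse_drop_counters(text)
    return [(reason, n, HINTS.get(reason, "see the troubleshooting procedure"))
            for reason, n in sorted(counters.items(), key=lambda kv: -kv[1]) if n > 0]


# Constructed sample in the layout the router prints, one counter per line.
SAMPLE = """\
dropped security packet detail:
  no enough memory: 0
  can't find SA: 2
  queue is full: 0
  authentication is failed: 0
  wrong length: 0
  replay packet: 0
  too long packet: 0
  wrong SA: 0
with secp,process packets failure statistics:
  m2cqueue full: 0
"""

if __name__ == "__main__":
    for reason, n, hint in diagnose(SAMPLE):
        print(f"{reason}: {n} dropped; {hint}")
```

The parser also accepts the counters run together on one line, as they appear when display output is copied out of a terminal log, because it keys on the "name: number" pairs rather than on line breaks.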
Figure 2-8 Networking diagram of setting up an SA using an IPSec policy template
(Router A with GE1/0/1 202.38.163.1 and Ethernet segment 10.1.1.X, PC A 10.1.1.2; Internet; PC C at an address that is not known in advance)
The networking environment is as follows:
- Set up an IPSec tunnel between Router A and PC C. The IP address of PC C is not known in advance.
- Set up the SA using an IPSec policy template on Router A.
- Provide security protection to the data flow between PC A (at 10.1.
Item                                    Sub-item                                          Description
                                        Configure the authentication mode                 Specify pre-shared key as the authentication mode of the IKE proposal and configure the pre-shared key itself. By default, the authentication mode is pre-shared key.
Configuring the IKE peer                Configure the authentication algorithm            MD5 or SHA-1.
                                        Configure the encryption algorithm                DES or 3DES.
                                        Configure the peer name                           The name is a string of 1 to 15 characters. If the local authentication mode is name, you must specify the peer name.
                                        Enable NAT traversal                              By default, NAT traversal is disabled.
Configuring the IPSec policy template   Configure the name of the IPSec policy template   The name is a string of 1 to 15 characters. Policies with the same name belong to one policy group.
Applying the IPSec policy group         Configure the sequence number of the IPSec policy The sequence number ranges from 1 to 10000. The lower the value, the higher the priority.
                                        Configure the negotiation mode                    Set up SAs in ISAKMP mode.
                                        Use the IPSec policy template                     Use the previously configured IPSec policy template.

Configuring an IPSec proposal
# Configure the name of the IPSec proposal to tran1 and the encapsulation mode to transport, which saves bandwidth. Configure the proposal to use the security protocol ESP, the authentication algorithm SHA-1, and the encryption algorithm DES.
2.4.4 Troubleshooting procedure
Step 1 Check whether the two ends of the tunnel are reachable with no IPSec policy applied.
Use the undo ipsec policy command at the IPSec tunnel ends. Close the IPSec client on PC C. Ping PC A from PC C. A failed ping indicates a faulty route or link between PC A and PC C.

-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
-----------------------------
security data flow : 3101
ike-peer name: routerc
perfect forward secrecy: None
proposal name: tran2
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
-----------------------------
IPsec policy name: "map1"
sequence number: 100
mode: template
----------
2.5.1 Typical networking
Figure 2-10 shows the networking diagram of NAT traversal in the IPSec tunnel.
Figure 2-10 Networking diagram of IPSec NAT traversal
(Router A, Firewall C, and Router B, with interfaces labelled Eth1/0/1 202.38.163.1, Eth0/0/1 202.38.162.10, and Eth2/0/1 202.38.162.1 across the Internet; LAN sides 10.1.1.1 with PC A 10.1.1.2 and 10.1.2.1 with PC B 10.1.2.2)
The networking environment is as follows:
- A firewall (Firewall C) exists between Router A and Router B.
Item                                Sub-item                                                     Description
                                    Configure other items                                        See the configuration notes for "Troubleshooting ISAKMP SA."
Configuring the local ID for IKE    Configure the local ID for IKE                               You must configure a local ID for IKE, because NAT traversal uses aggressive IKE negotiation with the local name as the local authentication type.
Applying the IPSec policy group     -                                                            See the configuration notes for "Troubleshooting ISAKMP SA."

For configuring the external NAT network, see "Troubleshooting SA setup using an IPSec policy template." The following table lists the notes and constraints.

Item                                Sub-item                                                     Description
Configuring the ACL                 -                                                            Configure the external NAT network using the template.
                                    Configure the IP addresses or address segments of the peer   Configure the IP addresses or address segments for an IKE peer. If high-ip-address is not specified, configure only one IP address for the IKE peer. Here the IP address of the peer must be a single, unique address, because the IPSec policy template does not use the IKE peer to select the remote end.
# Configure the host local ID in aggressive IKE negotiation mode.
system-view
[RouterA] ike local-name routera

2. Configure IKE proposals.
By default, the default IKE proposals are used.

3. Configure the IKE peer.
# Set the name of the IKE peer to routerb, use aggressive negotiation mode, and set “name” as the local ID authentication type. Preset the shared key to nortel.
[RouterA-Ethernet1/2/0] ipsec policy map1

Router B

For information about configuring Router B, see the configuration notes for “Troubleshooting SA setup using an IPSec policy template.”

1. Configure the local ID for IKE.
# Configure the local ID of the host in aggressive IKE negotiation mode.
system-view
[RouterB] ike local-name routerb

2. Configure IKE proposals.
[RouterB-ipsec-policy-templet-maptemp-10] ike-peer routerb

7. Configure an IPSec policy.
# Set the name of the IPSec policy to map1, the sequence number to 100 and the negotiation mode to ISAKMP, and use the IPSec policy template maptemp.
[RouterB] ipsec policy map1 100 isakmp template maptemp

8. Apply the IPSec policy group.
# Apply the IPSec policy map1 on the Ethernet interface.
2.5.4 Troubleshooting procedure

Step 1 Check whether the two ends of the tunnel are reachable with no IPSec policy applied.
Use the undo ipsec policy command on both ends of the IPSec tunnel. On PC A, ping PC B. A failed ping indicates a faulty link or route between PC A and PC B. For information about removing the fault, see Nortel Secure Router 8000 Series Troubleshooting - IP Routing (NN46240-706).
Use the display ipsec proposal name command to check whether the IPSec proposals specified on the two ends are the same.

display ipsec proposal name tran1
IPsec proposal name: tran1
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication sha1-hmac-96, encryption des

Use the preceding command on Router A and Router B to view the constraint conditions.
[Figure 2-12 Networking diagram of configuring IPSec: Router A (Pos1/0/1 202.38.163.1) and Router B (Pos2/0/1 202.38.162.1) connected across the Internet, with the GRE tunnel between them protected by IPSec; LAN addresses 10.1.1.1 and 10.1.2.1; PC A and PC B at 10.1.1.2 and 10.1.2.2]

The networking environment is as follows:
- Create a GRE tunnel between Router A and Router B.
- Create an IPSec tunnel between Router A and Router B to protect packets forwarded through the GRE tunnel.
Item | Sub-item | Description
- | Configure the number of ACL rules | Configure only one ACL rule.
- | Configure the name of the IPSec proposal | The name is a string of 1 to 15 characters.
- | Configure the encapsulation mode | Transport mode or tunnel mode.
- | Configure other items | See “Troubleshooting ISAKMP SA.”
Configuring the local ID for IKE | — | See “Troubleshooting ISAKMP SA.”
[RouterA-Tunnel1/0/1] destination 202.38.162.1

Configuring IKE proposals
If no IKE proposal is configured, the remote end uses the default IKE proposals.

Configuring the IKE peer
# Set the name of the IKE peer to routerb and use aggressive negotiation mode. Preset the shared key to nortel. Note that the shared keys configured on the two ends must be consistent. Configure the IP address 202.38.162.1 for the remote end.
2.6.4 Troubleshooting procedure

Step 1 Check whether the tunnel is reachable with no IPSec policy applied.
As shown in Figure 2-12, use the undo ipsec policy command to disable the IPSec policy on Router A and Router B. The packets are then forwarded through the GRE tunnel only. On PC A, ping PC B. If the ping succeeds, the route, the link, and the GRE tunnel between PC A and PC B are normal.
2.7 Troubleshooting cases

Fault symptom
Figure 2-14 shows a diagram of IPSec SA setup in ISAKMP mode.

[Figure 2-14 Networking diagram of IPSec setup: Router A (Pos1/0/1 202.38.163.1) and Router B (Pos2/0/1 202.38.162.1) connected across the Internet; LAN addresses 10.1.1.1, 10.1.2.1, 10.1.1.2, 10.1.2.2]

After Router A is restarted, the IPSec tunnel fails.

Fault analysis
- Use the debugging ipsec packet command on Router B.
Summary
If the keep-alive function of the ISAKMP SA is disabled, you must remove the related SA manually after the device is restarted.

2.8 FAQs

Q: In an unstable network, SAs cannot be set up, or SAs are set up but communication between the peers fails although the ACLs have matching security proposals. Why?
A: The possible cause is that the router on one end restarts after the SAs are set up.
- The local and remote ACLs must be mutually mirrored. (When the IPSec policy template is used, this item can be ignored.)

Q: Can AH and ESP be used at the same time?
A: They can be used either separately or together. If they are used together, the traffic is authenticated twice. Nortel recommends that you do not use them at the same time.
Command | Description
display ipsec sa policy | Displays the SA associated with the IPSec policy.
display ipsec sa brief | Displays brief information about the IPSec SA.
display ike proposal | Displays the IKE proposal.
display ike peer name | Displays the IKE peer.
display ike sa | Displays the IKE SA.
display ipsec statistics | Displays IPSec statistics.
Using local-address: {}
Using interface: {Ethernet0/2/0}
===========================================
----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: manual
----------------------------
security data flow : 3101
tunnel local address: 202.38.163.1
tunnel remote address: 202.38.162.
proposal name:tran1
The display indicates the proposal used in the IPSec policy. You can use the proposal command to modify the configuration.

inbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
The display indicates the SPI and the AH shared keys, both as character strings and as hexadecimal numerals, for the inbound direction of the manually set up SA.
Using local-address: {}
Using interface: {Ethernet1/0/0}
===========================================
----------------------------
IPsec policy name: "map2"
sequence number: 10
mode: isakmp
----------------------------
security data flow : 3102
ike-peer name: routerb
perfect forward secrecy: None
proposal name: tran2
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobyte
You can use the ipsec sa global-duration time-based command to modify the global SA duration.

IPsec sa local duration(traffic based): 1843200 kilobytes
The display indicates the traffic-based SA duration. You can use the sa duration traffic-based command to modify the configuration. If no SA duration is configured in the policy, the configured global traffic-based SA duration is used.
The display indicates that the SPI for the inbound direction of the SA is 54321, the protocol is ESP, the encryption algorithm is DES (ESP-ENCRYPT-DES), and the authentication algorithm is SHA-1 (ESP-AUTH-SHA1).
You can use the dh { group1 | group2 } command to modify the configuration.

duration(seconds)
This indicates the ISAKMP SA duration in the IKE proposal. You can use the sa duration command to modify the configuration. To ensure secure communication during ISAKMP SA updates, set the duration to more than 10 minutes.
nat traversal: disable
The preceding field shows the status of NAT traversal: enable or disable. You can use the nat traversal command to modify the configuration.

display ike sa
display ike sa
    connection-id  peer            VPN  flag     phase  doi
    --------------------------------------------------------------------
    15             202.38.162.1    0    RD|ST    2      IPSEC
    14             202.38.162.
input/output security bytes: 4816/5600
input/output dropped security packets: 0/2
dropped security packet detail:
no enough memory: 0
can't find SA: 2
queue is full: 0
authentication is failed: 0
wrong length: 0
replay packet: 0
too long packet: 0
wrong SA: 0
input/output security packets: 56/56
The preceding display shows the statistics of the number of input and output IPSec packets.
The packets are sent from the interface that uses the IPSec policy group. The packets match the ACL used in policy map2-10, so they should be protected by IPSec. The corresponding SA, however, is still performing IKE negotiation, so the packets are dropped.

--- Send IPSec packet ---
Tunnel mode. Adding outer IP header succeed! Src: 202.38.163.1 Dst: 202.38.162.
To remove this fault, check whether the ACLs on the two ends mirror each other. If not, modify them.

got NOTIFY of type NO_PROPOSAL_CHOSEN
or
drop message from 202.38.162.1 due to notification type NO_PROPOSAL_CHOSEN
The preceding display indicates that the proposals on the two negotiation ends do not match each other. Check whether:
- There are IKE proposals matching each other in Phase 1 negotiation.
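The drop counters and IKE notifications above can be triaged automatically when collecting output from many routers. The following script is an added example, not Nortel code: it parses a constructed copy of the display ipsec statistics block and the debug lines quoted in this section and returns the hint this chapter gives for each non-zero counter and for NO_PROPOSAL_CHOSEN (the hints for counters other than "can't find SA" are assumed interpretations of the counter names).

```python
"""Triage helper for display ipsec statistics drop counters and IKE debug lines."""
import re

# Constructed sample: the counter block reproduced in this section.
SAMPLE_STATISTICS = """\
input/output security packets: 56/56
input/output security bytes: 4816/5600
input/output dropped security packets: 0/2
dropped security packet detail:
no enough memory: 0
can't find SA: 2
queue is full: 0
authentication is failed: 0
wrong length: 0
replay packet: 0
too long packet: 0
wrong SA: 0
"""

# Constructed sample debug lines in the form quoted in this section.
SAMPLE_DEBUG = [
    "got NOTIFY of type NO_PROPOSAL_CHOSEN",
    "drop message from 202.38.162.1 due to notification type NO_PROPOSAL_CHOSEN",
]

# Hints for non-zero drop counters.  The "can't find SA" case is the one this
# section explains (packets arrive while the SA is still being negotiated);
# the other entries are assumed interpretations of the counter names.
DROP_HINTS = {
    "can't find SA": "No SA exists for this flow yet: check that IKE negotiation "
                     "completes (display ike sa) and that the ACLs on both ends mirror each other.",
    "authentication is failed": "Integrity check failed: compare the authentication "
                                "algorithm and keys configured on both ends.",
    "replay packet": "Rejected by the anti-replay check: look for duplicated or "
                     "reordered packets on the path.",
    "wrong SA": "Packet referenced an SA that does not match its flow: check SPIs "
                "and policy sequence numbers.",
}

# IKE notification types quoted in this section and the check the text gives.
NOTIFY_HINTS = {
    "NO_PROPOSAL_CHOSEN": "Proposals on the two ends do not match: check that an IKE "
                          "proposal matches in Phase 1 and an IPSec proposal in Phase 2.",
}

COUNTER_RE = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<value>\d+)\s*$")
NOTIFY_RE = re.compile(r"(?:NOTIFY of type|notification type)\s+(?P<type>[A-Z_]+)")
PEER_RE = re.compile(r"from (?P<peer>\d+\.\d+\.\d+\.\d+)")


def parse_drop_detail(text):
    """Return {counter: value} for the lines after 'dropped security packet detail:'."""
    counters = {}
    in_detail = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("dropped security packet detail"):
            in_detail = True
            continue
        if in_detail:
            m = COUNTER_RE.match(line)
            if m:
                counters[m["name"]] = int(m["value"])
    return counters


def explain_drops(text):
    """Return [(counter, value, hint)] for every drop counter that is not zero."""
    return [
        (name, value, DROP_HINTS.get(name, "No hint recorded for this counter."))
        for name, value in parse_drop_detail(text).items()
        if value
    ]


def ike_notifications(lines):
    """Map each notification type seen to the peer that sent it (if logged) and a hint."""
    found = {}
    for line in lines:
        m = NOTIFY_RE.search(line)
        if not m:
            continue
        entry = found.setdefault(
            m["type"],
            {"peer": None, "hint": NOTIFY_HINTS.get(m["type"], "Unknown notification type.")},
        )
        peer = PEER_RE.search(line)
        if peer:
            entry["peer"] = peer["peer"]
    return found


if __name__ == "__main__":
    for name, value, hint in explain_drops(SAMPLE_STATISTICS):
        print(f"{name} = {value}: {hint}")
    for ntype, info in ike_notifications(SAMPLE_DEBUG).items():
        print(f"{ntype} from {info['peer']}: {info['hint']}")
```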
3 Firewall troubleshooting

About this chapter
The following table lists the contents of this chapter.

Section | Describes
3.1 Firewall | This section introduces the concepts that you need to know before troubleshooting the firewall.
3.
3.1 Firewall

The firewall of the Secure Router 8000 Series filters packets and performs Network Address Translation (NAT) on the basis of the Access Control List (ACL). This chapter describes troubleshooting of the packet filter firewall. For information about NAT troubleshooting, see Chapter 13, “NAT troubleshooting.”

Concepts
The process for filtering IP data packets is as follows:
1.
3.2.1 Networking environment

[Figure 3-1 Networking of the firewall: a PC on the internal network 10.1.1.0/24 connects to the SR8008 through Ethernet2/0/0 (10.1.1.5/24); the SR8008 connects to the Internet through ATM1/0/0 (202.38.160.1/24); a server 202.1.2.3/24 is on the external network]

Based on the networking diagram, you can perform the following actions:
- Use the Secure Router 8008 as the egress.
- Connect the egress to the Internet through the interface ATM 1/0/0.
[Figure 3-2 Diagnostic flowchart for faults on the firewall. Starting from "Firewall is invalid": Is network connectivity normal? If no, check the status of the interface and exclude faults at the link layer. Is the ACL rule correct? If no, reconfigure the ACL rule. Is the traffic classification correct? If no, reconfigure the traffic classification. Is the traffic behavior correct? If no, reconfigure the traffic behavior. Is the traffic policy correct? If no, reconfigure the traffic policy.]
3.2.4 Troubleshooting procedures
The troubleshooting procedures are as follows.
Checking that the traffic behavior is correct
Run the display traffic behavior user-defined command in any view to check whether the traffic behavior and the proper firewall action are configured.

Checking that the traffic policy is correct
Run the display traffic policy command in any view to check whether the correct action is specified for the traffic classification.
Command | Description
display traffic policy interface [ { interface-type interface-number } [ inbound | outbound | dlci dlcinumber ] ] | Displays all policies applied on the synchronous interfaces with FR (Frame Relay) as the link layer protocol.

display this
[Nortel-Ethernet2/0/0] display this
#
interface Ethernet2/0/0
 traffic-policy mypolicy1 inbound
#
return
Check that the policy is applied on the interface.
Main field | Description
Behavior | The behavior associated with the class in the policy

display traffic behavior user-defined
[Nortel] display traffic behavior user-defined
  User Defined Behavior Information:
    Behavior: test
      Assured Forwarding:
        Bandwidth 30 (Kbps)
        Discard Method: Tail
        Queue Length : 64 (Packets)
      General Traffic Shape:
        CIR 30000 (bps), CBS 15000 (bit), EBS 0 (bit)
        Queue length 50 (Packets)
      Marking:
        Remark MPLS
      Rule(s) : if-match acl 3001

Table 3-3 Description of the output information of the display traffic classifier command
Main field | Description
User Defined Classifier Information | Information about the traffic classification defined by the user
Classifier | The name of the traffic classification
Operator | The relationship between the rules used for matching the class
Rule(s) | The matching rules

display acl
[Nortel] display acl 3001
Table 3-4 Description of the output information of the display traffic policy interface command
Main field | Description
Direction | The direction of the policy application
Interface | The interface on which the policy is applied
Policy | The name of the applied policy
Classifier | The class in the policy
Behavior | The behavior associated with the class in the policy
Committed Access Rate | The configured committed ac
4 NAT troubleshooting

About this chapter
The following table lists the contents of this chapter.

Section | Describes
4.1 NAT | This section describes the information you need to know before troubleshooting NAT.
4.2 Troubleshooting NAT | This section describes the notes about configuring NAT, and provides the NAT troubleshooting flowchart and the troubleshooting procedure in a typical NAT networking.
4.
4.1 NAT

4.1.1 NAT attributes
Network Address Translation (NAT) allows hosts in a private network to share IP addresses for Internet access. With the rapid growth of the Internet, the number of available IPv4 addresses has become insufficient. NAT was introduced to conserve IP addresses: with NAT, many users can access the Internet through a small number of IPv4 addresses at the same time.
4.1.2 NAT modes
NAT has two modes. In one mode, NAT replaces only the IP address of the packet, as shown in Figure 4-1. In the other mode, called Network Address Port Translation (NAPT), NAT replaces both the IP address and the port number of the packet, as shown in Figure 4-2. NAPT shares IP addresses with high efficiency and is therefore the most commonly used mode of NAT.
4.2 Troubleshooting NAT

4.2.1 Typical networking
As shown in Figure 4-3, an enterprise is connected to the Wide Area Network (WAN) by using NAT on the Secure Router 8000 Series router. It is required that the enterprise network be connected to the Internet through the serial port 3/0/0 on the router and that the enterprise network provide Web and FTP services to Internet users.
[Figure 4-4 Networking of the load balancing, flow control and BT speed control on the NAT server: WWW Server1 10.110.10.1, WWW Server2 10.110.10.2 and WWW Server3 10.110.10.3 on the internal Ethernet of the company, together with internal PCs 10.110.10.100 and 10.110.12.100; the SR8000 interfaces Eth1/0/0 (202.38.160.108/28) and Eth1/0/1 (202.38.166.100/28) connect to Internet 1 and Internet 2, each with an external PC]
4.2.
Item | Description
Configuring the limit on the number of connected users, the traffic, and the total amount of BT | The maximum number of both users and source IP addresses is 7.
4.2.
[Figure 4-5 NAT troubleshooting flowchart. Starting from "Configuring NAT fails": Is the physical status of the interfaces Up? Are the ACL rules correctly configured? Is the address pool associated with the ACLs? If not, associate the address pool with the ACLs. Are there routes from the internal network to the external network? If not, configure routes from the internal network to the external network. After each corrective step: Is the fault rectified?]
4.2.4 Troubleshooting procedures
The troubleshooting procedures are as follows:

Step 1 Check that all interfaces are Up.
Run the display this interface command in the interface view to check whether the physical and link status of each interface is Up. If an interface is Down, bring the physical and link status of the interface Up and ensure that the directly connected interfaces can be pinged successfully.
4.3 Troubleshooting cases

4.3.1 Internal Network Cannot Successfully Ping the External Network After NAT Is Configured on the Router

Networking
In the network shown in Figure 4-6, outbound NAT is configured; Router A is connected to the internal network and Router C is connected to the external network. It is required that NAT be configured on Router B to implement communication between the internal network and the external network.
Step 6 Run the display ip routing-table command to check whether a static route to the address pool is configured on Ethernet 4/0/0. It is required that the next hop of the static route be the interface Null0 and that the mask of the Null0 route have the same length as that of the address pool. However, it is found that the mask lengths differ.
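The check in Step 6 can be scripted against collected routing-table output. The following script is an added example, not Nortel code: it parses a constructed routing-table excerpt (documentation addresses; the column layout is an assumption) and reports whether a static Null0 route exists for the pool with exactly the pool's prefix length, which is what keeps packets for untranslated pool addresses from being forwarded back toward the external network.

```python
"""Check for the Null0 route that must match a NAT address pool (Step 6 above)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed routing-table excerpt using documentation addresses; the column
# layout (Destination/Mask, Proto, Pre, Cost, NextHop, Interface) is assumed.
SAMPLE_ROUTING_TABLE = """\
Destination/Mask    Proto   Pre  Cost  NextHop         Interface
203.0.113.0/28      Direct  0    0     203.0.113.1     Ethernet4/0/0
203.0.113.16/28     Static  60   0     0.0.0.0         NULL0
192.0.2.0/24        Direct  0    0     192.0.2.1       Ethernet3/0/0
"""

ROUTE_RE = re.compile(
    r"^(?P<dest>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<proto>\S+)\s+\d+\s+\d+\s+"
    r"(?P<nexthop>\S+)\s+(?P<iface>\S+)$"
)


@dataclass
class Route:
    network: ipaddress.IPv4Network
    proto: str
    nexthop: str
    iface: str


def parse_routes(text):
    """Parse the constructed table format into Route objects (header lines are skipped)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(ipaddress.ip_network(m["dest"], strict=False),
                                m["proto"], m["nexthop"], m["iface"]))
    return routes


def check_pool_blackhole(pool_cidr, routes):
    """Return (ok, message); ok only if a static Null0 route has exactly the pool's prefix length."""
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    statics = [r for r in routes
               if r.proto.lower() == "static" and r.network.overlaps(pool)]
    if not statics:
        return False, f"no static route covers the address pool {pool}"
    null0 = [r for r in statics if r.iface.upper() == "NULL0"]
    if not null0:
        return False, f"static route to {pool} exists but its next hop is not Null0"
    for r in null0:
        if r.network == pool:
            return True, f"Null0 route {r.network} matches the address pool"
    lengths = ", ".join(f"/{r.network.prefixlen}" for r in null0)
    return False, f"Null0 route prefix length ({lengths}) differs from the pool's /{pool.prefixlen}"


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTING_TABLE)
    print(check_pool_blackhole("203.0.113.16/28", routes))   # matching Null0 route
    print(check_pool_blackhole("203.0.113.16/27", routes))   # mask length differs
```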
A: You can configure a public address for the NAT server that differs from the public address of the interfaces. If a user has only one public address, you can configure an address pool to allocate public addresses to internal users.
Command | Description | Note
display nat alg | Displays information about the NAT application level gateway. | -
display nat car-class | Displays the speed control of NAT. | -
display nat car-bt | Displays the speed control of NAT BT. | -
display nat connection-class | Displays the traffic control of NAT. | -
display nat flow-control | Displays information about the configured NAT traffic control. |
This output information is the aging time (in seconds) of the entries in the session table.

display firewall servermap
display firewall servermap
Nat leaf display successfully.
Leaf Addr :0x02417564
BitConfig :0x00
DstIP :0x05010105(5.1.1.5)
VpnID :0
Key Flag :0x00
Key Protocol/Pool ID :0
Key DstPort :0
Flag :0x8000
Server Inner IP :0x04010101(4.1.1.
Item | Description
Flag | The type of the servermap table. 0x2000: specifies the temporary servermap table. 0x4000: specifies the servermap table actively established by the FTP server in the external network. 0x4001: specifies the servermap table actively established by the FTP server in the internal network. 0x8000: indicates that the NAT server is valid.
Server Inner IP | The IP address of the internal server 1 of the NAT server
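The hexadecimal address fields and the Flag value of display firewall servermap can be decoded programmatically when reviewing many entries. The script below is an added example, not Nortel code: it parses a sample block constructed from the output reproduced above (the Server Inner IP value, cut off on this page, is completed with an assumed address) and expands the Flag value using the table above.

```python
"""Decode the display firewall servermap fields shown in this section."""
import re

# Constructed sample built from the fields reproduced on this page; the
# Server Inner IP value is an assumption (the page cuts it off).
SAMPLE_SERVERMAP = """\
Nat leaf display successfully.
Leaf Addr             :0x02417564
BitConfig             :0x00
DstIP                 :0x05010105(5.1.1.5)
VpnID                 :0
Key Flag              :0x00
Key Protocol/Pool ID  :0
Key DstPort           :0
Flag                  :0x8000
Server Inner IP       :0x04010101(4.1.1.1)
"""

# Flag values and their meanings, as listed in the table above.
FLAG_MEANINGS = {
    0x2000: "temporary servermap table",
    0x4000: "servermap table actively established by the FTP server in the external network",
    0x4001: "servermap table actively established by the FTP server in the internal network",
    0x8000: "NAT server is valid",
}

FIELD_RE = re.compile(r"^(?P<name>[A-Za-z/ ]+?)\s*:(?P<value>\S+)$")
HEX_RE = re.compile(r"^0x(?P<hex>[0-9a-fA-F]{1,8})")


def hex_to_dotted(value):
    """'0x05010105' -> '5.1.1.5'; the device's own '(5.1.1.5)' suffix, if present, is ignored."""
    m = HEX_RE.match(value)
    if not m:
        raise ValueError(f"not a hexadecimal address: {value}")
    n = int(m["hex"], 16)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def decode_flag(value):
    """Map a Flag value to its meaning from the table; unknown values are reported as such."""
    n = int(value, 16)
    return FLAG_MEANINGS.get(n, f"unknown flag value 0x{n:04x}")


def parse_servermap(text):
    """Return {field: decoded value} for one servermap entry."""
    entry = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # banner lines such as "Nat leaf display successfully."
        name, value = m["name"].strip(), m["value"]
        if name in ("DstIP", "Server Inner IP"):
            entry[name] = hex_to_dotted(value)
        elif name == "Flag":
            entry[name] = decode_flag(value)
        else:
            entry[name] = value
    return entry


if __name__ == "__main__":
    for field, decoded in parse_servermap(SAMPLE_SERVERMAP).items():
        print(f"{field}: {decoded}")
```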
Table 4-2 Description of the output information of the display firewall session statistic command
Item | Description
ICMP Session | The number of ICMP sessions
TCP Session | The number of TCP sessions
UDP Session | The number of UDP sessions
Frag Session | The number of fragmentation sessions
Total Session | The total number of sessions

display firewall session table
display firewall session table source 4.1.1.
display nat alg
[Nortel] display nat alg
NAT application level gateway information:
  netbios NAT application level gateway is enabled
  ils NAT application level gateway is enabled
  ftp NAT application level gateway is enabled
  icmp NAT application level gateway is enabled
This output information shows whether the NAT ALG is enabled for packets of the types netbios, ils, ftp, and icmp.
This output information displays the traffic control of NAT:
- The ACL 2001 is used.
- The class of the bandwidth is 2.
- The class of the number of connections is 3.

display nat inside-ip
display nat inside-ip 4.1.1.1
Server in private network information:
  GlobalAddr   GlobalPort   InsideAddr   InsidePort   Pro   VPN
  Interface:Ethernet4/0/6
  5.1.1.5   Total   2110   4.1.1.
  GlobalAddr        GlobalPort   InsideAddr   InsidePort   Pro      VPN
  Interface:Ethernet4/0/6
  5.1.1.5(5,3000)   2110         4.1.1.1      3211         6(tcp)   (1)
  5.1.1.5(5,3000)   2110         4.1.1.
In addition:
- Configure an internal server on the interface Ethernet3/0/0.
- The internal address of the server http://100.1.1.2 is 192.168.10.2.

NAT supports the following application protocols: netbios, ils, ftp, icmp.

4.5.2 Debugging commands
Command | Description
debugging nat-alg all | Enables all debugging of the NAT ALG.
debugging nat-alg information | Enables the debugging information of the NAT ALG.
*0.97096416 Nortel SEC/8/ASPF: [ASPF] Packet Information:
  SrcAddr =0x05010102(5.1.1.2)   // the packet comes from the external network; the source IP is the external host's address
  DstAddr =0x05010105(5.1.1.5)   // the packet comes from the external network; the destination IP is the public address configured for the NAT server
  Proto =6                       // the protocol number
  AppPro =0
  PayloadLen =0
  MoreFrag =0
*0.
Item | Description
NatSrvInIP | The IP of the NAT server (5.1.1.5)
NatSrvInPort | The port of the NAT server (0)
GlobalSrcIP | The public network IP of the NAT server (5.1.1.5)
AgingTime | The aging time of the servermap table (here 14s)