
Nortel Secure Router 8000 Series
Troubleshooting - VAS

2 IPSec and IKE troubleshooting

2.6.4 Troubleshooting procedure

Step 1 Check whether the tunnel is reachable with no IPSec policy applied.

As shown in Figure 2-12, use the undo ipsec policy command to disable the IPSec policy on
Router A and Router B. The packets are forwarded through the GRE tunnel.

On PC A, ping PC B.

If the ping succeeds, the route, the link, and the GRE tunnel between PC A and PC B are
normal. The fault may be caused by the IPSec configuration. Proceed to Step 2.

If the ping fails, modify the configuration so the packets from PC A to PC B do not pass
through the GRE tunnel.

If the ping still fails after the modification, a fault exists on the route or the link
between PC A and PC B.

If the ping succeeds and the GRE tunnel is unused after the modification, the fault is
caused by an incorrectly configured GRE tunnel. For information about removing the
fault, see the section about GRE troubleshooting

in Nortel Secure Router 8000 Series Troubleshooting - VPN (NN46240-710).

Step 2 Check whether SAs are set up in Phase 1 and Phase 2.

See the troubleshooting procedure for “Troubleshooting ISAKMP SA.”

If SAs are configured in Phase 1 and Phase 2, continue with the following steps.

Step 3 Check IPSec policies.

Check the following:

whether GRE tunnel ends are loopback interfaces or whether they are configured with
loopback addresses (GRE over IPSec does not support loopback interfaces)

whether the source and destination IP addresses specified in the ACL agree with the
addresses of GRE tunnel ends

whether the IPSec policy group is applied on interfaces where GRE tunnel ends are
located

For details, see the troubleshooting procedure for “Troubleshooting ISAKMP SA.”

If the IPSec policies are correct, continue with the following steps.

Step 4 Check whether IPSec can encapsulate or decapsulate packets.

Use the debugging ipsec packet command to check whether IPSec can encapsulate and
decapsulate packets based on SAs.

You can also use the display ipsec statistics command to view IPSec statistics. For details,
see the troubleshooting procedure “Troubleshooting ISAKMP SA.”

If the fault persists, contact Nortel technical support.

----End
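
The three Step 3 checks can be run offline against a description of each router before changing anything on the device. The following is an added example, not part of the Nortel manual: the dictionary layout, the interface names (Wan0, Loop0), the policy name and the addresses are all constructed assumptions, and nothing here is router CLI syntax.

```python
import ipaddress

def check_step3(router):
    """Return Step 3 findings for one router; an empty list means consistent."""
    findings = []
    tunnel, policy = router["gre_tunnel"], router["ipsec_policy"]
    src = ipaddress.ip_address(tunnel["source"])
    dst = ipaddress.ip_address(tunnel["destination"])

    # Locate the interface that owns the GRE tunnel source address.
    owner = next((name for name, ifc in router["interfaces"].items()
                  if ipaddress.ip_interface(ifc["address"]).ip == src), None)
    if owner is None:
        findings.append("tunnel source is not configured on any interface")
    else:
        ifc = router["interfaces"][owner]
        if ifc["loopback"]:  # GRE over IPSec does not support loopback tunnel ends
            findings.append(f"tunnel end {owner} is a loopback interface")
        if ifc.get("ipsec_policy") != policy["name"]:
            findings.append(f"policy {policy['name']} is not applied on {owner}")

    # The ACL must name exactly the two GRE tunnel end addresses.
    if not any(ipaddress.ip_address(r["source"]) == src and
               ipaddress.ip_address(r["destination"]) == dst
               for r in policy["acl_rules"]):
        findings.append("ACL source/destination do not match the tunnel ends")
    return findings

# Constructed sample data (hypothetical names and addresses), not from the manual.
ROUTER_A_GOOD = {
    "interfaces": {"Wan0": {"address": "192.0.2.1/24", "loopback": False,
                            "ipsec_policy": "policy1"}},
    "gre_tunnel": {"source": "192.0.2.1", "destination": "198.51.100.1"},
    "ipsec_policy": {"name": "policy1", "acl_rules": [
        {"source": "192.0.2.1", "destination": "198.51.100.1"}]},
}
ROUTER_A_BAD = {
    "interfaces": {
        "Wan0": {"address": "192.0.2.1/24", "loopback": False,
                 "ipsec_policy": "policy1"},
        "Loop0": {"address": "10.255.0.1/32", "loopback": True},
    },
    "gre_tunnel": {"source": "10.255.0.1", "destination": "198.51.100.1"},
    "ipsec_policy": {"name": "policy1", "acl_rules": [
        {"source": "192.0.2.1", "destination": "198.51.100.1"}]},
}

if __name__ == "__main__":
    for label, router in (("good", ROUTER_A_GOOD), ("bad", ROUTER_A_BAD)):
        print(label, check_step3(router) or "consistent")
```

Run the same check for Router B with source and destination swapped; a mismatch on either side is enough to leave GRE traffic outside the IPSec policy.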

Issue 01.01 (30 March 2009)

Nortel Networks Inc.
