7 troubleshooting cases, Fault symptom, Fault analysis – Panasonic 8000 User Manual


2 IPSec and IKE troubleshooting

Nortel Secure Router 8000 Series

Troubleshooting - VAS

2.7 Troubleshooting cases

Fault symptom

Figure 2-14 shows a diagram of IPSec SA setup in ISAKMP mode.

Figure 2-14 Networking diagram of IPSec setup

[Figure labels: Router A (Pos1/0/1, 202.38.163.1; 10.1.1.1, 10.1.1.2) and Router B (Pos2/0/1, 202.38.162.1; 10.1.2.1, 10.1.2.2)]

After Router A is restarted, the IPSec tunnel fails.

Fault analysis

Use the debugging ipsec packet command on Router B. IPSec packets sent from Router
B to Router A can be encapsulated.

Use the debugging ipsec packet command on Router A. Packet decapsulation on Router
A fails.

Use the display ipsec sa command on Router A and Router B. You cannot find the SA on
Router A.

The cause for this fault may be that the default timeout period for the ISAKMP SA to wait for
Keep Alive packets is not configured. After Router A is restarted, Router B is not notified to
remove the corresponding SA. Router B continues to use the previous SA.

Enable the keep-alive function of ISAKMP SA to remove this fault. If the SA duration
exceeds the keep-alive value, remove SAs on both ends and reinitiate a negotiation.

Troubleshooting procedure

Step 1 Use the reset ipsec sa command or the reset ike sa command in the system view to remove
the corresponding SA from Router B.

Step 2 Use the ike sa keepalive-timer interval second command in the system views of Router A
and Router B to specify the interval at which Keep Alive packets are sent.

Step 3 Use the ike sa keepalive-timer timeout seconds command in the system views of Router A
and Router B to specify the timeout period for waiting for Keep Alive packets sent from the
peer of ISAKMP SA.

Step 4 Save the configuration.

After completing the previous steps, the IPSec tunnel can operate normally.

--- End
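
The following timeline model is an added example, not part of the original manual and not vendor code. It replays the fault analysis above (Router A restarts, Router B keeps the old SA) with and without the keep-alive timers from Steps 2 and 3. The timer values (20 s, 60 s, 10 s), the one-packet-per-second traffic from Router B, and the instantaneous renegotiation are constructed assumptions.

```python
# Toy timeline model (added example): Router B sends one packet per second
# to Router A through an IPSec SA. All timer values are constructed.

def simulate(duration=200, restart_at=30, interval=None, timeout=None):
    """Return delivered/dropped packet counts, negotiation count, recovery time.

    interval: seconds between Keep Alive packets A sends (None = keep-alive off)
    timeout:  seconds B waits for a Keep Alive before removing its SA
    """
    keepalive = interval is not None and timeout is not None
    spi = 0                 # counter standing in for the SA identifier
    a_sa = b_sa = None      # SA each router currently holds
    a_has_ike = False       # A sends Keep Alives only while it holds the ISAKMP SA
    last_heard = 0          # time B last received a Keep Alive from A
    delivered = dropped = negotiations = 0
    recovered_at = None

    for t in range(duration):
        if t == restart_at:                  # reboot: A loses its SAs, B is not told
            a_sa, a_has_ike = None, False
        if keepalive and a_has_ike and t % interval == 0:
            last_heard = t                   # Keep Alive from A reaches B
        if keepalive and b_sa is not None and t - last_heard >= timeout:
            b_sa = None                      # B times out and removes the stale SA
        if b_sa is None:                     # no SA on B: negotiate a fresh pair
            spi += 1
            a_sa = b_sa = spi
            a_has_ike, last_heard = True, t
            negotiations += 1
            if restart_at is not None and t > restart_at and recovered_at is None:
                recovered_at = t
        if a_sa == b_sa:                     # A decapsulates only with a matching SA
            delivered += 1
        else:
            dropped += 1
    return {"delivered": delivered, "dropped": dropped,
            "negotiations": negotiations, "recovered_at": recovered_at}


if __name__ == "__main__":
    print("keep-alive off:         ", simulate())
    print("interval=20, timeout=60:", simulate(interval=20, timeout=60))
    # Timeout shorter than the peer's interval: healthy SAs are torn down repeatedly.
    print("interval=20, timeout=10:",
          simulate(restart_at=None, interval=20, timeout=10))
```

In this model the outage lasts from the restart until the timeout expires after the last Keep Alive received, and a timeout no longer than the peer's interval causes needless renegotiation even when neither router restarts.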


Nortel Networks Inc.

Issue 01.01 (30 March 2009)
