3Com 11.1 manual Known Problems


PPTP Tunnel Security Validation

Authentication problems may occur when connecting a Windows 95 or NT client via a Total Control Hub to a NETBuilder II bridge/router where the Total Control Hub is setting up a PPTP tunnel to the bridge/router.

This problem is a combination of the security protocol between the client and the LS (in this case the Total Control Hub) and the time it takes to validate a Radius request on the Radius server. In addition, the setting of the DefaultAptCtl parameter needs to be considered because this determines which security protocol the NETBuilder bridge/router will use.

If the client and the LS negotiate to use PAP, the client will send PAP configure requests, but at that time the LS is busy setting up the PPTP tunnel and will forward the PAP requests to the NETBuilder bridge/router. The bridge/router by default sends a CHAP challenge to the client, and normally the client responds immediately. Then the NETBuilder bridge/router sends a request to the Radius server for validation.

If there is another PAP request from the client to the bridge/router while the bridge/router is waiting for validation from the Radius server, the bridge/router will send a PAP NAK to the client and the session is terminated. If the CHAP success message is received before the next PAP message, the PAP message is discarded and the connection is established.

Solutions include disabling CHAP on the NETBuilder DAC or disabling PAP between the client and the LS.

This situation does not arise when the NETBuilder bridge/router is using internal security because it is fast enough to check the CHAP response before the next PAP message is generated.
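The race described above, replayed as a small event simulation (an added example, not code from the 3Com manual). The 3-second PAP retry interval, the function and parameter names, and the router's handling of repeated PAP requests once CHAP is disabled are assumptions made for illustration.

```python
import heapq

def simulate(radius_latency, pap_retry=3.0, client_pap=True, router_chap=True):
    """Replay one tunnel login. Returns (outcome, trace), trace = [(time, message)]."""
    # Event = (time, priority, kind); a RADIUS verdict wins a tie with a PAP request.
    # Assumption: the client repeats its PAP request every pap_retry seconds.
    if client_pap:
        events = [(n * pap_retry, 1, "PAP_REQ") for n in range(3)]
    else:
        events = [(0.0, 1, "CHAP_ONLY")]  # PAP disabled between client and LS
    heapq.heapify(events)
    state, trace = "IDLE", []
    while events:
        t, _, kind = heapq.heappop(events)
        if kind == "RADIUS_OK":
            state = "UP"
            trace.append((t, "RADIUS accepts; success sent, connection established"))
        elif state == "IDLE":
            # First client message: the router starts its own authentication.
            proto = "CHAP" if router_chap else "PAP"
            state = "WAIT_" + proto
            trace.append((t, f"router starts {proto} validation and asks RADIUS"))
            heapq.heappush(events, (t + radius_latency, 0, "RADIUS_OK"))
        elif state == "WAIT_CHAP":
            # The failure mode: a PAP request lands while CHAP is unresolved.
            trace.append((t, "PAP request during CHAP validation: PAP NAK, terminated"))
            return "terminated", trace
        elif state == "WAIT_PAP":
            # Assumption: with CHAP disabled, a repeated PAP request is harmless.
            trace.append((t, "repeated PAP request ignored"))
        else:  # state == "UP"
            trace.append((t, "late PAP request discarded"))
    return ("established" if state == "UP" else "incomplete"), trace

if __name__ == "__main__":
    cases = {
        "slow RADIUS (5 s)": dict(radius_latency=5.0),
        "fast RADIUS (1 s)": dict(radius_latency=1.0),
        "internal security": dict(radius_latency=0.01),
        "CHAP disabled on router": dict(radius_latency=5.0, router_chap=False),
        "PAP disabled client-LS": dict(radius_latency=5.0, client_pap=False),
    }
    for name, kwargs in cases.items():
        outcome, trace = simulate(**kwargs)
        print(f"{name}: {outcome}")
        for t, msg in trace:
            print(f"  t={t:5.2f}s  {msg}")
```
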

RAS Ports with Manual Dial Configured Tunnels

Tunnels configured with Manual Dial, and terminated as RAS ports at the central site, will idle out inappropriately at the central site within the time specified by the DialIdleTimer when data is traversing the virtual port tunnel. You should configure the DialIdleTimer on the RAS defined port to be zero, or configure DOD tunnels.

Remote Office RAS Clients and Virtual Port Attributes

If you have a remote office dialing in to a central site router acting as a RAS server, and you wish to modify the port settings on the active virtual port connection, you must first hang up the active connection on your Remote Office bridge/router. Not doing so may result in a connection failure the next time you try to dial the virtual port to establish a tunnel to your central office site.

SPID Wizard Detection Errors

If the two routers are connected to a single NT-1, SPID Wizard cannot detect the correct switch type and corresponding SPIDs. To work around the problem, disconnect one of the routers from the NT-1 before running SPID Wizard. Reconnect the router after SPID Wizard completes the detection process.

STP AutoMode Does Not Select the Right Mode

When a NETBuilder II TI is connected over X.25 to a NETBuilder II bridge/router that has Ethernet or token ring, and the Ethernet is transparent bridging to other routers over X.25 and the token ring interface requires source route bridging to the NETBuilder II TI, STP does not select the right mode when the default value is AutoMode. Set the STP value to SRTMode.
