AppendixB. Troubleshooting
•Checkthat the (on the Logging Configuration page).
A call is established, but there is no voice
•Ifyou use a DMZ Telecommuting Module Type, check on the Surroundings page that you have separated the
clientsinto correct networks. Clients that can reach each other without using the Telecommuting Module should
bein the same Surroundings network, and clients that must use the Telecommuting Module to reach each other
shouldbe in different Surroundings networks.
•Ifyou use a DMZ or DMZ/LAN Telecommuting Module Type, check that the firewall connected to the
TelecommutingModule does not block the media. See chapter 14, Firewall and Client Configuration, for more
informationabout which ports should be opened in the firewall.
VPN troubleshootingNo IPsec tunnel established
•Checkthat VPN negotiation packets (UDP port 500) reach the Telecommuting Module. The other end could be
locatedbehind a NATing device which changes the sender port.
•Checkthat packets from the other end can reach the Telecommuting Module and vice versa. A failure to do so
couldindicate a faulty routing somewhere between the two VPN units or that some blocking device is located
betweenthem.
•Checkthat the VPN negotiation packets to the Telecommuting Module are addressed to the correct IP address
(theone selected on the IPsec Peers page.
•Ifpreshared secrets are used, check that both units share the same secret. If certificates are used, check that the
rightcertificates are used.
•Ifthe unit in the other end is no 3Com VCX IP Telecommuting Module, make sure that it uses PFS (Perfect
ForwardSecrecy). 3Com VCX IP Telecommuting Module always uses PFS.
•Ifthe unit in the other end is no 3Com VCX IP Telecommuting Module, make sure that it uses 3DES or AES.
3ComVCX IP Telecommuting Module accepts both encryption algorithms.
•Checkthat the networks to use the VPN tunnel are the same on both VPN units.
IPsec tunnel established, no traffic
•Checkthat the networks, between which the traffic should be sent, are allowed to use the IPsec tunnel.
•Checkthat there is a rule to let this traffic through. Check that the rule uses a proper network, service, IPsec peer
andtime class.
IPsec tunnel established, no traffic after some time
•Checkthat the key lifetime for the ISAKMP key is the same for both VPN units.
•Checkthat the key lifetime for the IPsec key is the same for both VPN units.
Administration troubleshootingThissection describes problems that can arise when administrating the Telecommuting Module.
The Telecommuting Module reverts to the old version when trying to
upgrade
•Checkthe release note for new error checks, which will make some part of your configuration invalid with the
newsoftware version.
128