Manuals / Nortel Networks / Computer Equipment / Network Router

Nortel Networks NN46110-602 manual File format, Security features

Models: NN46110-602

1 230

Download 230 pages 7.59 Kb

Page 105

Chapter 5 Packet capture 105

•limit the traffic that the filters capture

•automatically start and stop packet capture with triggers

Note: The VPN Router does not provide tools for opening and viewing captured data. You must offload the PCAP files to view them.

Security features

Packet capture on the VPN Router provides the following features to enhance security:

•Packet capture is disabled by default. You can enable packet capture using the CLI through the serial port only.

•To enable packet capture, you must configure a separate capture password.

•When you save a capture buffer to a file on disk, the file is encrypted. You must enter the capture password to decrypt PCAP files.

•To open a capture file, you use a tool called openpcap that is shipped with VPN Router software. The tool is built for both 128-bit and 56-bit versions and uses the same cryptographic library that the server code uses. The openpcap tool prompts you for a password.

•Packet capture configuration is not saved in LDAP or in the configuration file. When you reboot the VPN Router, the packet capture configuration is lost.

File format

Packets are stored in PCAP/TCPDUMP file format. Many tools recognize this file format. Packets are saved with the following additional information:

•timestamp of the packet

•length of the portion of the packet present in the PCAP file

•length of the entire packet as it was received or sent on the wire

Nortel VPN Router Troubleshooting

Image 105

Nortel Networks NN46110-602 manual File format, Security features

Contents

Nortel VPN Router Troubleshooting Trademarks Copyright 2007 Nortel Networks. All rights reservedRestricted rights legend Statement of conditionsNortel Networks Inc. software license agreement Nortel VPN Router TroubleshootingGeneral Contents Chapter Status and logging Chapter Troubleshooting Chapter Packet capture Appendix a MIB support Appendix B Using serial PPP Index Contents NN46110-602 Figures Figures NN46110-602 Tables Tables NN46110-602 Text conventions Before you beginItalic text Acronyms L2TP Related publications Finding the latest updates on the Nortel Web site Hard-copy technical manuals How to get helpGetting help from the Nortel Web site Getting help over the phone from a Nortel Solutions CenterGetting help through a Nortel distributor or reseller New in this release FeaturesAutomatic backups Pcap enhancementsSnmp interface index enhancement Administrator settings Chapter VPN Router administrationVPN Router administration Tools Dynamic passwordFile management System configurationSimple Network Management Protocol Snmp VPN Router administration Admin Snmp Traps window Click Enable for User IP Address PoolTo configure the amount Chapter Status and logging Reports SessionsSystem Health checkStatistics Accounting records AccountingData collection task Radius accountingTimestamp Event log LogsEvent logs Select Status Event LogCapture and display filters Configure Display Entity Security log System logConfiguration log Shutdown Chapter Administrative tasksRecovery Accessing the diskette driveUsing the recovery diskette Recovery Diskette window Software/backup/v101/SN01001 Administrative tasks Automatic backups Transferring backup files through Sftp Using the GUI for automatic backupTriggering a backup when a file or directory changes Select Admin Auto BackupAutomatic Backup window appears. Figure Click Configure Specific Backup To overwrite a file, click Overwrite files at destination Specific Automatic Backup windowUsing the CLI for automatic backup Stopping the backup of specific files and directories Backing up specific files and directoriesBacking up changes to specific files or directories Stopping the transfer of backup files using Sftp Using Sftp to transfer backup filesDisabling new logins Select Admin Shutdown Click Disable new logins. FigureUpgrading the software Checking available disk space Select Admin File SystemCreating a control tunnel to upgrade from a remote location Creating a recovery diskette Select Admin Recovery and click Create DisketteBacking up system files Retrieving the new software Select Admin UpgradesFTP menu example Internal Radius Accounting Interim Radius Accounting Record Before completing the upgradeAfter you upgrade the software Select Admin Shutdown and deselect Disable new loginsApplying the software Administrative tasks Chapter Troubleshooting Client-based tools Troubleshooting toolsOther tools System-based toolsDiagnosing client connectivity problems Solving connectivity problemsCommon client connectivity problems Authentication failed Login not allowed at this timeRemote host not responding Maximum number of sessions reachedOther IPsec errors No proposal chosenExtranet connection lost Problems with name resolution using DNS services Cannot browse the network with NetBEUI Network browsing problemsTroubleshooting Diagnosing WAN link problems Check the T1/V.35 interface Check the PPP layer Check the Hdlc framingPerformance tips for configuring Microsoft networking Solving performance problemsEliminating modem errors Hardware encryption accelerator connectivityWhat should be configured on the Pptp or IPsec client? What Wins settings are recommended? Why should Wins settings be different for extranet access?What can you try on the Wins server when it is not working? Can I control which machine is the master browser? Why are subnet masks important? What should I do about subnets? Why cant I browse another client in a different tunnel? Troubleshooting Additional information Web browser problems and the VPN Client Manager Solving general problemsLong delays when Web browsing Enabling Web browser optionsImproving performance with Internet Explorer Clearing your Web browser cache when upgrading Web browser error messagesInternal error message Clearing cacheExcess resource consumption using Internet Explorer New administrator login ignoredDocument not found message Internet Explorer 4.0 multiple help windowsSystem problems Reporting a problem with a Web browserPower failure Distorted background imagesSelect Servers Ldap Click Stop Server Group and user profile settings not savedClient address redistribution problems Solving routing problemsAn error occurred while parsing the policy Solving firewall problemsAn error occurred while communicating with the VPN Router Action Close the Stateful Firewall ManagerAuthorization failed. Please try again Contents of the database may have changedUnable to communicate with the VPN Router System files were not loaded properly ActionDeselect Cache JARs in Memory Troubleshooting NN46110-602 Chapter Packet capture Pcap features File format Security featuresCapture types Physical interface capturesTunnel captures Global IP captures Filters and triggers Capture filtersTriggers Memory considerations Saving captured dataPerformance considerations Enabling packet capture on a VPN Router Serial main menu appears Enter Privileged Exec modeCapturing packets to disk file Setting the Pcap file pathSetting the size of the RAM buffer Setting the size of a disk capture fileSetting the maximum number of disk capture files Configuring and running packet capture objects Saving captured dataCreating a capture object Configuring a capture object CES#capture ether0 Tunnel capture parameters Starting, stopping, and saving capture objects Using the show capture command to display capture statusCES# show capture Sample packet capture configurations Interface capture object using a filter and directionExit Capture Configuration mode CES#show capture test-filter-in Interface capture object using triggersCES#capture test-trigger start CES#show capture test-trigger Capture state Stopped by stop Tunnel capture object using a remote IP addressInstalling Ethereal software Viewing a packet capture output file on a PCLocate the Microsoft Windows row and click local archive Saving, downloading, and viewing Pcap files Click ethereal-setup-n.nn.n.exeGlobal IP capture Viewing a Pcap file with Sniffer ProClick Tools Options Protocol Forcing Deleting capture objects and disabling packet captureCES# no capture test-trigger Packet capture NN46110-602 Novell IPX MIB Snmp RFC supportNovell RIP-SAP MIB RFC 1850-OSPF Version 2 Management Information BaseRFC 1724-RIP Version 2 MIB Extension RFC 1213-Network Management of TCP/IP-Based InternetsRFC 2667-IP Tunnel MIB RFC 2737-Entity MIB RFC 2787-VRRP MIBRFC 2233-If MIB RFC 1573-IanaIfType MIBRFC 2571-Snmp-Framework MIB RFC2790-Host Resources MIBRFC2495-DS1 MIB VPN Router MIB RFC2863 Interface MIB 64 bit counters supportTRAP-TYPE Cestraps.mib-Nortel proprietary MIBVariables Newoak.mib Hardware-related traps Appendix a MIB support Appendix a MIB support Appendix a MIB support Server-related traps Appendix a MIB support Software-related traps Login-related trapsSystem-related traps Intrusion-related trapsInformation passed with every trap Provides trap categories and explanations Provides descriptions for the VPN Router traps Appendix a MIB support VPN Router traps MIB descriptions Appendix a MIB support VPN Router traps MIB descriptions Attached Failed Please note that X corresponds to Is not reachable and at least one Appendix a MIB support Appendix a MIB support VPN Router traps MIB descriptions IfReasonForStatus-ces-reason for the change in status Appendix a MIB support VPN Router traps MIB descriptions That triggered this event Appendix a MIB support VPN Router traps MIB descriptions Appendix a MIB support VPN Router traps MIB descriptions That triggered this event Establishing a serial PPP connection Appendix B Using serial PPPDouble-click the Microsoft Dial-Up Networking icon Setting up a Dial-Up Networking connectionSetting up the VPN Router Setting up the modemSelect System Settings Appendix B Using serial PPP Dialing in to the VPN Router Troubleshooting Serial PPPCause ActionsAction PPP option settings Appendix B Using serial PPP NN46110-602 Error removing CA certificate file Installed new CA certificate from fileCertificate messages TCert X.509 certificates disabled in flash memory TCert Shutdown completeTCert task creation failed Isakmp 13 No proposal chosen in message from xxx a.b.c.d Isakmp messagesIsakmp 13 Authentication failure in message from xxx a.b.c.d No response from client-logging out Isakmp 13 xxx a.b.c.d has exceeded idle timeout-logging outBranch office messages Couldnt install route for remxxx@xxxChecking chain invalid parent cert SSL messagesChecking chain invalid child cert Child cert xxx not valid signature by xxxDatabase messages Configuration file xxx does not existNo matching trusted CA certs Failed to startSecurity messages Ldif file could not restoreAccount xxxxxx uid xxx not found in account AuthServer ldap inconsistent no server type in entryConn backlog reached, possible SYN attack Security store new system IP address xxx failed-xxxSecurity store new system name xxx failed-xxx Error copying subentries of xxx to Error copying entry xxx toError copying tree xxx to Security store new system subnet mask xxx failed-xxxError deleting tree Error deleting entrySchemaCls Database schema not available LocalAuthServer failed remove-xxxSession xxxxxx invalid uid-authentication failed Session xxx uid invalid-authentication failedXxx xxx being referenced by Session xxxxxx session rejected-system is initializingSession xxxxxxxxx AddLink failed xxx current links Session xxxxxxxxx xxx auth method not allowedSession xxxxxxxxx account is disabled Session xxxxxxxxx L2TP host xxx account misconfiguredSession xxxxxxxxx IP address assignment failed Session xxxxxxxxx account has max linksSession xxxxxxxxx authentication failed using Session xxxxxxxxx account not allowed nowSession xxxxxxxxx connect Qos level xxx full Disable logins after restart checkbox is selected Session xxxxxxxxx login rejected new logins disabledSession xxxxxxxxx no memory free xxx threshold Session xxxxxxxxx only one session/static address allowedSession xxxxxxxxx session directed to use server Session xxxxxxxxx pool address xxx already in useSession xxxxxxxxx static address xxx already in use Session xxxxxxxxx system has max sessionsRadius accounting messages Radius no reply from server server-nameport numberRadius server-name server timed out Radius server-name server failed Indicated packet length too largeNon-matching ID in server response Received bad attribute type from server Unsupported response type number received from serverResponse OK Radius user-name accounting record sent to server-name OKRadius authentication messages Login failure due to Server network connection failureRadius no reply from Radius server server-nameport number Radius server-name server timed out authenticating user-name Non-matching id in server response Radius access challenge received Radius server returned access challengeRadius server rejected access Radius server-name sent challenge for user-nameRadius user-name access OK by server server-name Radius user-name access Denied by server server-nameOspf Disabled Routing messagesOspf Enabled Closing OSPF-RTM connectionOpened OSPF-RTM connection LoadOspfAreas Failed Can not accept x.x.x.x as router idLoadOspfIntf Failed VR xxx Starting xxx as Master forVR xxx Starting xxx as Backup for VR xxx Starting xxx as master delayed Backup forVR xxx Shutting down xxx on RIP xxx RIP Enabled Unable to get configuration for VRRIP xxx RIP Disabled RIP xxx Cant alloc main nodeRIP xxx Unable to register with UDP RIP xxx Circuit xxx deletedRIP xxx setsockopt RIP socket xxx Sorcvbuf xxx failed RIP xxx bind RIP socket xxx failedRIP xxx cid xxx mismatched auth password from RIP xxx Unable to spawn timer task xxx for RIPInterface nnn not present, deleting from config Interface nnn replaced, resetting configHWAccel nnn not present, deleting from config Interface nnn replaced, deleting from configAppendix C System messages NN46110-602 Configuring the Cisco 2514 router, Version Appendix D Configuring for interoperabilityVPN Router and Cisco 2514 network topology NN46110-602 Following is a show config command Configuring the VPN Router for Cisco interoperability Appendix D Configuring for interoperability Mask Connecting to IRE SafeNET/Soft-PK Security Policy ClientClick Pre-Shared Key 10.42SafeNet/Soft-PK Security Policy Editor dialog box appears Encapsulation Protocol ESP Configuring the VPN Router for IRE interoperabilitySA Life Seconds and 3000 Seconds Go to Profiles Networks and click EditThird-party client installation Considerations for using third-party clients Appendix D Configuring for interoperability Configuring the VPN Router as a branch office tunnel Set Perfect Forward Secrecy PFS to match the client side Configuring the VPN Router as a user tunnelTo configure the VPN Router as a user tunnel Configuring IPX IPX client Sample IPX VPN Router topology IPX group configurationWindows 95 and Windows Windows NTIPX topology Nortel VPN Router Troubleshooting Appendix D Configuring for interoperability NN46110-602 Index Index Pptp Wins