Manuals / Nortel Networks / Computer Equipment / Network Router

Nortel Networks NN46110-602 manual Isakmp messages

Models: NN46110-602

1 230

Download 230 pages 7.59 Kb

Page 175

Appendix C System messages 175

2Manually verify the tunnel-related certificate fingerprints. Perform this procedure any time you suspect tampering.

ISAKMP messages

ISAKMP [13] No proposal chosen in message from xxx (a.b.c.d)

In many cases, a Session:IPsec message precedes the ISAKMP message. If the Session:IPsec message indicates an error, then the Session message describes the cause and required action. If there is no Session:IPsec error message, see the following list of causes and solutions for explanations.

Description: The encryption types proposed by branch office xxx do not match the encryption types configured locally.

Action: Check the encryption types on both sides to make sure they match. If necessary, reconfigure the encryption on one system.

Description: The requested authentication method (for example, RSA* Digital Signature) is not enabled.

Action: Enable all required authentication types. Make sure the unneeded types are disabled.

Description: One side of the connection is configured to support dynamic routing while the other side is configured for static routing, where branch office is xxx.

Action: Configure both sides to use the same routing type.

Description: Both sides are configured to support static routing. However, the local and remote network definitions of the two sides do not match, where branch office is xxx.

Action: Configure both sides to have matching local and remote network definitions.

Description: The Perfect Forward Secrecy (PFS) setting of the two sides do not match. Branch office xxx does not have PFS enabled, while PFS is required by the local settings.

Nortel VPN Router Troubleshooting

Image 175

Nortel Networks NN46110-602 manual Isakmp messages, Isakmp 13 No proposal chosen in message from xxx a.b.c.d

Contents

Nortel VPN Router Troubleshooting Statement of conditions Copyright 2007 Nortel Networks. All rights reservedTrademarks Restricted rights legendNortel Networks Inc. software license agreement Nortel VPN Router TroubleshootingGeneral Contents Chapter Status and logging Chapter Troubleshooting Chapter Packet capture Appendix a MIB support Appendix B Using serial PPP Index Contents NN46110-602 Figures Figures NN46110-602 Tables Tables NN46110-602 Text conventions Before you beginItalic text Acronyms L2TP Related publications Finding the latest updates on the Nortel Web site Hard-copy technical manuals How to get helpGetting help from the Nortel Web site Getting help over the phone from a Nortel Solutions CenterGetting help through a Nortel distributor or reseller New in this release FeaturesPcap enhancements Automatic backupsSnmp interface index enhancement Administrator settings Chapter VPN Router administrationVPN Router administration Tools Dynamic passwordFile management System configurationSimple Network Management Protocol Snmp VPN Router administration Admin Snmp Traps window Click Enable for User IP Address PoolTo configure the amount Chapter Status and logging Reports SessionsHealth check SystemStatistics Accounting records AccountingData collection task Radius accountingTimestamp Event log LogsEvent logs Select Status Event LogCapture and display filters Configure Display Entity Security log System logConfiguration log Shutdown Chapter Administrative tasksAccessing the diskette drive RecoveryUsing the recovery diskette Recovery Diskette window Software/backup/v101/SN01001 Administrative tasks Automatic backups Select Admin Auto Backup Using the GUI for automatic backupTransferring backup files through Sftp Triggering a backup when a file or directory changesAutomatic Backup window appears. Figure Click Configure Specific Backup To overwrite a file, click Overwrite files at destination Specific Automatic Backup windowUsing the CLI for automatic backup Backing up specific files and directories Stopping the backup of specific files and directoriesBacking up changes to specific files or directories Stopping the transfer of backup files using Sftp Using Sftp to transfer backup filesSelect Admin Shutdown Click Disable new logins. Figure Disabling new loginsUpgrading the software Checking available disk space Select Admin File SystemCreating a control tunnel to upgrade from a remote location Select Admin Recovery and click Create Diskette Creating a recovery disketteBacking up system files Retrieving the new software Select Admin UpgradesFTP menu example Internal Radius Accounting Interim Radius Accounting Record Before completing the upgradeSelect Admin Shutdown and deselect Disable new logins After you upgrade the softwareApplying the software Administrative tasks Chapter Troubleshooting Client-based tools Troubleshooting toolsOther tools System-based toolsDiagnosing client connectivity problems Solving connectivity problemsCommon client connectivity problems Maximum number of sessions reached Login not allowed at this timeAuthentication failed Remote host not respondingNo proposal chosen Other IPsec errorsExtranet connection lost Problems with name resolution using DNS services Cannot browse the network with NetBEUI Network browsing problemsTroubleshooting Diagnosing WAN link problems Check the T1/V.35 interface Check the PPP layer Check the Hdlc framingHardware encryption accelerator connectivity Solving performance problemsPerformance tips for configuring Microsoft networking Eliminating modem errorsWhat should be configured on the Pptp or IPsec client? What Wins settings are recommended? Why should Wins settings be different for extranet access?What can you try on the Wins server when it is not working? Can I control which machine is the master browser? Why are subnet masks important? What should I do about subnets? Why cant I browse another client in a different tunnel? Troubleshooting Additional information Web browser problems and the VPN Client Manager Solving general problemsEnabling Web browser options Long delays when Web browsingImproving performance with Internet Explorer Clearing cache Web browser error messagesClearing your Web browser cache when upgrading Internal error messageInternet Explorer 4.0 multiple help windows New administrator login ignoredExcess resource consumption using Internet Explorer Document not found messageDistorted background images Reporting a problem with a Web browserSystem problems Power failureSelect Servers Ldap Click Stop Server Group and user profile settings not savedClient address redistribution problems Solving routing problemsAction Close the Stateful Firewall Manager Solving firewall problemsAn error occurred while parsing the policy An error occurred while communicating with the VPN RouterContents of the database may have changed Authorization failed. Please try againUnable to communicate with the VPN Router Action System files were not loaded properlyDeselect Cache JARs in Memory Troubleshooting NN46110-602 Chapter Packet capture Pcap features File format Security featuresPhysical interface captures Capture typesTunnel captures Global IP captures Capture filters Filters and triggersTriggers Memory considerations Saving captured dataPerformance considerations Enabling packet capture on a VPN Router Serial main menu appears Enter Privileged Exec modeCapturing packets to disk file Setting the Pcap file pathSetting the size of a disk capture file Setting the size of the RAM bufferSetting the maximum number of disk capture files Saving captured data Configuring and running packet capture objectsCreating a capture object Configuring a capture object CES#capture ether0 Tunnel capture parameters Starting, stopping, and saving capture objects Using the show capture command to display capture statusCES# show capture Interface capture object using a filter and direction Sample packet capture configurationsExit Capture Configuration mode CES#show capture test-filter-in Interface capture object using triggersCES#capture test-trigger start CES#show capture test-trigger Capture state Stopped by stop Tunnel capture object using a remote IP addressViewing a packet capture output file on a PC Installing Ethereal softwareLocate the Microsoft Windows row and click local archive Saving, downloading, and viewing Pcap files Click ethereal-setup-n.nn.n.exeGlobal IP capture Viewing a Pcap file with Sniffer ProClick Tools Options Protocol Forcing Deleting capture objects and disabling packet captureCES# no capture test-trigger Packet capture NN46110-602 RFC 1850-OSPF Version 2 Management Information Base Snmp RFC supportNovell IPX MIB Novell RIP-SAP MIBRFC 1213-Network Management of TCP/IP-Based Internets RFC 1724-RIP Version 2 MIB ExtensionRFC 2667-IP Tunnel MIB RFC 2737-Entity MIB RFC 2787-VRRP MIBRFC2790-Host Resources MIB RFC 1573-IanaIfType MIBRFC 2233-If MIB RFC 2571-Snmp-Framework MIBRFC2495-DS1 MIB VPN Router MIB RFC2863 Interface MIB 64 bit counters supportTRAP-TYPE Cestraps.mib-Nortel proprietary MIBVariables Newoak.mib Hardware-related traps Appendix a MIB support Appendix a MIB support Appendix a MIB support Server-related traps Appendix a MIB support Software-related traps Login-related trapsSystem-related traps Intrusion-related trapsInformation passed with every trap Provides trap categories and explanations Provides descriptions for the VPN Router traps Appendix a MIB support VPN Router traps MIB descriptions Appendix a MIB support VPN Router traps MIB descriptions Attached Failed Please note that X corresponds to Is not reachable and at least one Appendix a MIB support Appendix a MIB support VPN Router traps MIB descriptions IfReasonForStatus-ces-reason for the change in status Appendix a MIB support VPN Router traps MIB descriptions That triggered this event Appendix a MIB support VPN Router traps MIB descriptions Appendix a MIB support VPN Router traps MIB descriptions That triggered this event Establishing a serial PPP connection Appendix B Using serial PPPDouble-click the Microsoft Dial-Up Networking icon Setting up a Dial-Up Networking connectionSetting up the modem Setting up the VPN RouterSelect System Settings Appendix B Using serial PPP Actions Troubleshooting Serial PPPDialing in to the VPN Router CauseAction PPP option settings Appendix B Using serial PPP NN46110-602 Installed new CA certificate from file Error removing CA certificate fileCertificate messages TCert Shutdown complete TCert X.509 certificates disabled in flash memoryTCert task creation failed Isakmp 13 No proposal chosen in message from xxx a.b.c.d Isakmp messagesIsakmp 13 Authentication failure in message from xxx a.b.c.d No response from client-logging out Isakmp 13 xxx a.b.c.d has exceeded idle timeout-logging outBranch office messages Couldnt install route for remxxx@xxxChild cert xxx not valid signature by xxx SSL messagesChecking chain invalid parent cert Checking chain invalid child certFailed to start Configuration file xxx does not existDatabase messages No matching trusted CA certsAuthServer ldap inconsistent no server type in entry Ldif file could not restoreSecurity messages Account xxxxxx uid xxx not found in accountSecurity store new system IP address xxx failed-xxx Conn backlog reached, possible SYN attackSecurity store new system name xxx failed-xxx Security store new system subnet mask xxx failed-xxx Error copying entry xxx toError copying subentries of xxx to Error copying tree xxx toLocalAuthServer failed remove-xxx Error deleting entryError deleting tree SchemaCls Database schema not availableSession xxxxxx session rejected-system is initializing Session xxx uid invalid-authentication failedSession xxxxxx invalid uid-authentication failed Xxx xxx being referenced bySession xxxxxxxxx AddLink failed xxx current links Session xxxxxxxxx xxx auth method not allowedSession xxxxxxxxx account has max links Session xxxxxxxxx L2TP host xxx account misconfiguredSession xxxxxxxxx account is disabled Session xxxxxxxxx IP address assignment failedSession xxxxxxxxx account not allowed now Session xxxxxxxxx authentication failed usingSession xxxxxxxxx connect Qos level xxx full Session xxxxxxxxx only one session/static address allowed Session xxxxxxxxx login rejected new logins disabledDisable logins after restart checkbox is selected Session xxxxxxxxx no memory free xxx thresholdSession xxxxxxxxx system has max sessions Session xxxxxxxxx pool address xxx already in useSession xxxxxxxxx session directed to use server Session xxxxxxxxx static address xxx already in useRadius no reply from server server-nameport number Radius accounting messagesRadius server-name server timed out Indicated packet length too large Radius server-name server failedNon-matching ID in server response Radius user-name accounting record sent to server-name OK Unsupported response type number received from serverReceived bad attribute type from server Response OKLogin failure due to Server network connection failure Radius authentication messagesRadius no reply from Radius server server-nameport number Radius server-name server timed out authenticating user-name Non-matching id in server response Radius server-name sent challenge for user-name Radius server returned access challengeRadius access challenge received Radius server rejected accessRouting messages Radius user-name access Denied by server server-nameRadius user-name access OK by server server-name Ospf DisabledClosing OSPF-RTM connection Ospf EnabledOpened OSPF-RTM connection VR xxx Starting xxx as Master for Can not accept x.x.x.x as router idLoadOspfAreas Failed LoadOspfIntf FailedVR xxx Starting xxx as master delayed Backup for VR xxx Starting xxx as Backup forVR xxx Shutting down xxx on RIP xxx Cant alloc main node Unable to get configuration for VRRIP xxx RIP Enabled RIP xxx RIP DisabledRIP xxx bind RIP socket xxx failed RIP xxx Circuit xxx deletedRIP xxx Unable to register with UDP RIP xxx setsockopt RIP socket xxx Sorcvbuf xxx failedInterface nnn replaced, resetting config RIP xxx Unable to spawn timer task xxx for RIPRIP xxx cid xxx mismatched auth password from Interface nnn not present, deleting from configHWAccel nnn not present, deleting from config Interface nnn replaced, deleting from configAppendix C System messages NN46110-602 Configuring the Cisco 2514 router, Version Appendix D Configuring for interoperabilityVPN Router and Cisco 2514 network topology NN46110-602 Following is a show config command Configuring the VPN Router for Cisco interoperability Appendix D Configuring for interoperability Mask Connecting to IRE SafeNET/Soft-PK Security Policy ClientClick Pre-Shared Key 10.42SafeNet/Soft-PK Security Policy Editor dialog box appears Go to Profiles Networks and click Edit Configuring the VPN Router for IRE interoperabilityEncapsulation Protocol ESP SA Life Seconds and 3000 SecondsThird-party client installation Considerations for using third-party clients Appendix D Configuring for interoperability Configuring the VPN Router as a branch office tunnel Set Perfect Forward Secrecy PFS to match the client side Configuring the VPN Router as a user tunnelTo configure the VPN Router as a user tunnel Configuring IPX IPX client Windows NT IPX group configurationSample IPX VPN Router topology Windows 95 and WindowsIPX topology Nortel VPN Router Troubleshooting Appendix D Configuring for interoperability NN46110-602 Index Index Pptp Wins