Nortel VPN Router Troubleshooting
Trademarks
Copyright 2007 Nortel Networks. All rights reserved
Restricted rights legend
Statement of conditions
Nortel Networks Inc. software license agreement
Nortel VPN Router Troubleshooting
General
Contents
Chapter Status and logging
Chapter Troubleshooting
Chapter Packet capture
Appendix a MIB support
Appendix B Using serial PPP
Index
Contents NN46110-602
Figures
Figures NN46110-602
Tables
Tables NN46110-602
Text conventions
Before you begin
Italic text
Acronyms
L2TP
Related publications
Finding the latest updates on the Nortel Web site
Hard-copy technical manuals How to get help
Getting help from the Nortel Web site
Getting help over the phone from a Nortel Solutions Center
Getting help through a Nortel distributor or reseller
New in this release
Features
Pcap enhancements
Automatic backups
Snmp interface index enhancement
Administrator settings
Chapter VPN Router administration
VPN Router administration
Tools
Dynamic password
File management
System configuration
Simple Network Management Protocol Snmp
VPN Router administration
Admin Snmp Traps window
Click Enable for User IP Address Pool
To configure the amount
Chapter Status and logging
Reports
Sessions
Health check
System
Statistics
Accounting records
Accounting
Data collection task
Radius accounting
Timestamp
Event log
Logs
Event logs
Select Status Event Log
Capture and display filters
Configure Display Entity
Security log
System log
Configuration log
Shutdown
Chapter Administrative tasks
Accessing the diskette drive
Recovery
Using the recovery diskette
Recovery Diskette window
Software/backup/v101/SN01001
Administrative tasks
Automatic backups
Transferring backup files through Sftp
Using the GUI for automatic backup
Triggering a backup when a file or directory changes
Select Admin Auto Backup
Automatic Backup window appears. Figure
Click Configure Specific Backup
To overwrite a file, click Overwrite files at destination
Specific Automatic Backup window
Using the CLI for automatic backup
Backing up specific files and directories
Stopping the backup of specific files and directories
Backing up changes to specific files or directories
Stopping the transfer of backup files using Sftp
Using Sftp to transfer backup files
Select Admin Shutdown Click Disable new logins. Figure
Disabling new logins
Upgrading the software
Checking available disk space
Select Admin File System
Creating a control tunnel to upgrade from a remote location
Select Admin Recovery and click Create Diskette
Creating a recovery diskette
Backing up system files
Retrieving the new software
Select Admin Upgrades
FTP menu example
Internal Radius Accounting Interim Radius Accounting Record
Before completing the upgrade
Select Admin Shutdown and deselect Disable new logins
After you upgrade the software
Applying the software
Administrative tasks
Chapter Troubleshooting
Client-based tools
Troubleshooting tools
Other tools
System-based tools
Diagnosing client connectivity problems
Solving connectivity problems
Common client connectivity problems
Authentication failed
Login not allowed at this time
Remote host not responding
Maximum number of sessions reached
No proposal chosen
Other IPsec errors
Extranet connection lost
Problems with name resolution using DNS services
Cannot browse the network with NetBEUI
Network browsing problems
Troubleshooting
Diagnosing WAN link problems
Check the T1/V.35 interface
Check the PPP layer
Check the Hdlc framing
Performance tips for configuring Microsoft networking
Solving performance problems
Eliminating modem errors
Hardware encryption accelerator connectivity
What should be configured on the Pptp or IPsec client?
What Wins settings are recommended?
Why should Wins settings be different for extranet access?
What can you try on the Wins server when it is not working?
Can I control which machine is the master browser?
Why are subnet masks important?
What should I do about subnets?
Why cant I browse another client in a different tunnel?
Troubleshooting
Additional information
Web browser problems and the VPN Client Manager
Solving general problems
Enabling Web browser options
Long delays when Web browsing
Improving performance with Internet Explorer
Clearing your Web browser cache when upgrading
Web browser error messages
Internal error message
Clearing cache
Excess resource consumption using Internet Explorer
New administrator login ignored
Document not found message
Internet Explorer 4.0 multiple help windows
System problems
Reporting a problem with a Web browser
Power failure
Distorted background images
Select Servers Ldap Click Stop Server
Group and user profile settings not saved
Client address redistribution problems
Solving routing problems
An error occurred while parsing the policy
Solving firewall problems
An error occurred while communicating with the VPN Router
Action Close the Stateful Firewall Manager
Contents of the database may have changed
Authorization failed. Please try again
Unable to communicate with the VPN Router
Action
System files were not loaded properly
Deselect Cache JARs in Memory
Troubleshooting NN46110-602
Chapter Packet capture
Pcap features
File format
Security features
Physical interface captures
Capture types
Tunnel captures
Global IP captures
Capture filters
Filters and triggers
Triggers
Memory considerations
Saving captured data
Performance considerations
Enabling packet capture on a VPN Router
Serial main menu appears
Enter Privileged Exec mode
Capturing packets to disk file
Setting the Pcap file path
Setting the size of a disk capture file
Setting the size of the RAM buffer
Setting the maximum number of disk capture files
Saving captured data
Configuring and running packet capture objects
Creating a capture object
Configuring a capture object
CES#capture ether0
Tunnel capture parameters
Starting, stopping, and saving capture objects
Using the show capture command to display capture status
CES# show capture
Interface capture object using a filter and direction
Sample packet capture configurations
Exit Capture Configuration mode
CES#show capture test-filter-in
Interface capture object using triggers
CES#capture test-trigger start
CES#show capture test-trigger Capture state Stopped by stop
Tunnel capture object using a remote IP address
Viewing a packet capture output file on a PC
Installing Ethereal software
Locate the Microsoft Windows row and click local archive
Saving, downloading, and viewing Pcap files
Click ethereal-setup-n.nn.n.exe
Global IP capture
Viewing a Pcap file with Sniffer Pro
Click Tools Options Protocol Forcing
Deleting capture objects and disabling packet capture
CES# no capture test-trigger
Packet capture NN46110-602
Novell IPX MIB
Snmp RFC support
Novell RIP-SAP MIB
RFC 1850-OSPF Version 2 Management Information Base
RFC 1213-Network Management of TCP/IP-Based Internets
RFC 1724-RIP Version 2 MIB Extension
RFC 2667-IP Tunnel MIB
RFC 2737-Entity MIB
RFC 2787-VRRP MIB
RFC 2233-If MIB
RFC 1573-IanaIfType MIB
RFC 2571-Snmp-Framework MIB
RFC2790-Host Resources MIB
RFC2495-DS1 MIB
VPN Router MIB
RFC2863 Interface MIB 64 bit counters support
TRAP-TYPE
Cestraps.mib-Nortel proprietary MIB
Variables
Newoak.mib
Hardware-related traps
Appendix a MIB support
Appendix a MIB support
Appendix a MIB support
Server-related traps
Appendix a MIB support
Software-related traps
Login-related traps
System-related traps
Intrusion-related traps
Information passed with every trap
Provides trap categories and explanations
Provides descriptions for the VPN Router traps
Appendix a MIB support VPN Router traps MIB descriptions
Appendix a MIB support VPN Router traps MIB descriptions
Attached
Failed
Please note that X corresponds to
Is not reachable and at least one
Appendix a MIB support
Appendix a MIB support VPN Router traps MIB descriptions
IfReasonForStatus-ces-reason for the change in status
Appendix a MIB support VPN Router traps MIB descriptions
That triggered this event
Appendix a MIB support VPN Router traps MIB descriptions
Appendix a MIB support VPN Router traps MIB descriptions
That triggered this event
Establishing a serial PPP connection
Appendix B Using serial PPP
Double-click the Microsoft Dial-Up Networking icon
Setting up a Dial-Up Networking connection
Setting up the modem
Setting up the VPN Router
Select System Settings
Appendix B Using serial PPP
Dialing in to the VPN Router
Troubleshooting Serial PPP
Cause
Actions
Action
PPP option settings
Appendix B Using serial PPP NN46110-602
Installed new CA certificate from file
Error removing CA certificate file
Certificate messages
TCert Shutdown complete
TCert X.509 certificates disabled in flash memory
TCert task creation failed
Isakmp 13 No proposal chosen in message from xxx a.b.c.d
Isakmp messages
Isakmp 13 Authentication failure in message from xxx a.b.c.d
No response from client-logging out
Isakmp 13 xxx a.b.c.d has exceeded idle timeout-logging out
Branch office messages
Couldnt install route for remxxx@xxx
Checking chain invalid parent cert
SSL messages
Checking chain invalid child cert
Child cert xxx not valid signature by xxx
Database messages
Configuration file xxx does not exist
No matching trusted CA certs
Failed to start
Security messages
Ldif file could not restore
Account xxxxxx uid xxx not found in account
AuthServer ldap inconsistent no server type in entry
Security store new system IP address xxx failed-xxx
Conn backlog reached, possible SYN attack
Security store new system name xxx failed-xxx
Error copying subentries of xxx to
Error copying entry xxx to
Error copying tree xxx to
Security store new system subnet mask xxx failed-xxx
Error deleting tree
Error deleting entry
SchemaCls Database schema not available
LocalAuthServer failed remove-xxx
Session xxxxxx invalid uid-authentication failed
Session xxx uid invalid-authentication failed
Xxx xxx being referenced by
Session xxxxxx session rejected-system is initializing
Session xxxxxxxxx AddLink failed xxx current links
Session xxxxxxxxx xxx auth method not allowed
Session xxxxxxxxx account is disabled
Session xxxxxxxxx L2TP host xxx account misconfigured
Session xxxxxxxxx IP address assignment failed
Session xxxxxxxxx account has max links
Session xxxxxxxxx account not allowed now
Session xxxxxxxxx authentication failed using
Session xxxxxxxxx connect Qos level xxx full
Disable logins after restart checkbox is selected
Session xxxxxxxxx login rejected new logins disabled
Session xxxxxxxxx no memory free xxx threshold
Session xxxxxxxxx only one session/static address allowed
Session xxxxxxxxx session directed to use server
Session xxxxxxxxx pool address xxx already in use
Session xxxxxxxxx static address xxx already in use
Session xxxxxxxxx system has max sessions
Radius no reply from server server-nameport number
Radius accounting messages
Radius server-name server timed out
Indicated packet length too large
Radius server-name server failed
Non-matching ID in server response
Received bad attribute type from server
Unsupported response type number received from server
Response OK
Radius user-name accounting record sent to server-name OK
Login failure due to Server network connection failure
Radius authentication messages
Radius no reply from Radius server server-nameport number
Radius server-name server timed out authenticating user-name
Non-matching id in server response
Radius access challenge received
Radius server returned access challenge
Radius server rejected access
Radius server-name sent challenge for user-name
Radius user-name access OK by server server-name
Radius user-name access Denied by server server-name
Ospf Disabled
Routing messages
Closing OSPF-RTM connection
Ospf Enabled
Opened OSPF-RTM connection
LoadOspfAreas Failed
Can not accept x.x.x.x as router id
LoadOspfIntf Failed
VR xxx Starting xxx as Master for
VR xxx Starting xxx as master delayed Backup for
VR xxx Starting xxx as Backup for
VR xxx Shutting down xxx on
RIP xxx RIP Enabled
Unable to get configuration for VR
RIP xxx RIP Disabled
RIP xxx Cant alloc main node
RIP xxx Unable to register with UDP
RIP xxx Circuit xxx deleted
RIP xxx setsockopt RIP socket xxx Sorcvbuf xxx failed
RIP xxx bind RIP socket xxx failed
RIP xxx cid xxx mismatched auth password from
RIP xxx Unable to spawn timer task xxx for RIP
Interface nnn not present, deleting from config
Interface nnn replaced, resetting config
HWAccel nnn not present, deleting from config
Interface nnn replaced, deleting from config
Appendix C System messages NN46110-602
Configuring the Cisco 2514 router, Version
Appendix D Configuring for interoperability
VPN Router and Cisco 2514 network topology NN46110-602
Following is a show config command
Configuring the VPN Router for Cisco interoperability
Appendix D Configuring for interoperability
Mask
Connecting to IRE SafeNET/Soft-PK Security Policy Client
Click Pre-Shared Key
10.42
SafeNet/Soft-PK Security Policy Editor dialog box appears
Encapsulation Protocol ESP
Configuring the VPN Router for IRE interoperability
SA Life Seconds and 3000 Seconds
Go to Profiles Networks and click Edit
Third-party client installation
Considerations for using third-party clients
Appendix D Configuring for interoperability
Configuring the VPN Router as a branch office tunnel
Set Perfect Forward Secrecy PFS to match the client side
Configuring the VPN Router as a user tunnel
To configure the VPN Router as a user tunnel
Configuring IPX
IPX client
Sample IPX VPN Router topology
IPX group configuration
Windows 95 and Windows
Windows NT
IPX topology Nortel VPN Router Troubleshooting
Appendix D Configuring for interoperability NN46110-602
Index
Index
Pptp
Wins
