Nortel VPN Router Troubleshooting
Restricted rights legend
Copyright 2007 Nortel Networks. All rights reserved
Trademarks
Statement of conditions
Nortel VPN Router Troubleshooting
Nortel Networks Inc. software license agreement
General
Contents
Chapter Status and logging
Chapter Troubleshooting
Chapter Packet capture
Appendix a MIB support
Appendix B Using serial PPP
Index
Contents NN46110-602
Figures
Figures NN46110-602
Tables
Tables NN46110-602
Before you begin
Text conventions
Italic text
Acronyms
L2TP
Related publications
Hard-copy technical manuals How to get help
Finding the latest updates on the Nortel Web site
Getting help over the phone from a Nortel Solutions Center
Getting help from the Nortel Web site
Getting help through a Nortel distributor or reseller
Features
New in this release
Snmp interface index enhancement
Automatic backups
Pcap enhancements
Chapter VPN Router administration
Administrator settings
VPN Router administration
Dynamic password
Tools
System configuration
File management
Simple Network Management Protocol Snmp
VPN Router administration
Click Enable for User IP Address Pool
Admin Snmp Traps window
To configure the amount
Chapter Status and logging
Sessions
Reports
Statistics
System
Health check
Accounting
Accounting records
Radius accounting
Data collection task
Timestamp
Logs
Event log
Select Status Event Log
Event logs
Capture and display filters
Configure Display Entity
System log
Security log
Configuration log
Chapter Administrative tasks
Shutdown
Using the recovery diskette
Recovery
Accessing the diskette drive
Recovery Diskette window
Software/backup/v101/SN01001
Administrative tasks
Automatic backups
Triggering a backup when a file or directory changes
Using the GUI for automatic backup
Transferring backup files through Sftp
Select Admin Auto Backup
Automatic Backup window appears. Figure
Click Configure Specific Backup
Specific Automatic Backup window
To overwrite a file, click Overwrite files at destination
Using the CLI for automatic backup
Backing up changes to specific files or directories
Stopping the backup of specific files and directories
Backing up specific files and directories
Using Sftp to transfer backup files
Stopping the transfer of backup files using Sftp
Upgrading the software
Disabling new logins
Select Admin Shutdown Click Disable new logins. Figure
Select Admin File System
Checking available disk space
Creating a control tunnel to upgrade from a remote location
Backing up system files
Creating a recovery diskette
Select Admin Recovery and click Create Diskette
Select Admin Upgrades
Retrieving the new software
FTP menu example
Before completing the upgrade
Internal Radius Accounting Interim Radius Accounting Record
Applying the software
After you upgrade the software
Select Admin Shutdown and deselect Disable new logins
Administrative tasks
Chapter Troubleshooting
Troubleshooting tools
Client-based tools
System-based tools
Other tools
Solving connectivity problems
Diagnosing client connectivity problems
Common client connectivity problems
Remote host not responding
Login not allowed at this time
Authentication failed
Maximum number of sessions reached
Extranet connection lost
Other IPsec errors
No proposal chosen
Problems with name resolution using DNS services
Network browsing problems
Cannot browse the network with NetBEUI
Troubleshooting
Diagnosing WAN link problems
Check the T1/V.35 interface
Check the Hdlc framing
Check the PPP layer
Eliminating modem errors
Solving performance problems
Performance tips for configuring Microsoft networking
Hardware encryption accelerator connectivity
What should be configured on the Pptp or IPsec client?
Why should Wins settings be different for extranet access?
What Wins settings are recommended?
What can you try on the Wins server when it is not working?
Can I control which machine is the master browser?
Why are subnet masks important?
What should I do about subnets?
Why cant I browse another client in a different tunnel?
Troubleshooting
Additional information
Solving general problems
Web browser problems and the VPN Client Manager
Improving performance with Internet Explorer
Long delays when Web browsing
Enabling Web browser options
Internal error message
Web browser error messages
Clearing your Web browser cache when upgrading
Clearing cache
Document not found message
New administrator login ignored
Excess resource consumption using Internet Explorer
Internet Explorer 4.0 multiple help windows
Power failure
Reporting a problem with a Web browser
System problems
Distorted background images
Group and user profile settings not saved
Select Servers Ldap Click Stop Server
Solving routing problems
Client address redistribution problems
An error occurred while communicating with the VPN Router
Solving firewall problems
An error occurred while parsing the policy
Action Close the Stateful Firewall Manager
Unable to communicate with the VPN Router
Authorization failed. Please try again
Contents of the database may have changed
Deselect Cache JARs in Memory
System files were not loaded properly
Action
Troubleshooting NN46110-602
Chapter Packet capture
Pcap features
Security features
File format
Tunnel captures
Capture types
Physical interface captures
Global IP captures
Triggers
Filters and triggers
Capture filters
Saving captured data
Memory considerations
Performance considerations
Enabling packet capture on a VPN Router
Enter Privileged Exec mode
Serial main menu appears
Setting the Pcap file path
Capturing packets to disk file
Setting the maximum number of disk capture files
Setting the size of the RAM buffer
Setting the size of a disk capture file
Creating a capture object
Configuring and running packet capture objects
Saving captured data
Configuring a capture object
CES#capture ether0
Tunnel capture parameters
Using the show capture command to display capture status
Starting, stopping, and saving capture objects
CES# show capture
Exit Capture Configuration mode
Sample packet capture configurations
Interface capture object using a filter and direction
Interface capture object using triggers
CES#show capture test-filter-in
CES#capture test-trigger start
Tunnel capture object using a remote IP address
CES#show capture test-trigger Capture state Stopped by stop
Locate the Microsoft Windows row and click local archive
Installing Ethereal software
Viewing a packet capture output file on a PC
Click ethereal-setup-n.nn.n.exe
Saving, downloading, and viewing Pcap files
Viewing a Pcap file with Sniffer Pro
Global IP capture
Deleting capture objects and disabling packet capture
Click Tools Options Protocol Forcing
CES# no capture test-trigger
Packet capture NN46110-602
Novell RIP-SAP MIB
Snmp RFC support
Novell IPX MIB
RFC 1850-OSPF Version 2 Management Information Base
RFC 2667-IP Tunnel MIB
RFC 1724-RIP Version 2 MIB Extension
RFC 1213-Network Management of TCP/IP-Based Internets
RFC 2787-VRRP MIB
RFC 2737-Entity MIB
RFC 2571-Snmp-Framework MIB
RFC 1573-IanaIfType MIB
RFC 2233-If MIB
RFC2790-Host Resources MIB
RFC2495-DS1 MIB
RFC2863 Interface MIB 64 bit counters support
VPN Router MIB
Cestraps.mib-Nortel proprietary MIB
TRAP-TYPE
Variables
Newoak.mib
Hardware-related traps
Appendix a MIB support
Appendix a MIB support
Appendix a MIB support
Server-related traps
Appendix a MIB support
Login-related traps
Software-related traps
Intrusion-related traps
System-related traps
Information passed with every trap
Provides trap categories and explanations
Provides descriptions for the VPN Router traps
Appendix a MIB support VPN Router traps MIB descriptions
Appendix a MIB support VPN Router traps MIB descriptions
Attached
Failed
Please note that X corresponds to
Is not reachable and at least one
Appendix a MIB support
Appendix a MIB support VPN Router traps MIB descriptions
IfReasonForStatus-ces-reason for the change in status
Appendix a MIB support VPN Router traps MIB descriptions
That triggered this event
Appendix a MIB support VPN Router traps MIB descriptions
Appendix a MIB support VPN Router traps MIB descriptions
That triggered this event
Appendix B Using serial PPP
Establishing a serial PPP connection
Setting up a Dial-Up Networking connection
Double-click the Microsoft Dial-Up Networking icon
Select System Settings
Setting up the VPN Router
Setting up the modem
Appendix B Using serial PPP
Cause
Troubleshooting Serial PPP
Dialing in to the VPN Router
Actions
Action
PPP option settings
Appendix B Using serial PPP NN46110-602
Certificate messages
Error removing CA certificate file
Installed new CA certificate from file
TCert task creation failed
TCert X.509 certificates disabled in flash memory
TCert Shutdown complete
Isakmp messages
Isakmp 13 No proposal chosen in message from xxx a.b.c.d
Isakmp 13 Authentication failure in message from xxx a.b.c.d
Isakmp 13 xxx a.b.c.d has exceeded idle timeout-logging out
No response from client-logging out
Couldnt install route for remxxx@xxx
Branch office messages
Checking chain invalid child cert
SSL messages
Checking chain invalid parent cert
Child cert xxx not valid signature by xxx
No matching trusted CA certs
Configuration file xxx does not exist
Database messages
Failed to start
Account xxxxxx uid xxx not found in account
Ldif file could not restore
Security messages
AuthServer ldap inconsistent no server type in entry
Security store new system name xxx failed-xxx
Conn backlog reached, possible SYN attack
Security store new system IP address xxx failed-xxx
Error copying tree xxx to
Error copying entry xxx to
Error copying subentries of xxx to
Security store new system subnet mask xxx failed-xxx
SchemaCls Database schema not available
Error deleting entry
Error deleting tree
LocalAuthServer failed remove-xxx
Xxx xxx being referenced by
Session xxx uid invalid-authentication failed
Session xxxxxx invalid uid-authentication failed
Session xxxxxx session rejected-system is initializing
Session xxxxxxxxx xxx auth method not allowed
Session xxxxxxxxx AddLink failed xxx current links
Session xxxxxxxxx IP address assignment failed
Session xxxxxxxxx L2TP host xxx account misconfigured
Session xxxxxxxxx account is disabled
Session xxxxxxxxx account has max links
Session xxxxxxxxx connect Qos level xxx full
Session xxxxxxxxx authentication failed using
Session xxxxxxxxx account not allowed now
Session xxxxxxxxx no memory free xxx threshold
Session xxxxxxxxx login rejected new logins disabled
Disable logins after restart checkbox is selected
Session xxxxxxxxx only one session/static address allowed
Session xxxxxxxxx static address xxx already in use
Session xxxxxxxxx pool address xxx already in use
Session xxxxxxxxx session directed to use server
Session xxxxxxxxx system has max sessions
Radius server-name server timed out
Radius accounting messages
Radius no reply from server server-nameport number
Non-matching ID in server response
Radius server-name server failed
Indicated packet length too large
Response OK
Unsupported response type number received from server
Received bad attribute type from server
Radius user-name accounting record sent to server-name OK
Radius no reply from Radius server server-nameport number
Radius authentication messages
Login failure due to Server network connection failure
Radius server-name server timed out authenticating user-name
Non-matching id in server response
Radius server rejected access
Radius server returned access challenge
Radius access challenge received
Radius server-name sent challenge for user-name
Ospf Disabled
Radius user-name access Denied by server server-name
Radius user-name access OK by server server-name
Routing messages
Opened OSPF-RTM connection
Ospf Enabled
Closing OSPF-RTM connection
LoadOspfIntf Failed
Can not accept x.x.x.x as router id
LoadOspfAreas Failed
VR xxx Starting xxx as Master for
VR xxx Shutting down xxx on
VR xxx Starting xxx as Backup for
VR xxx Starting xxx as master delayed Backup for
RIP xxx RIP Disabled
Unable to get configuration for VR
RIP xxx RIP Enabled
RIP xxx Cant alloc main node
RIP xxx setsockopt RIP socket xxx Sorcvbuf xxx failed
RIP xxx Circuit xxx deleted
RIP xxx Unable to register with UDP
RIP xxx bind RIP socket xxx failed
Interface nnn not present, deleting from config
RIP xxx Unable to spawn timer task xxx for RIP
RIP xxx cid xxx mismatched auth password from
Interface nnn replaced, resetting config
Interface nnn replaced, deleting from config
HWAccel nnn not present, deleting from config
Appendix C System messages NN46110-602
Appendix D Configuring for interoperability
Configuring the Cisco 2514 router, Version
VPN Router and Cisco 2514 network topology NN46110-602
Following is a show config command
Configuring the VPN Router for Cisco interoperability
Appendix D Configuring for interoperability
Connecting to IRE SafeNET/Soft-PK Security Policy Client
Mask
10.42
Click Pre-Shared Key
SafeNet/Soft-PK Security Policy Editor dialog box appears
SA Life Seconds and 3000 Seconds
Configuring the VPN Router for IRE interoperability
Encapsulation Protocol ESP
Go to Profiles Networks and click Edit
Third-party client installation
Considerations for using third-party clients
Appendix D Configuring for interoperability
Configuring the VPN Router as a branch office tunnel
Configuring the VPN Router as a user tunnel
Set Perfect Forward Secrecy PFS to match the client side
To configure the VPN Router as a user tunnel
Configuring IPX
IPX client
Windows 95 and Windows
IPX group configuration
Sample IPX VPN Router topology
Windows NT
IPX topology Nortel VPN Router Troubleshooting
Appendix D Configuring for interoperability NN46110-602
Index
Index
Pptp
Wins
