Nortel VPN Router Troubleshooting
Statement of conditions
Copyright 2007 Nortel Networks. All rights reserved
Trademarks
Restricted rights legend
Nortel Networks Inc. software license agreement
Nortel VPN Router Troubleshooting
General
Contents
Chapter Status and logging
Chapter Troubleshooting
Chapter Packet capture
Appendix a MIB support
Appendix B Using serial PPP
Index
Contents NN46110-602
Figures
Figures NN46110-602
Tables
Tables NN46110-602
Text conventions
Before you begin
Italic text
Acronyms
L2TP
Related publications
Finding the latest updates on the Nortel Web site
Hard-copy technical manuals How to get help
Getting help from the Nortel Web site
Getting help over the phone from a Nortel Solutions Center
Getting help through a Nortel distributor or reseller
New in this release
Features
Automatic backups
Pcap enhancements
Snmp interface index enhancement
Administrator settings
Chapter VPN Router administration
VPN Router administration
Tools
Dynamic password
File management
System configuration
Simple Network Management Protocol Snmp
VPN Router administration
Admin Snmp Traps window
Click Enable for User IP Address Pool
To configure the amount
Chapter Status and logging
Reports
Sessions
System
Health check
Statistics
Accounting records
Accounting
Data collection task
Radius accounting
Timestamp
Event log
Logs
Event logs
Select Status Event Log
Capture and display filters
Configure Display Entity
Security log
System log
Configuration log
Shutdown
Chapter Administrative tasks
Recovery
Accessing the diskette drive
Using the recovery diskette
Recovery Diskette window
Software/backup/v101/SN01001
Administrative tasks
Automatic backups
Select Admin Auto Backup
Using the GUI for automatic backup
Transferring backup files through Sftp
Triggering a backup when a file or directory changes
Automatic Backup window appears. Figure
Click Configure Specific Backup
To overwrite a file, click Overwrite files at destination
Specific Automatic Backup window
Using the CLI for automatic backup
Stopping the backup of specific files and directories
Backing up specific files and directories
Backing up changes to specific files or directories
Stopping the transfer of backup files using Sftp
Using Sftp to transfer backup files
Disabling new logins
Select Admin Shutdown Click Disable new logins. Figure
Upgrading the software
Checking available disk space
Select Admin File System
Creating a control tunnel to upgrade from a remote location
Creating a recovery diskette
Select Admin Recovery and click Create Diskette
Backing up system files
Retrieving the new software
Select Admin Upgrades
FTP menu example
Internal Radius Accounting Interim Radius Accounting Record
Before completing the upgrade
After you upgrade the software
Select Admin Shutdown and deselect Disable new logins
Applying the software
Administrative tasks
Chapter Troubleshooting
Client-based tools
Troubleshooting tools
Other tools
System-based tools
Diagnosing client connectivity problems
Solving connectivity problems
Common client connectivity problems
Maximum number of sessions reached
Login not allowed at this time
Authentication failed
Remote host not responding
Other IPsec errors
No proposal chosen
Extranet connection lost
Problems with name resolution using DNS services
Cannot browse the network with NetBEUI
Network browsing problems
Troubleshooting
Diagnosing WAN link problems
Check the T1/V.35 interface
Check the PPP layer
Check the Hdlc framing
Hardware encryption accelerator connectivity
Solving performance problems
Performance tips for configuring Microsoft networking
Eliminating modem errors
What should be configured on the Pptp or IPsec client?
What Wins settings are recommended?
Why should Wins settings be different for extranet access?
What can you try on the Wins server when it is not working?
Can I control which machine is the master browser?
Why are subnet masks important?
What should I do about subnets?
Why cant I browse another client in a different tunnel?
Troubleshooting
Additional information
Web browser problems and the VPN Client Manager
Solving general problems
Long delays when Web browsing
Enabling Web browser options
Improving performance with Internet Explorer
Clearing cache
Web browser error messages
Clearing your Web browser cache when upgrading
Internal error message
Internet Explorer 4.0 multiple help windows
New administrator login ignored
Excess resource consumption using Internet Explorer
Document not found message
Distorted background images
Reporting a problem with a Web browser
System problems
Power failure
Select Servers Ldap Click Stop Server
Group and user profile settings not saved
Client address redistribution problems
Solving routing problems
Action Close the Stateful Firewall Manager
Solving firewall problems
An error occurred while parsing the policy
An error occurred while communicating with the VPN Router
Authorization failed. Please try again
Contents of the database may have changed
Unable to communicate with the VPN Router
System files were not loaded properly
Action
Deselect Cache JARs in Memory
Troubleshooting NN46110-602
Chapter Packet capture
Pcap features
File format
Security features
Capture types
Physical interface captures
Tunnel captures
Global IP captures
Filters and triggers
Capture filters
Triggers
Memory considerations
Saving captured data
Performance considerations
Enabling packet capture on a VPN Router
Serial main menu appears
Enter Privileged Exec mode
Capturing packets to disk file
Setting the Pcap file path
Setting the size of the RAM buffer
Setting the size of a disk capture file
Setting the maximum number of disk capture files
Configuring and running packet capture objects
Saving captured data
Creating a capture object
Configuring a capture object
CES#capture ether0
Tunnel capture parameters
Starting, stopping, and saving capture objects
Using the show capture command to display capture status
CES# show capture
Sample packet capture configurations
Interface capture object using a filter and direction
Exit Capture Configuration mode
CES#show capture test-filter-in
Interface capture object using triggers
CES#capture test-trigger start
CES#show capture test-trigger Capture state Stopped by stop
Tunnel capture object using a remote IP address
Installing Ethereal software
Viewing a packet capture output file on a PC
Locate the Microsoft Windows row and click local archive
Saving, downloading, and viewing Pcap files
Click ethereal-setup-n.nn.n.exe
Global IP capture
Viewing a Pcap file with Sniffer Pro
Click Tools Options Protocol Forcing
Deleting capture objects and disabling packet capture
CES# no capture test-trigger
Packet capture NN46110-602
RFC 1850-OSPF Version 2 Management Information Base
Snmp RFC support
Novell IPX MIB
Novell RIP-SAP MIB
RFC 1724-RIP Version 2 MIB Extension
RFC 1213-Network Management of TCP/IP-Based Internets
RFC 2667-IP Tunnel MIB
RFC 2737-Entity MIB
RFC 2787-VRRP MIB
RFC2790-Host Resources MIB
RFC 1573-IanaIfType MIB
RFC 2233-If MIB
RFC 2571-Snmp-Framework MIB
RFC2495-DS1 MIB
VPN Router MIB
RFC2863 Interface MIB 64 bit counters support
TRAP-TYPE
Cestraps.mib-Nortel proprietary MIB
Variables
Newoak.mib
Hardware-related traps
Appendix a MIB support
Appendix a MIB support
Appendix a MIB support
Server-related traps
Appendix a MIB support
Software-related traps
Login-related traps
System-related traps
Intrusion-related traps
Information passed with every trap
Provides trap categories and explanations
Provides descriptions for the VPN Router traps
Appendix a MIB support VPN Router traps MIB descriptions
Appendix a MIB support VPN Router traps MIB descriptions
Attached
Failed
Please note that X corresponds to
Is not reachable and at least one
Appendix a MIB support
Appendix a MIB support VPN Router traps MIB descriptions
IfReasonForStatus-ces-reason for the change in status
Appendix a MIB support VPN Router traps MIB descriptions
That triggered this event
Appendix a MIB support VPN Router traps MIB descriptions
Appendix a MIB support VPN Router traps MIB descriptions
That triggered this event
Establishing a serial PPP connection
Appendix B Using serial PPP
Double-click the Microsoft Dial-Up Networking icon
Setting up a Dial-Up Networking connection
Setting up the VPN Router
Setting up the modem
Select System Settings
Appendix B Using serial PPP
Actions
Troubleshooting Serial PPP
Dialing in to the VPN Router
Cause
Action
PPP option settings
Appendix B Using serial PPP NN46110-602
Error removing CA certificate file
Installed new CA certificate from file
Certificate messages
TCert X.509 certificates disabled in flash memory
TCert Shutdown complete
TCert task creation failed
Isakmp 13 No proposal chosen in message from xxx a.b.c.d
Isakmp messages
Isakmp 13 Authentication failure in message from xxx a.b.c.d
No response from client-logging out
Isakmp 13 xxx a.b.c.d has exceeded idle timeout-logging out
Branch office messages
Couldnt install route for remxxx@xxx
Child cert xxx not valid signature by xxx
SSL messages
Checking chain invalid parent cert
Checking chain invalid child cert
Failed to start
Configuration file xxx does not exist
Database messages
No matching trusted CA certs
AuthServer ldap inconsistent no server type in entry
Ldif file could not restore
Security messages
Account xxxxxx uid xxx not found in account
Conn backlog reached, possible SYN attack
Security store new system IP address xxx failed-xxx
Security store new system name xxx failed-xxx
Security store new system subnet mask xxx failed-xxx
Error copying entry xxx to
Error copying subentries of xxx to
Error copying tree xxx to
LocalAuthServer failed remove-xxx
Error deleting entry
Error deleting tree
SchemaCls Database schema not available
Session xxxxxx session rejected-system is initializing
Session xxx uid invalid-authentication failed
Session xxxxxx invalid uid-authentication failed
Xxx xxx being referenced by
Session xxxxxxxxx AddLink failed xxx current links
Session xxxxxxxxx xxx auth method not allowed
Session xxxxxxxxx account has max links
Session xxxxxxxxx L2TP host xxx account misconfigured
Session xxxxxxxxx account is disabled
Session xxxxxxxxx IP address assignment failed
Session xxxxxxxxx authentication failed using
Session xxxxxxxxx account not allowed now
Session xxxxxxxxx connect Qos level xxx full
Session xxxxxxxxx only one session/static address allowed
Session xxxxxxxxx login rejected new logins disabled
Disable logins after restart checkbox is selected
Session xxxxxxxxx no memory free xxx threshold
Session xxxxxxxxx system has max sessions
Session xxxxxxxxx pool address xxx already in use
Session xxxxxxxxx session directed to use server
Session xxxxxxxxx static address xxx already in use
Radius accounting messages
Radius no reply from server server-nameport number
Radius server-name server timed out
Radius server-name server failed
Indicated packet length too large
Non-matching ID in server response
Radius user-name accounting record sent to server-name OK
Unsupported response type number received from server
Received bad attribute type from server
Response OK
Radius authentication messages
Login failure due to Server network connection failure
Radius no reply from Radius server server-nameport number
Radius server-name server timed out authenticating user-name
Non-matching id in server response
Radius server-name sent challenge for user-name
Radius server returned access challenge
Radius access challenge received
Radius server rejected access
Routing messages
Radius user-name access Denied by server server-name
Radius user-name access OK by server server-name
Ospf Disabled
Ospf Enabled
Closing OSPF-RTM connection
Opened OSPF-RTM connection
VR xxx Starting xxx as Master for
Can not accept x.x.x.x as router id
LoadOspfAreas Failed
LoadOspfIntf Failed
VR xxx Starting xxx as Backup for
VR xxx Starting xxx as master delayed Backup for
VR xxx Shutting down xxx on
RIP xxx Cant alloc main node
Unable to get configuration for VR
RIP xxx RIP Enabled
RIP xxx RIP Disabled
RIP xxx bind RIP socket xxx failed
RIP xxx Circuit xxx deleted
RIP xxx Unable to register with UDP
RIP xxx setsockopt RIP socket xxx Sorcvbuf xxx failed
Interface nnn replaced, resetting config
RIP xxx Unable to spawn timer task xxx for RIP
RIP xxx cid xxx mismatched auth password from
Interface nnn not present, deleting from config
HWAccel nnn not present, deleting from config
Interface nnn replaced, deleting from config
Appendix C System messages NN46110-602
Configuring the Cisco 2514 router, Version
Appendix D Configuring for interoperability
VPN Router and Cisco 2514 network topology NN46110-602
Following is a show config command
Configuring the VPN Router for Cisco interoperability
Appendix D Configuring for interoperability
Mask
Connecting to IRE SafeNET/Soft-PK Security Policy Client
Click Pre-Shared Key
10.42
SafeNet/Soft-PK Security Policy Editor dialog box appears
Go to Profiles Networks and click Edit
Configuring the VPN Router for IRE interoperability
Encapsulation Protocol ESP
SA Life Seconds and 3000 Seconds
Third-party client installation
Considerations for using third-party clients
Appendix D Configuring for interoperability
Configuring the VPN Router as a branch office tunnel
Set Perfect Forward Secrecy PFS to match the client side
Configuring the VPN Router as a user tunnel
To configure the VPN Router as a user tunnel
Configuring IPX
IPX client
Windows NT
IPX group configuration
Sample IPX VPN Router topology
Windows 95 and Windows
IPX topology Nortel VPN Router Troubleshooting
Appendix D Configuring for interoperability NN46110-602
Index
Index
Pptp
Wins