Nortel VPN Router Troubleshooting
Copyright 2007 Nortel Networks. All rights reserved
Trademarks
Restricted rights legend
Statement of conditions
Nortel VPN Router Troubleshooting
Nortel Networks Inc. software license agreement
General
Contents
Chapter Status and logging
Chapter Troubleshooting
Chapter Packet capture
Appendix a MIB support
Appendix B Using serial PPP
Index
Contents NN46110-602
Figures
Figures NN46110-602
Tables
Tables NN46110-602
Before you begin
Text conventions
Italic text
Acronyms
L2TP
Related publications
Hard-copy technical manuals How to get help
Finding the latest updates on the Nortel Web site
Getting help over the phone from a Nortel Solutions Center
Getting help from the Nortel Web site
Getting help through a Nortel distributor or reseller
Features
New in this release
Pcap enhancements
Automatic backups
Snmp interface index enhancement
Chapter VPN Router administration
Administrator settings
VPN Router administration
Dynamic password
Tools
System configuration
File management
Simple Network Management Protocol Snmp
VPN Router administration
Click Enable for User IP Address Pool
Admin Snmp Traps window
To configure the amount
Chapter Status and logging
Sessions
Reports
Health check
System
Statistics
Accounting
Accounting records
Radius accounting
Data collection task
Timestamp
Logs
Event log
Select Status Event Log
Event logs
Capture and display filters
Configure Display Entity
System log
Security log
Configuration log
Chapter Administrative tasks
Shutdown
Accessing the diskette drive
Recovery
Using the recovery diskette
Recovery Diskette window
Software/backup/v101/SN01001
Administrative tasks
Automatic backups
Using the GUI for automatic backup
Transferring backup files through Sftp
Triggering a backup when a file or directory changes
Select Admin Auto Backup
Automatic Backup window appears. Figure
Click Configure Specific Backup
Specific Automatic Backup window
To overwrite a file, click Overwrite files at destination
Using the CLI for automatic backup
Backing up specific files and directories
Stopping the backup of specific files and directories
Backing up changes to specific files or directories
Using Sftp to transfer backup files
Stopping the transfer of backup files using Sftp
Select Admin Shutdown Click Disable new logins. Figure
Disabling new logins
Upgrading the software
Select Admin File System
Checking available disk space
Creating a control tunnel to upgrade from a remote location
Select Admin Recovery and click Create Diskette
Creating a recovery diskette
Backing up system files
Select Admin Upgrades
Retrieving the new software
FTP menu example
Before completing the upgrade
Internal Radius Accounting Interim Radius Accounting Record
Select Admin Shutdown and deselect Disable new logins
After you upgrade the software
Applying the software
Administrative tasks
Chapter Troubleshooting
Troubleshooting tools
Client-based tools
System-based tools
Other tools
Solving connectivity problems
Diagnosing client connectivity problems
Common client connectivity problems
Login not allowed at this time
Authentication failed
Remote host not responding
Maximum number of sessions reached
No proposal chosen
Other IPsec errors
Extranet connection lost
Problems with name resolution using DNS services
Network browsing problems
Cannot browse the network with NetBEUI
Troubleshooting
Diagnosing WAN link problems
Check the T1/V.35 interface
Check the Hdlc framing
Check the PPP layer
Solving performance problems
Performance tips for configuring Microsoft networking
Eliminating modem errors
Hardware encryption accelerator connectivity
What should be configured on the Pptp or IPsec client?
Why should Wins settings be different for extranet access?
What Wins settings are recommended?
What can you try on the Wins server when it is not working?
Can I control which machine is the master browser?
Why are subnet masks important?
What should I do about subnets?
Why cant I browse another client in a different tunnel?
Troubleshooting
Additional information
Solving general problems
Web browser problems and the VPN Client Manager
Enabling Web browser options
Long delays when Web browsing
Improving performance with Internet Explorer
Web browser error messages
Clearing your Web browser cache when upgrading
Internal error message
Clearing cache
New administrator login ignored
Excess resource consumption using Internet Explorer
Document not found message
Internet Explorer 4.0 multiple help windows
Reporting a problem with a Web browser
System problems
Power failure
Distorted background images
Group and user profile settings not saved
Select Servers Ldap Click Stop Server
Solving routing problems
Client address redistribution problems
Solving firewall problems
An error occurred while parsing the policy
An error occurred while communicating with the VPN Router
Action Close the Stateful Firewall Manager
Contents of the database may have changed
Authorization failed. Please try again
Unable to communicate with the VPN Router
Action
System files were not loaded properly
Deselect Cache JARs in Memory
Troubleshooting NN46110-602
Chapter Packet capture
Pcap features
Security features
File format
Physical interface captures
Capture types
Tunnel captures
Global IP captures
Capture filters
Filters and triggers
Triggers
Saving captured data
Memory considerations
Performance considerations
Enabling packet capture on a VPN Router
Enter Privileged Exec mode
Serial main menu appears
Setting the Pcap file path
Capturing packets to disk file
Setting the size of a disk capture file
Setting the size of the RAM buffer
Setting the maximum number of disk capture files
Saving captured data
Configuring and running packet capture objects
Creating a capture object
Configuring a capture object
CES#capture ether0
Tunnel capture parameters
Using the show capture command to display capture status
Starting, stopping, and saving capture objects
CES# show capture
Interface capture object using a filter and direction
Sample packet capture configurations
Exit Capture Configuration mode
Interface capture object using triggers
CES#show capture test-filter-in
CES#capture test-trigger start
Tunnel capture object using a remote IP address
CES#show capture test-trigger Capture state Stopped by stop
Viewing a packet capture output file on a PC
Installing Ethereal software
Locate the Microsoft Windows row and click local archive
Click ethereal-setup-n.nn.n.exe
Saving, downloading, and viewing Pcap files
Viewing a Pcap file with Sniffer Pro
Global IP capture
Deleting capture objects and disabling packet capture
Click Tools Options Protocol Forcing
CES# no capture test-trigger
Packet capture NN46110-602
Snmp RFC support
Novell IPX MIB
Novell RIP-SAP MIB
RFC 1850-OSPF Version 2 Management Information Base
RFC 1213-Network Management of TCP/IP-Based Internets
RFC 1724-RIP Version 2 MIB Extension
RFC 2667-IP Tunnel MIB
RFC 2787-VRRP MIB
RFC 2737-Entity MIB
RFC 1573-IanaIfType MIB
RFC 2233-If MIB
RFC 2571-Snmp-Framework MIB
RFC2790-Host Resources MIB
RFC2495-DS1 MIB
RFC2863 Interface MIB 64 bit counters support
VPN Router MIB
Cestraps.mib-Nortel proprietary MIB
TRAP-TYPE
Variables
Newoak.mib
Hardware-related traps
Appendix a MIB support
Appendix a MIB support
Appendix a MIB support
Server-related traps
Appendix a MIB support
Login-related traps
Software-related traps
Intrusion-related traps
System-related traps
Information passed with every trap
Provides trap categories and explanations
Provides descriptions for the VPN Router traps
Appendix a MIB support VPN Router traps MIB descriptions
Appendix a MIB support VPN Router traps MIB descriptions
Attached
Failed
Please note that X corresponds to
Is not reachable and at least one
Appendix a MIB support
Appendix a MIB support VPN Router traps MIB descriptions
IfReasonForStatus-ces-reason for the change in status
Appendix a MIB support VPN Router traps MIB descriptions
That triggered this event
Appendix a MIB support VPN Router traps MIB descriptions
Appendix a MIB support VPN Router traps MIB descriptions
That triggered this event
Appendix B Using serial PPP
Establishing a serial PPP connection
Setting up a Dial-Up Networking connection
Double-click the Microsoft Dial-Up Networking icon
Setting up the modem
Setting up the VPN Router
Select System Settings
Appendix B Using serial PPP
Troubleshooting Serial PPP
Dialing in to the VPN Router
Cause
Actions
Action
PPP option settings
Appendix B Using serial PPP NN46110-602
Installed new CA certificate from file
Error removing CA certificate file
Certificate messages
TCert Shutdown complete
TCert X.509 certificates disabled in flash memory
TCert task creation failed
Isakmp messages
Isakmp 13 No proposal chosen in message from xxx a.b.c.d
Isakmp 13 Authentication failure in message from xxx a.b.c.d
Isakmp 13 xxx a.b.c.d has exceeded idle timeout-logging out
No response from client-logging out
Couldnt install route for remxxx@xxx
Branch office messages
SSL messages
Checking chain invalid parent cert
Checking chain invalid child cert
Child cert xxx not valid signature by xxx
Configuration file xxx does not exist
Database messages
No matching trusted CA certs
Failed to start
Ldif file could not restore
Security messages
Account xxxxxx uid xxx not found in account
AuthServer ldap inconsistent no server type in entry
Security store new system IP address xxx failed-xxx
Conn backlog reached, possible SYN attack
Security store new system name xxx failed-xxx
Error copying entry xxx to
Error copying subentries of xxx to
Error copying tree xxx to
Security store new system subnet mask xxx failed-xxx
Error deleting entry
Error deleting tree
SchemaCls Database schema not available
LocalAuthServer failed remove-xxx
Session xxx uid invalid-authentication failed
Session xxxxxx invalid uid-authentication failed
Xxx xxx being referenced by
Session xxxxxx session rejected-system is initializing
Session xxxxxxxxx xxx auth method not allowed
Session xxxxxxxxx AddLink failed xxx current links
Session xxxxxxxxx L2TP host xxx account misconfigured
Session xxxxxxxxx account is disabled
Session xxxxxxxxx IP address assignment failed
Session xxxxxxxxx account has max links
Session xxxxxxxxx account not allowed now
Session xxxxxxxxx authentication failed using
Session xxxxxxxxx connect Qos level xxx full
Session xxxxxxxxx login rejected new logins disabled
Disable logins after restart checkbox is selected
Session xxxxxxxxx no memory free xxx threshold
Session xxxxxxxxx only one session/static address allowed
Session xxxxxxxxx pool address xxx already in use
Session xxxxxxxxx session directed to use server
Session xxxxxxxxx static address xxx already in use
Session xxxxxxxxx system has max sessions
Radius no reply from server server-nameport number
Radius accounting messages
Radius server-name server timed out
Indicated packet length too large
Radius server-name server failed
Non-matching ID in server response
Unsupported response type number received from server
Received bad attribute type from server
Response OK
Radius user-name accounting record sent to server-name OK
Login failure due to Server network connection failure
Radius authentication messages
Radius no reply from Radius server server-nameport number
Radius server-name server timed out authenticating user-name
Non-matching id in server response
Radius server returned access challenge
Radius access challenge received
Radius server rejected access
Radius server-name sent challenge for user-name
Radius user-name access Denied by server server-name
Radius user-name access OK by server server-name
Ospf Disabled
Routing messages
Closing OSPF-RTM connection
Ospf Enabled
Opened OSPF-RTM connection
Can not accept x.x.x.x as router id
LoadOspfAreas Failed
LoadOspfIntf Failed
VR xxx Starting xxx as Master for
VR xxx Starting xxx as master delayed Backup for
VR xxx Starting xxx as Backup for
VR xxx Shutting down xxx on
Unable to get configuration for VR
RIP xxx RIP Enabled
RIP xxx RIP Disabled
RIP xxx Cant alloc main node
RIP xxx Circuit xxx deleted
RIP xxx Unable to register with UDP
RIP xxx setsockopt RIP socket xxx Sorcvbuf xxx failed
RIP xxx bind RIP socket xxx failed
RIP xxx Unable to spawn timer task xxx for RIP
RIP xxx cid xxx mismatched auth password from
Interface nnn not present, deleting from config
Interface nnn replaced, resetting config
Interface nnn replaced, deleting from config
HWAccel nnn not present, deleting from config
Appendix C System messages NN46110-602
Appendix D Configuring for interoperability
Configuring the Cisco 2514 router, Version
VPN Router and Cisco 2514 network topology NN46110-602
Following is a show config command
Configuring the VPN Router for Cisco interoperability
Appendix D Configuring for interoperability
Connecting to IRE SafeNET/Soft-PK Security Policy Client
Mask
10.42
Click Pre-Shared Key
SafeNet/Soft-PK Security Policy Editor dialog box appears
Configuring the VPN Router for IRE interoperability
Encapsulation Protocol ESP
SA Life Seconds and 3000 Seconds
Go to Profiles Networks and click Edit
Third-party client installation
Considerations for using third-party clients
Appendix D Configuring for interoperability
Configuring the VPN Router as a branch office tunnel
Configuring the VPN Router as a user tunnel
Set Perfect Forward Secrecy PFS to match the client side
To configure the VPN Router as a user tunnel
Configuring IPX
IPX client
IPX group configuration
Sample IPX VPN Router topology
Windows 95 and Windows
Windows NT
IPX topology Nortel VPN Router Troubleshooting
Appendix D Configuring for interoperability NN46110-602
Index
Index
Pptp
Wins
