Nortel NN46110-602 02.01 - Manuals

12 Preface NN46110-602 02.01 braces ({}) Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command.Example: If the command syntax is ldap-server source {external | internal} , you m...

Preface 13 Nortel VPN Router Troubleshooting — Server vertical line ( | ) Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command.Example: If the command syntax is terminal paging { off | on } , you enter either ter...

14 Preface NN46110-602 02.01 Related publications For more information about the Nortel VPN Router, see the following publications: • Release notes provide the latest information, including brief descriptions of the new features, problems fixed in this release, and known problems and workarounds. • ...

Preface 15 Nortel VPN Router Troubleshooting — Server Hard-copy technical manuals You can print selected technical manuals and release notes free, directly from the Internet. Go to www.nortelnetworks.com/documentation , find the product for which you need documentation, then locate the specific cate...

16 Preface NN46110-602 02.01 Help from the Nortel Web site The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: www.nortel.com/support This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel pr...

Preface 17 Nortel VPN Router Troubleshooting — Server Getting help through a Nortel distributor or reseller If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.

19 Nortel VPN Router Troubleshooting — Server New in this release The following sections detail what’s new in Nortel VPN Router Troubleshooting — Server (NN46110-602) for Release 8.0: • “Features” on page 19 • “Other changes” on page 21 Features See the following sections for information about featu...

New in this release 21 Nortel VPN Router Troubleshooting — Server Supported software and hardware This document includes a matrix of features by release. For more information, see “Supported software and hardware” on page 23 . Two factor authentication Release 8.0 includes two factor authentication ...

22 New in this release NN46110-602 02.01 • Simple Network Management Protocol (SNMP) • system shutdown • automatic backups • disabling new logons • PPP configuration and options The following topics are moved to Nortel VPN Router Troubleshooting — Client (NN46110-700): • Diagnosing client connectivi...

23 Nortel VPN Router Troubleshooting — Server Chapter 1Troubleshooting fundamentals This chapter provides basic information to assist in troubleshooting. This chapter includes the following topics: • “Supported software and hardware” on page 23 • “PCAP” on page 33 • “Hardware LEDs” on page 40 Suppor...

Chapter 1 Troubleshooting fundamentals 33 Nortel VPN Router Troubleshooting — Server PCAP The Packet Capture tool (PCAP) is a troubleshooting tool that you use, in conjunction with other tools such as statistics, logging, network analyzers, and testers, to remotely troubleshoot the VPN Router and ne...

34 Chapter 1 Troubleshooting fundamentals NN46110-602 02.01 PCAP initially occurs to the RAM buffer. A low priority task writes the RAM buffer to disk files, called the disk capture files. Although you can configure the maximum size of this file, PCAP can continue to write the captured data. You spe...

Chapter 1 Troubleshooting fundamentals 35 Nortel VPN Router Troubleshooting — Server • limit the traffic that the filters capture • automatically start and stop packet capture with triggers Security features Packet capture on the VPN Router provides the following features to enhance security: • Pack...

36 Chapter 1 Troubleshooting fundamentals NN46110-602 02.01 Capture types The VPN Router captures packets from the following sources: • physical interfaces, including the following — Asynchronous digital subscriber line (ADSL) or asynchronous transfer mode (ATM) — Fast Ethernet and Gigabit Ethernet,...

Chapter 1 Troubleshooting fundamentals 37 Nortel VPN Router Troubleshooting — Server The router encapsulates tunnel captures saved to disk with raw IP encapsulation. When you convert these files to file formats that do not support raw IP encapsulation (including Sniffer), you need Layer 2 encapsulat...

38 Chapter 1 Troubleshooting fundamentals NN46110-602 02.01 A global IP capture object captures packets starting from the IP header; the capture object does not save Layer 2 header information in the capture file. Because the router captures both encrypted and decrypted packets, global IP packet cap...

Chapter 1 Troubleshooting fundamentals 39 Nortel VPN Router Troubleshooting — Server • A stop trigger causes the system to stop saving traffic in the capture buffer after the system encounters a specific packet that matches the stop trigger. The packet capture object, however, does not fully stop. A...

40 Chapter 1 Troubleshooting fundamentals NN46110-602 02.01 You can display the same information by entering the command show status statistics resources memory . Performance considerations Running packet capture can affect VPN Router performance. You can run only one capture object at a time for a ...

Chapter 1 Troubleshooting fundamentals 41 Nortel VPN Router Troubleshooting — Server The following table identifies the LEDs on a VPN Router 600. If the Boot LED and the Ready LED light at the same time, the Nortel VPN Router 600 is in recovery mode. The following table identifies the LEDs on a VPN ...

42 Chapter 1 Troubleshooting fundamentals NN46110-602 02.01 The following table identifies the LEDs on a VPN Router 1600. The following table identifies the LEDs on a VPN Router 1700, 1740, and 1750. Table 4 Nortel VPN Router 1600 LEDs LED Condition Indicates Nortel logo Blue The power is on. Off Th...

51 Nortel VPN Router Troubleshooting — Server Chapter 2Troubleshooting tools The VPN Router supports standard IP tools such as ping, Traceroute, and Address Resolution Protocol (ARP) show and delete. You access these tools through the Admin , Tools window. You can also use special tools beyond the s...

52 Chapter 2 Troubleshooting tools NN46110-602 02.01 • IP address—the address to ping • 1–999—(Optional) the number of echo requests to return • 1–4048—(Optional) the size of the ping request packet • source address|source hostname—(Optional) the source address or hostname of the outgoing ping reque...

Chapter 2 Troubleshooting tools 53 Nortel VPN Router Troubleshooting — Server 2 Provide the necessary details in the Trace Route section. 3 Click Traceroute . mtrace The multicast traceroute (mtrace) tool is a multicast diagnostic tool that uses special Internet Group Management Protocol (IGMP) pack...

56 Chapter 2 Troubleshooting tools NN46110-602 02.01 The default number of maximum hops is 32. • resp-ttl—(Optional) time-to-live (TTL) to use for the multicast response on the response packet The default response TTL is 64. • verbose—(Optional) show additional statistics like the route that forward...

Chapter 2 Troubleshooting tools 57 Nortel VPN Router Troubleshooting — Server 3 Click ARP Delete . Client-based tools IPsec VPN Client Monitor provides network statistics on device, connection, and network errors that help monitor traffic flow and assess IPsec connection performance. Statistic count...

58 Chapter 2 Troubleshooting tools NN46110-602 02.01 1 Choose Admin , Administrator . The Administrator window appears. 2 In the FTP Coredump section, select Enabled . 3 In the Host box, type the FTP server IP address. 4 In the Path box, type the directory path where you want to save the core dump f...

Chapter 2 Troubleshooting tools 59 Nortel VPN Router Troubleshooting — Server 5 On the PC, start HyperTerminal or another terminal emulation program, and then press Enter . The Welcome window appears. Welcome to the VPN Router Copyright (c) 2007 Nortel Networks Ltd. Version: V04_90.185 Creation date...

60 Chapter 2 Troubleshooting tools NN46110-602 02.01 The User EXEC prompt appears: CES> 8 Enter Privileged EXEC mode. CES> enable Password:***** 9 Enable packet capture globally on the VPN Router and create the capture password. Use this password to open capture files with the openpcap utility...

Chapter 2 Troubleshooting tools 61 Nortel VPN Router Troubleshooting — Server Capturing packets to disk file To configure PCAP, you must first enter CLI Capture Configuration mode. For more information about CLI Capture Configuration mode, see Nortel VPN Router Using the Command Line Interface (NN46...

62 Chapter 2 Troubleshooting tools NN46110-602 02.01 where size is the size of the RAM buffer. For example, enter CES(capture-ethernet) #buffersize 1048576 Setting the size of a disk capture file To configure the size of the disk capture file, from CLI Capture Configuration mode enter the following ...

Chapter 2 Troubleshooting tools 63 Nortel VPN Router Troubleshooting — Server or No capture-all For example, enter CES(capture-ethernet) #capture-all Configure and run packet capture objects This section provides instructions to create, configure, start, and stop capture objects, as well as instruct...

64 Chapter 2 Troubleshooting tools NN46110-602 02.01 In the following example, you create a capture object called test_ethernet1 that captures traffic on Ethernet interface 1/2. CES# capture add test_ethernet1 FastEthernet 1/2 CES# In the following example, you create a capture object called test_tu...

Chapter 2 Troubleshooting tools 65 Nortel VPN Router Troubleshooting — Server 2 Display all parameters that you can configure for that type of capture object. CES(capture-ethernet)# ? Packet capture mode direction Captures in one direction exit Exits capture mode filter Applies interface traffic fil...

66 Chapter 2 Troubleshooting tools NN46110-602 02.01 Tunnel capture parameters Capture objects for tunnels use several unique parameters. The following example creates a tunnel object called bot1 , navigates to Capture Configuration mode, and displays the commands for tunnel objects. The bold comman...

Chapter 2 Troubleshooting tools 67 Nortel VPN Router Troubleshooting — Server Global IP parameters The configurable parameters for the global IP capture object are the same as the parameters available for physical interface objects. The following example creates a global capture object called rawip ...

68 Chapter 2 Troubleshooting tools NN46110-602 02.01 In the following example, the show capture command is run with no object name to display a list of all the capture objects configured on the VPN Router. CES# show capture Name Type Size Buffer use Count State bot1 TUNNEL 1048576 0% 0 EMPTY ether0 ...

Chapter 2 Troubleshooting tools 69 Nortel VPN Router Troubleshooting — Server Sample packet capture configurations This section provides sample configurations and the commands used to create them. Interface capture object using a filter and direction In the following example, you configure a capture...

70 Chapter 2 Troubleshooting tools NN46110-602 02.01 To view the status of the running capture object, as well as its configuration, use the show capture command. In this example, the buffer captures 20 frames. CES# show capture test-filter-in Capture state: RUNNING Capture buffer size: 1048576 Capt...

72 Chapter 2 Troubleshooting tools NN46110-602 02.01 CES# show capture test-trigger Capture state: RUNNING Capture buffer size: 1048576 Capture type: ETHERNET Capturing on interface: FastEthernet 0/1 Promiscuous mode is: DISABLED Capturing MAX octets per frame: 4096 Captured frames: 107 Capture buff...

Chapter 2 Troubleshooting tools 73 Nortel VPN Router Troubleshooting — Server To stop the capture object and save the buffer contents to a file called test4.cap , enter the following commands: CES# capture test-trigger stop CES# capture test-trigger save test4.cap Saving capture test-trigger to file...

74 Chapter 2 Troubleshooting tools NN46110-602 02.01 View a packet capture output file on a PC After you save a capture buffer to a file on the VPN Router disk, download the file to a workstation, and analyze the contents offline using one of many available tools. The VPN Router does not provide uti...

Chapter 2 Troubleshooting tools 75 Nortel VPN Router Troubleshooting — Server 3 On the VPN Router, stop the packet capture object and save the output to a file, for example CES# capture ethernet1 stop CES# capture ethernet1 save ethernet.cap Saving capture ethernet to file /ide0/ethernet.cap please ...

76 Chapter 2 Troubleshooting tools NN46110-602 02.01 1 Install Ethereal software (for more information, see “Installing Ethereal software” on page 74 ). 2 Save the packet capture file and download it to the PC as described in steps 1 to 6 of “Saving, downloading, and viewing PCAP files” on page 74 ....

Chapter 2 Troubleshooting tools 77 Nortel VPN Router Troubleshooting — Server Deleting capture objects and disabling packet capture After you no longer need a capture object, delete it to free memory. You can also disable packet capture globally to remove all configured capture objects, and free the...

78 Chapter 2 Troubleshooting tools NN46110-602 02.01 TunnelGuard tools You can use several sources of information when you initially configure or troubleshoot TunnelGuard. TunnelGuard places an icon in the system tray. If a status message exists because a Software Requirement Set (SRS) check failed,...

Chapter 2 Troubleshooting tools 79 Nortel VPN Router Troubleshooting — Server Other tools Table 12 “Troubleshooting tools” on page 79 lists the tools that you can use to diagnose connectivity problems from Windows NT, Windows 2000, and Windows XP workstations. System configuration Use the Admin , Co...

81 Nortel VPN Router Troubleshooting — Server Chapter 3Status and logging The Status windows show which users log on, their traffic demands, and a summary of the VPN Router hardware configuration, including available memory and disk space. This chapter includes the following topics: • “Introduction”...

82 Chapter 3 Status and logging NN46110-602 02.01 The event log captures real-time logging over a relatively short period of time (for example, the event log can wrap 2000 possible entries in minutes). The system log captures data over a longer period of time, up to 61 days. Most events log to the e...

Chapter 3 Status and logging 83 Nortel VPN Router Troubleshooting — Server At midnight (12:00 a.m.), the data collection task performs summary calculations and rewrites history files, along with other management and cleanup functions. To perform this task, leave the VPN Router running overnight. The...

84 Chapter 3 Status and logging NN46110-602 02.01 In normal operation and routine troubleshooting, you need not examine many of these windows. Some of the information, such as routing information, is also available through other areas, such as System , Routing. Accounting The accounting log provides...

Chapter 3 Status and logging 85 Nortel VPN Router Troubleshooting — Server The data collection system stores records in text-based files stored in the system/dclog subdirectory. The system stores the most recent 60 days of data. The system stores daily files, summary files, and summary history files...

86 Chapter 3 Status and logging NN46110-602 02.01 • Summary file, summary.dc, with exactly five records that contain summary data. These values give historical graphs and reports about specific values. • Summary history file that contains records representing cumulative daily data for the most recen...

Chapter 3 Status and logging 87 Nortel VPN Router Troubleshooting — Server Logs The VPN Router uses several logs that provide different levels of information. The router stores the logs in text files, and the logs indicate what happened, when the event occurred, and the IP address and user ID of the...

Chapter 3 Status and logging 89 Nortel VPN Router Troubleshooting — Server 17 Click Refresh to display new log entries. 18 Click Reverse Chronological Order to log in reverse chronological order. System log The system log contains all system events that are significant enough to write to disk, inclu...

90 Chapter 3 Status and logging NN46110-602 02.01 • encryption, authentication, or compression • hours of access • number of session violations • communications with servers • LDAP • Remote Authentication Dial-In User Service (RADIUS) Configuration log The Configuration log records all configuration...

92 Chapter 4 Emergency recovery NN46110-602 02.01 Accessing the diskette drive If the VPN Router has a front cover, you must remove it to gain access to the diskette drive. For more information about how to remove the front cover, see the installation guide. Starting the VPN Router with the recovery...

Chapter 4 Emergency recovery 93 Nortel VPN Router Troubleshooting — Server Starting from a recovery diskette Start the router from a recovery diskette to restore the software image and file system to the hard drive of the VPN Router. 1 Remove the front cover. 2 Insert the recovery diskette into the ...

94 Chapter 4 Emergency recovery NN46110-602 02.01 Restoring factory defaults or a backup configuration Restore the factory default configuration if you lose the administrator password. 1 Start with the recovery diskette. 2 To restore the factory default configuration or the backup configuration, sel...

Chapter 4 Emergency recovery 95 Nortel VPN Router Troubleshooting — Server You can use the serial number to differentiate backup configurations from multiple VPN Routers that save on the same backup server. The serial number uniquely identifies the backup data of each router. If you did not configur...

Chapter 4 Emergency recovery 97 Nortel VPN Router Troubleshooting — Server Navigating the file system from the recovery diskette Use the File System Maintenance screen to navigate through the switch file system. The top level lists the devices (drives) and lists the directories beneath a drive. Use ...

98 Chapter 4 Emergency recovery NN46110-602 02.01 The unit is upgraded to the latest 8.0 build, configurations are preserved and the upgrade is successful. 3 You must again save the LDAP and config files on this new software version as you cannot restore the LDAP and config files from a previous ver...

99 Nortel VPN Router Troubleshooting — Server Chapter 5Troubleshooting This chapter introduces the concepts and practices of advanced network configuration and troubleshooting for the Nortel VPN Router. Use this chapter when you establish or modify the extranet, and when you diagnose network problem...

100 Chapter 5 Troubleshooting NN46110-602 02.01 Troubleshooting remote access problems typically starts at the client end when the remote user cannot establish a connection, loses a connection, cannot browse the network, or print. When connectivity problems occur and the source of the problem is unk...

Chapter 5 Troubleshooting 101 Nortel VPN Router Troubleshooting — Server Problems with name resolution using DNS services “I logged into my corporate network, but I get messages saying the host is unknown.” “I can ping the host using its IP address, but not using its host name.” Network browsing pro...

102 Chapter 5 Troubleshooting NN46110-602 02.01 Serial PPP problems You use Serial Point-to-Point Protocol (PPP) to manage the VPN Router from a remote location using PPP and the serial interface. If the VPN Router becomes unreachable over the Internet, you can still dial up and manage it through th...

Chapter 5 Troubleshooting 103 Nortel VPN Router Troubleshooting — Server To manage the VPN Router, disconnect the dial-up connection and try to reestablish it. This gives the modem a chance to renegotiate the baud rate with the VPN Router. Cause: You configure the port to use PPP but you want to use...

104 Chapter 5 Troubleshooting NN46110-602 02.01 SFTP connection problems If you cannot connect to the VPN Router using the SFTP, ensure that SSH works properly. In Global Configuration mode, view the SSH from CLI using the show ssh-server state command or from the GUI by choosing Servers, SSH. Resta...

Chapter 5 Troubleshooting 105 Nortel VPN Router Troubleshooting — Server Action: Open a command prompt and ping the host with a fully qualified host name (for example, www.nortel.com). If you receive a response, verify that the IP address returned on the first line (for example, www.nortel.com [207....

106 Chapter 5 Troubleshooting NN46110-602 02.01 Cannot access network shares after establishing an extranet access connection Cause: A Windows Internet Name Service (WINS) server is not configured for PPTP or IPsec connections on the VPN Router. Action: Verify that the Nortel VPN Client uses a WINS ...

Chapter 5 Troubleshooting 107 Nortel VPN Router Troubleshooting — Server Diagnosing WAN link problems WAN link problems can occur between the VPN Router and the public data network (PDN) at three levels: 1 T1/V.35 interface 2 HDLC framing 3 PPP layer If a connectivity problem occurs with the WAN lin...

108 Chapter 5 Troubleshooting NN46110-602 02.01 CSU/DSU is configured to use internal clocking, and that NRZ is encoded with CCITT CRC for the checksum. 3 Make sure that all the control signals assert (CTS, DCD, DSR, RTS, and DTR). You can check these signals on the VPN Router from the Manager WAN S...

Chapter 5 Troubleshooting 109 Nortel VPN Router Troubleshooting — Server 1 Check whether the state of the PPP connection changes by periodically clicking Refresh while you view the WAN statistics window. If the state is always Down, PPP does not know that the link is up. If the state toggles between...

110 Chapter 5 Troubleshooting NN46110-602 02.01 • Adjust the modem speed—If the speed of the modem is too high, it can cause hardware overruns. Reset the modem speed to match the real speed of the modem. • Disable hardware compression—The data passed through the extranet connection is encrypted, and...

Chapter 5 Troubleshooting 111 Nortel VPN Router Troubleshooting — Server What do I need to configure on the PPTP or IPsec client? The client needs the protocols for NetBIOS and TCP/IP configured. NetBEUI is not normally configured. Configure a Windows 2000 or Windows XP or Vista client so that it ex...

112 Chapter 5 Troubleshooting NN46110-602 02.01 What WINS settings does Nortel recommend? Use the Start menu , Programs , Administrator Tools to configure the WINS settings on the WINS server. The values for a WINS server are • Server Configuration • Renewal Interval: 41 minutes • Extinction Interva...

Chapter 5 Troubleshooting 113 Nortel VPN Router Troubleshooting — Server What can I try on the WINS server if it does not work? You can request a cleanup of the WINS server database by choosing Mappings, Initiate Scavenging. If the database becomes very large, you can compact it by using the jetpack...

114 Chapter 5 Troubleshooting NN46110-602 02.01 The registry parameter IsDomainMasterBrowser impacts which servers become master browsers and backup browsers. The registry path for this parameter is \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Browse r\ Parameters. Setting the IsDomainMaste...

Chapter 5 Troubleshooting 115 Nortel VPN Router Troubleshooting — Server If all hosts that the client tries to reach lie on the same physical segment, the contact fails. This failure is because every host on the physical network receives all the subnets broadcast and probably responds, if appropriat...

116 Chapter 5 Troubleshooting NN46110-602 02.01 The outcome is somewhat different for IPsec and PPTP. For IPsec, the client recognizes this incorrect behavior and refuses to even send the packets. You can see a counter of the number of invalid packets of this type on the client under the status Inva...

Chapter 5 Troubleshooting 117 Nortel VPN Router Troubleshooting — Server Where can I get more information about configuring PPTP on my client? Many articles exist in the Microsoft Knowledge Base about how to configure PPTP for Windows NT, Windows 2000, and Windows XP. For more information, see “Addi...

118 Chapter 5 Troubleshooting NN46110-602 02.01 For Windows 2000 or XP, and Windows NT, after a host name translates to an IP address (for example, to browse the Web or use e-mail), the host queries all DNS servers. The first server to respond with an IP address provides the information to the host....

Chapter 5 Troubleshooting 119 Nortel VPN Router Troubleshooting — Server Action: You can wait for the socket to time out, but it is often more expedient to reboot. On Windows NT a similar problem occurs, but the cause is a TCP checksum error generated by the Microsoft IP stack. The only current reso...

120 Chapter 5 Troubleshooting NN46110-602 02.01 • “Reporting a problem with a Web browser” on page 124 • “System problems” on page 124 • “Solving routing problems” on page 126 • “Solving firewall problems” on page 129 • “Diagnosing LDAP problems” on page 132 Web browser problems and the Nortel VPN C...

Chapter 5 Troubleshooting 121 Nortel VPN Router Troubleshooting — Server • Run ActiveX scripts—If you disable this option, navigational titles do not update, and the Logoff and Help buttons do not work. • Enable Java programs—If you disable this option, navigational menus do not appear. Verify that ...

122 Chapter 5 Troubleshooting NN46110-602 02.01 can clear the browser cache, which causes the browser to request all windows the next time you try to access them. To manually clear the browser cache in Internet Explorer V4.x, select Tools , Internet Options , and then click Delete Files . To manuall...

Chapter 5 Troubleshooting 123 Nortel VPN Router Troubleshooting — Server New administrator logon ignored Cause: Internet Explorer saves the user ID and password in its cache and automatically resends those values on subsequent logon attempts. Therefore, after an idle timeout, the browser ignores the...

124 Chapter 5 Troubleshooting NN46110-602 02.01 Action: To avoid this situation, increase the color display setting to 256 or greater. Check with the video card manufacturer documentation to confirm that the video card supports 256 colors or greater. Reporting a problem with a Web browser When you r...

Chapter 5 Troubleshooting 125 Nortel VPN Router Troubleshooting — Server Cannot convert from an internal address pool to an external DHCP server Cause: You cannot convert IP address distribution from an internal address pool to an external DHCP server while sessions are active. Action: Select Admin,...

126 Chapter 5 Troubleshooting NN46110-602 02.01 Solving routing problems The following sections describe routing problems. The number of current Utunnel host users can display more than the configured maximum. Cause: This message is not an error and indicates the running state of the system. For exa...

Chapter 5 Troubleshooting 127 Nortel VPN Router Troubleshooting — Server The routing table cannot be altered after the Extranet Connection has been established.... The Extranet Connection has been Closed Cause: This error message appears on the client machine after the routing table changes on the c...

128 Chapter 5 Troubleshooting NN46110-602 02.01 If you cannot determine the cause for the routing update, consider using mandatory tunneling for the users with problems; avoid using split tunneling for these users. If none of these methods solve the problem, contact Global Nortel Technical Support (...

Chapter 5 Troubleshooting 129 Nortel VPN Router Troubleshooting — Server Action: The VPN Router posts the alert No downstream interface is up to the Status, Health Check window. IGMP needs exactly one downstream interface with IGMP enabled. Try to bring the downstream interface back online. If no do...

130 Chapter 5 Troubleshooting NN46110-602 02.01 3 Check that the connection to the VPN Router established. 4 Restart the browser and browse to the Services, Firewall/NAT window. 5 Reload the Stateful Firewall Manager . Authorization failed. Please try again. Cause: This error occurs after you provid...

Chapter 5 Troubleshooting 131 Nortel VPN Router Troubleshooting — Server • The port or IP address of the external LDAP server changes. Action: To ensure that the most current data is loaded, perform the following activities: 1 Close the current policy, if opened. You cannot save until you fix this e...

132 Chapter 5 Troubleshooting NN46110-602 02.01 7 Restart the browser and browse to the Services , Firewall/NAT window. 8 Reload the Stateful Firewall Manager . Diagnosing LDAP problems Use the event log and traffic captures to troubleshoot problems that can arise when you configure the VPN Router t...

136 Troubleshooting system messages NN46110-602 02.01 Certificate messages Error removing CA certificate file: xxx Description: Nortel manufactures VPN Router with a trusted certificate authority (CA) certificate for use by Secure Sockets Layer (SSL). The first time that you start the router, it rem...

Troubleshooting system messages 137 Nortel VPN Router Troubleshooting — Server tCert: X.509 certificates disabled in flash memory Description: This message is an informational message that indicates the use of X.509 certificates by the VPN Router is disabled. Action: No action required. Warning: Sys...

142 Troubleshooting system messages NN46110-602 02.01 Diffie-Hellman group mismatch for a.b.c.d—terminating connection attempt Description: This message indicates a mismatch in the Diffie-Hellman configuration. Action: Configure the Diffie-Hellman group profiles (Profiles, Branch Office, Group Confi...

Troubleshooting system messages 143 Nortel VPN Router Troubleshooting — Server Unable to send ESPUDP data, destination UDP port unknown— packet dropped Description: The destination User Datagram Protocol (UDP) port is 0; therefore the router drops the Encapsulating Security Payload (ESP) packet. Act...

144 Troubleshooting system messages NN46110-602 02.01 Action: No action is required. Secondary authentication failed for session %s[%.*s]:%d Description: The secondary authentication for the branch office tunnel fails. The user name and password you configure locally or externally for two factor aut...

Troubleshooting system messages 145 Nortel VPN Router Troubleshooting — Server NAT NOT detected. Local address a.b.c.d:x, remote address a.b.c.d:x Description: The router does not detect NAT between the peers. Action: No action is required. NAT detected. Local address a.b.c.d:x, remote address a.b.c...

146 Troubleshooting system messages NN46110-602 02.01 Action: Verify the user name and password. SSL messages Checking chain: invalid parent cert, xxx Description: The certificate in the chain is not valid. This message indicates that the certificate installed at the external LDAP server expired or ...

Troubleshooting system messages 147 Nortel VPN Router Troubleshooting — Server No matching trusted CA certs Description: None of the certificates in the chain are trusted CA certificates. This message appears if you did not install the CA certificate or if it is not marked as trusted on the VPN Rout...

148 Troubleshooting system messages NN46110-602 02.01 LDIF file: xxx could not back up Description: The internal LDAP server database cannot back up to the specified LDIF file. This error can occur if the name of the LDIF file is not in 8.3 format. Action: Make sure the backup file uses an 8.3 file ...

152 Troubleshooting system messages NN46110-602 02.01 SchemaCls: Database schema not available Description: The external LDAP server does not support a schema entry so it is not possible to update the schema over the network. This error occurs if the external LDAP server does not support the cn=sche...

Troubleshooting system messages 153 Nortel VPN Router Troubleshooting — Server Action: Wait to make sure that the VPN Router initializes, and then try again. Session: xxx[xxx] session rejected—system is shutting down Description: The VPN Router rejected an incoming request because it is shutting dow...

154 Troubleshooting system messages NN46110-602 02.01 • The call admission priority slot is full. • The call admission priority slot is outside of access hours. • The maximum links configured for the group is reached. Action: Verify the correct settings for each of the possible causes. Session: xxx[...

156 Troubleshooting system messages NN46110-602 02.01 Session: xxx[xxx] : xxx connect Qos level xxx full Description: No more slots are available for the call admission priority of the session. This indicates that the configured Call Admission Priority for the group to which the request is assigned ...

Troubleshooting system messages 159 Nortel VPN Router Troubleshooting — Server tEvtLgMgr 0 : Security [12] Session 15fc2c68: IPSEC[u440875]:90024 sib 0 logged out Description: This message shows that the session is removed from the account collection. For example, every branch office uses a session ...

160 Troubleshooting system messages NN46110-602 02.01 RADIUS: < server-name > server timed out Description: This message indicates a connection failure. The connection timed out while waiting for a response. Action: Verify the following information: • RADIUS server IP address and port number •...

Troubleshooting system messages 161 Nortel VPN Router Troubleshooting — Server RADIUS: failure sending < user-name > accounting record to < server-name > Description: This message indicates that the router receives an invalid response. The length of the response packet is not equal to th...

162 Troubleshooting system messages NN46110-602 02.01 RADIUS: < user-name > accounting record sent to < server-name > OK Description: This message indicates that the router receives a valid response. Action: No action necessary. RADIUS authentication messages RADIUS: Cannot send request ...

Troubleshooting system messages 163 Nortel VPN Router Troubleshooting — Server RADIUS: no reply from RADIUS server < server-name >(< port number >) Description: This message indicates a connection failure. The connection timed out while waiting for a response. Action: Verify the followin...

166 Troubleshooting system messages NN46110-602 02.01 RADIUS access challenge received Description: The Nortel VPN Client receives this message. The client receives a valid access-challenge response. Action: No action required. RADIUS server rejected access Description: This message indicates that t...

Troubleshooting system messages 167 Nortel VPN Router Troubleshooting — Server Routing messages Unable to create xxx for OSPF Description: The VPN Router cannot create the necessary components to initialize OSPF. This happens if the VPN Router runs out of free memory. Action: Choose Routing, OSPF. D...

168 Troubleshooting system messages NN46110-602 02.01 OSPF Enabled Description: The administrator enabled OSPF from the Routing , OSPF window. Action: No action required. Ospf_Global.State changed from DISABLED to Enabled by user 'admin' @ a.b.c.d Description: The administrator disabled OSPF from th...

Troubleshooting system messages 173 Nortel VPN Router Troubleshooting — Server IP Redirector [11] FEM DynRoutingAddrReg: ip a.b.c.d mask x.x.x.x deleting old rt 0x35d4ca84 flags 0x500003 pr 13 prio 4 Description: The routing table includes a route, for example route a.b.c.d , obtained through route ...

174 Troubleshooting system messages NN46110-602 02.01 RSVP [06] AddRsvpSource for dst 0xa78327c2, srcport 0 rate 3500 bkt 3000 Description: This message is an informational message. The address is modified to appear in IP form. Action: No action is required. PPP messages Ppp0x04ade338 [06] SimpleDeF...

Troubleshooting system messages 175 Nortel VPN Router Troubleshooting — Server 582256 10/07/2007 19:37:17 (Ppp0x04d45) INFO IO WANPPP Code 44 packetLogArea Note: The above event repeated xx time(s) Description: This message is an informational message that indicates that a PPP control packet was tra...

176 Troubleshooting system messages NN46110-602 02.01 Action: No action required. HWAccel [ nnn ] not present, deleting from config Description: This indicates the configuration file contains a HWAccel [nnn] entry, but no hardware accelerator exists in the slot. The HWAccel [nnn] entry is deleted fr...

Troubleshooting system messages 177 Nortel VPN Router Troubleshooting — Server Action: Physically verify that the number of accelerators in the system matches the number in this message. If the numbers do not match, contact GNTS. Hw Accel unit [03] ppDatap = 0 0x934ec2 npbufStart =0x934d60, getRsltE...

178 Troubleshooting system messages NN46110-602 02.01 Action: Select a server certificate for HTTPS authentication from Services, SSL TLS. DNS messages DNS_PROXY [14] Listener: new datagram Description: This message indicates a DNS Proxy datagram was destined for a private interface address. Prior t...

179 Nortel VPN Router Troubleshooting — Server Appendix AMIB support The VPN Router supports the management information base (MIB) for use with network management protocols in TCP/IP (Transmission Control Protocol over IP)-based Internets and TCP/IPX-based networks. The VPN Router supports SNMP (Sim...

180 Appendix A MIB support NN46110-602 02.01 RFC 1213—Network Management of TCP/IP-Based Internets MIB The VPN Router supports RFC 1213, Management Information Base for Network Management of TCP/IP-based Internets: MIB II . This RFC provides the architecture and system for managing TCP/IP-based inte...

Appendix A MIB support 181 Nortel VPN Router Troubleshooting — Server RFC 1850—OSPF Version 2 Management Information Base The VPN Router supports RFC 1850, OSPF Version 2 Management Information Base . As stated in the introduction to the RFC, the RFC “defines a portion of the Management Information ...

182 Appendix A MIB support NN46110-602 02.01 RFC 2737—Entity MIB This MIB contains five tables two of which are partially implemented. *entPhysicalTable entLogicalTable entLPMappingTable *entAliasMappingTable entPhysicalContainsTable The entPhysicalTable provides a list of the hardware elements that...

Appendix A MIB support 183 Nortel VPN Router Troubleshooting — Server RFC2790—Host Resources MIB The Host Resources MIB defines a uniform set of objects for the managing host computers. Host computers are independent of the operating system, network services, or software application. The Host Resour...

184 Appendix A MIB support NN46110-602 02.01 hrSWRunPerf • hrSWRunTable — hrSWRunIndex — hrSWRunName — hrSWRunType — hrSWRunStatus — hrSWRunPriority • hrSWRunPerfTable — hrSWRunPerfCPU RFC 2863—Interface MIB (64 bit counters support) The interface table adds support for the following entries: ifHCIn...

Appendix A MIB support 185 Nortel VPN Router Troubleshooting — Server sends five pings. One ping is sent by itself so that if the device you ping is the other end of a branch office tunnel, it ensures that the tunnel is brought up before trying to send pings through the tunnel. This ping is not coun...

186 Appendix A MIB support NN46110-602 02.01 cestraps.mib—Nortel proprietary MIB This section lists the contents of the cestraps.mib, the Nortel MIB for the VPN Router. -- Trap #5005 --------------------------------- -- Each Trap contains the Trap OID as well as the following OIDs: -- SeverityLevel ...

188 Appendix A MIB support NN46110-602 02.01 newoak.mib This section provides the contents of the newoak.mib, which defines the newoak enterprise ID, the contivity object identifier, and the sysObjectIDs for each VPN Router model. -- This MIB module uses the extended OBJECT-TYPE macro as -- defined ...

190 Appendix A MIB support NN46110-602 02.01 Hardware-related traps hardwareTrapInfo OBJECT IDENTIFIER ::= {ContivitySnmpTraps 1} -- Trap #1001 hardDisk1Status OBJECT-TYPE SYNTAX DisplayString ACCESS read-only STATUS mandatory DESCRIPTION "Hard Disk Number 1 Status." ::= {hardwareTrapInfo 1}...

196 Appendix A MIB support NN46110-602 02.01 SYNTAX DisplayString ACCESS read-only STATUS mandatory DESCRIPTION "Status of Certificates Validity." ::= {serverCESTrapInfo 11} Software-related traps softwareTrapInfo OBJECT IDENTIFIER ::= {ContivitySnmpTraps 3} -- Trap #5001 NetBuffers OBJECT-T...

Appendix A MIB support 197 Nortel VPN Router Troubleshooting — Server Intrusion-related traps intrusionTrapInfo OBJECT IDENTIFIER ::= {ContivitySnmpTraps 5} -- Trap #201 securityIntrusion OBJECT-TYPE SYNTAX DisplayString ACCESS read-only STATUS mandatory DESCRIPTION "Login Security Intrusion....

198 Appendix A MIB support NN46110-602 02.01 Information passed with every trap SeverityLevel OBJECT-TYPE SYNTAX INTEGER { fatal(1), major(2), minor(3), informational(4), insignificant(5), reversal(6) } ACCESS read-only STATUS mandatory DESCRIPTION "Severity of specific trap." ::= {Contivity...

Appendix A MIB support 199 Nortel VPN Router Troubleshooting — Server Table 15 “Trap categories” on page 199 provides trap categories. Table 15 Trap categories Hardware 1.3.6.1.4.1.2505.1.1.0.1001 hardDisk1StatusTrap 1.3.6.1.4.1.2505.1.1.0.1002 hardDisk0StatusTrap 1.3.6.1.4.1.2505.1.1.0.1003 memoryU...

Nortel VPN Router Troubleshooting — Server 221 Index A accounting data 86records 84, 85 accounting log 84 active sessions 124 ActiveX Scripts 120 B background images 123 branch office error messages 143 browser error messages 122 browsing delays 121 C certificate error messages 136 cestraps.mib 186 ...