Nortel 3050 Troubleshooting Manual

VPN gateway
Nortel VPN Gateway

Troubleshooting Guide

Release: 7.0
Document Revision: 01.01
www.nortel.com
NN46120-700
324371-A

Summary of Contents for Nortel 3050

  • Page 1: Troubleshooting Guide

    Nortel VPN Gateway Troubleshooting Guide Release: 7.0 Document Revision: 01.01 www.nortel.com NN46120-700 324371-A...
  • Page 2 Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks. Export: This product, software and related technology is subject to U.S.
  • Page 3: Table Of Contents

    Resetting default configuration 18; Troubleshooting Net Direct 18; Troubleshooting TunnelGuard 19; Recovering using boot.img 20; Upgrading code using .pkg 21; Troubleshooting authentication tasks: Navigation 25. Copyright © 2007 Nortel Networks. Nortel VPN Gateway Troubleshooting Guide NN46120-700 01.01 Standard 12 October 2007...
  • Page 4 Gathering critical information 55; Getting help from the Nortel Web site 56; Getting help over the phone from a Nortel Solutions Center 56; Getting help from a specialist by using an Express Routing Code 57; Getting help through a Nortel distributor or reseller 57; Glossary...
  • Page 5: New In This Release

    New in this release Nortel VPN Gateway Troubleshooting Guide (Part number 324371-A, NN46120-700) is a new document for Nortel VPN Gateway Release 7.0. Some of the contents in this document originally appeared in the following sources: • Application Guide for SSL Acceleration (Part number 216370-D, NN46120-100) •...
  • Page 7: Introduction

    Each tool is described by purpose, usage procedures, and how to interpret the output. Prerequisites: Nortel recommends that you use one or more of the following commercially available troubleshooting tools as well as the tools described in this document. •...
  • Page 8: Acronyms

    • “Reference to third party Application Guides” (page 53) • “Contact Nortel technical support” (page 55) • “Glossary” (page 59). Acronyms: Table 1 "Acronyms" (page 8) lists the acronyms used in this guide. Table 1 Acronyms: BootP, LDAP, NTLM.
  • Page 9: Troubleshooting Fundamentals

    “Dumping the log files to another server” (page 13) explains how to view the ssl.log files. Table 2 "Interpreting SSL acceleration log files" (page 10) gives information about log file messages and their descriptions.
  • Page 10: Log Files

    Enabling proxydebug uses more CPU resources. Make sure to disable it after you finish debugging. Transmit the event log from the Nortel VPN Gateway to a file on a TFTP, FTP, or SFTP server. Specify the IP address or host name of the server as well as the file name.
  • Page 11: Traffic Generators

    <receiving host IP>(<port number>) <connection number> <start timestamp> (<previous record timestamp>) S>C <record type> FIN
    Description: This log provides information on the CLI engine and is used by engineering to debug issues while in development.
  • Page 12: NVG Hardware

    Hard-disk drive activity LED; System power LED. ATTENTION: Call Nortel for RMA if the amber System status LED cannot be cleared. Virtual IP addresses: In instances where virtual IP addresses are used without an external load balancer, ensure that the affected services are set to standalone mode.
  • Page 13: Global Troubleshooting Tasks

    If using FTP, enter the user name and password. Use a newer version of WinZip to unpack the file on the target server.
  • Page 14: Displaying The Audit Trails

    From the command line, enter this command to view the SSL traffic dump: /cfg/vpn # /server/trace/ssldump. Viewing TCP traffic generators: This section explains the steps to view TCP traffic generators. Procedure steps...
  • Page 15 Action: From the command line, enter this command to view the TCP traffic dump: /cfg/vpn # /server/trace/tcpdump
  • Page 17: Feature-Specific Troubleshooting Tasks

    NVG 7.0 supports strong ciphers by default. Some older legacy products, for example the NAS 2424, interact with weak ciphers. Change the CIPHER string to ALL@STRONG if the problem occurred after the 7.0 upgrade.
  • Page 18: SSL Acceleration Troubleshooting Tools

    /stats/sslstats/server # (# is the host number associated with the current SSL acceleration service). Resetting default configuration: To remove all configuration settings from the Nortel VPN Gateway, use the /boot/delete command. This command resets the system to the default settings. Procedure steps: Action: From the command line, enter this command.
  • Page 19: Troubleshooting TunnelGuard

    Add agent.lcf to the <TG-Install-Dir>\resources directory. Reboot the system. Collect TunnelGuard logs from the <TG-Install-Dir>\log directory. ATTENTION: The default path to access TG-Install-Dir is C:\Program Files\Nortel Networks\TunnelGuard\. Attach these logs to the CR. For all users, attach Profiles.ini from the %ALLUSERSPROFILE%\Application Data\Nortel\TunnelGuard directory.
  • Page 20: Recovering Using Boot.img

    Recovering using boot.img: When you log in as the boot user and perform a reinstallation of the software, the VPN Gateway is reset to its factory default configuration. All configuration data and current software are wiped out, including old software image versions or upgrade packages that may be stored on the flash memory card or on the hard disk.
  • Page 21: Upgrading Code Using .pkg

    Upgrading code using .pkg: The Nortel VPN Gateway (NVG) software image is the executable code running on the VPN Gateway. A version of the image ships with the VPN Gateway, and comes pre-installed on the device. As new versions of the image are released, you can upgrade the software running on your VPN Gateway.
  • Page 22 DNS parameters must have been configured. • The name of the software upgrade package (upgrade packages are identified by the .pkg file name extension). When you have gained access to the VPN Gateway, use the following procedure. Procedure steps: Step/Action: To download the software upgrade package, enter the following command at the Main menu prompt.
  • Page 23 If you are using anonymous mode when downloading the software package from an FTP server, the following string is used as the password (for logging purposes): admin@hostname/IP.isd.
  • Page 25: Troubleshooting Authentication Tasks

    The IAS checks the Active Directory to validate a username/password when a RADIUS authentication request arrives from the SSL VPN gateway. Further, it returns an attribute in the RADIUS authentication response that will map the user to the correct group/groups in the SSL VPN configuration.
  • Page 26: Troubleshooting Guide

    /cfg/vpn 1/aaa/authorder 2,1. Use the data in the following table to help you configure the parameters in this command. Variables: authorder, name, secret. Definition of authorder: Specifies the authentication order the SSL VPN gateway uses to authenticate a user.
  • Page 27: Troubleshooting Guide

    In the tree view, right-click Clients and select New Client. The Add Client dialog box appears. Enter the RADIUS client friendly name. Click Next to continue. The Add RADIUS Client dialog box appears.
  • Page 28: Troubleshooting Guide

    Configuring a new Remote Access Policy: This section shows an example of a basic setup with only one group available in the SSL VPN gateway. The Remote Access Policy sets the criteria for how the RADIUS authentication request is processed and also performs the user-to-group mapping.
  • Page 29: Troubleshooting Guide

    IP address from which the RADIUS authentication requests arrive, and so on. Click Next to continue. Select Deny remote access permission.
  • Page 30: Troubleshooting Guide

    Click Next to continue. Click Edit Profile. The Edit Dial-in Profile form appears.
  • Page 31: Troubleshooting Guide

    Click Remove twice to remove the default values that are not needed. Click Add and select the Vendor-Specific attribute. The Multivalued Attribute Information form appears. Click Add to continue. The Vendor-Specific Attribute Information form is displayed.
  • Page 32: Troubleshooting Guide

    Click Configure Attribute to continue. The Configure VSA (RFC Compliant) form is displayed. Set the Vendor-assigned attribute number to 1. Specify the name of the SSL VPN gateway group in the Attribute value. Click OK twice to return to the main Vendor-Specific attribute screen.
  • Page 33: Troubleshooting Guide

    Up-arrow in the menu to move it up in the list. Adding new users and changing existing users: This section explains how to add a new user or change an existing user.
  • Page 34: Troubleshooting Guide

    Registering the IAS in the Active Directory: This section explains the steps to register the IAS in the Active Directory to allow the integration to happen. Procedure steps...
  • Page 35: Troubleshooting Guide

    This section explains the steps to add a new RADIUS client that uses the IAS. Procedure steps: Step/Action: In the tree view of the Internet Authentication Service (IAS) screen, select the client.
  • Page 36: Troubleshooting Guide

    Specify the name of the RADIUS client with a friendly name. Specify the IP address or host name for the RADIUS client. Click Next to continue. Add and confirm the shared secret.
  • Page 37: Troubleshooting LDAP Authentication With Active Directory

    Troubleshooting LDAP authentication with Active Directory navigation: • “Troubleshooting LDAP authentication issues” (page 37) • “Adding an SSL VPN gateway user into the Active Directory” (page 38) • “Configuring the LDAP Attributes” (page 40). Troubleshooting LDAP authentication issues: This section explains the steps to set the isdbindn and isdbin password, if they are not correctly set.
  • Page 38: Adding An SSL VPN Gateway User Into The Active Directory

    ATTENTION: Use an LDAP browser to verify the search base and ov/~gawor/ldap/ Adding an SSL VPN gateway user into the Active Directory: This section explains the steps to add an SSL VPN gateway user into AD. Procedure steps: Step/Action: In the Active Directory Users and Computers screen, select the branch from the tree view.
  • Page 39: Troubleshooting Guide

    For example, secret. You can also add some additional password restrictions. Click Next to continue. Click Finish to complete adding the user.
  • Page 40: Configuring The Ldap Attributes

    In the User name Properties screen, click the General tab. Click Other, adjacent to the Telephone number field. The Phone Number (Others) form is displayed. Enter the name of the SSL VPN gateway groups the user belongs to and click Add.
  • Page 41: Configuring LDAPS Authentication With Active Directory

    SSL VPN configuration. With the directory tree looking the way it does above, the searchbase would be “OU=Users,DC=Nortel”, the userattr would be “UID”, and finally the groupattr would be “GID”. Procedure steps...
  • Page 42: Troubleshooting Guide

    Add the certificate store snap-in for Local Computer. In the Console wizard, under the File menu, select Add/Remove Snap-in. The Add/Remove Snap-in form appears. Click Add. The Add Standalone Snap-in form appears.
  • Page 43: Troubleshooting Guide

    Select Computer Account. Click Next to continue. Select the option Local computer: the computer this console is running on. Click Finish.
  • Page 44: Importing Certificates

    To import the certificate, select Import under All Tasks in the Action menu. The Certificate Import Wizard appears. Click Next. Browse for the file name and click Next.
  • Page 45: Troubleshooting Guide

    Import the same certificate under Local Computer -> Trusted Root Certification Authorities. Verify that the Event Viewer shows that LDAP over SSL has started. Verify that LDAPS authentication works correctly.
  • Page 46: Troubleshooting NTLM Authentication With Primary Domain Controller Navigation

    Creating the Windows group and adding a user to that group: To allow the SSL VPN gateway to map a Windows user to the test group in the SSL VPN group, you need to create a global Windows group with the same name.
  • Page 47: Adding Users To The New Group

    Click OK to finish the group selection. The user is now part of the correct group, which allows the SSL VPN gateway to map the user into the test group. Click OK to save the user properties.
  • Page 49: Emergency Recovery Trees

    Cannot access NVG for management -- recovery tree: This section details the flow diagram for the recovery tree -- cannot access NVG for management.
  • Page 50: Cannot Access Vpn -- Recovery Tree

    Cannot access VPN -- recovery tree: This section details the flow diagram for the recovery tree -- cannot access VPN.
  • Page 53: Reference To Third Party Application Guides

    Using Netegrity SiteMinder with Nortel Networks SSL VPN • Technical Configuration Guide Using Citrix with the Alteon SSL VPN • SSL VPN and SafeWord for Nortel Technical Config Guide
  • Page 55: Contact Nortel Technical Support

    Nortel Technical Support. You must attempt to resolve your problem using this troubleshooting guide. Contacting Nortel is a final step taken only when you have been unable to resolve the issue using the information and steps provided in this troubleshooting guide.
  • Page 56: Getting Help From The Nortel Web Site

    A detailed network topology diagram • Log files. Getting help from the Nortel Web site: The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: http://www.nortel.com/support. This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products.
  • Page 57: Getting Help From A Specialist By Using An Express Routing Code

    To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to: http://www.nortel.com/help/contact/erc/...
  • Page 59: Glossary

    Glossary terms: Access Rules; Base Profile. When a user tries to log in to the VPN, either through the Portal page or through a VPN client, his or her group membership determines the access rights to different servers and applications on the intranet.
  • Page 60: Troubleshooting Guide

    Glossary terms: CLI (Command Line Interface); Cluster (of NVGs); Console Connection; CRL (Certificate Revocation List); CSR (Certificate Signing Request). Secure IPsec tunnel between two VPN Gateways (or clusters of VPN Gateways) or similar devices. The tunnel is automatically established...
  • Page 61: Troubleshooting Guide

    Glossary terms: Digital Signature; DIP (Destination IP) Address; DPort (Destination Port). A device that communicates with a Data Terminal Equipment (DTE) in RS-232C communications. A process for unambiguously converting an object specified in ASN.1 (such as an X.509 certificate,...
  • Page 62: Troubleshooting Guide

    Glossary terms: HTTP Proxy; Master; MIB (Management Information Base); MIP (Management IP). A device that controls data flowing to or from a computer. The term is most often used in reference to serial communications defined by the RS-232C standard. This...
  • Page 63: Troubleshooting Guide

    Glossary terms: Ping (Packet INternet Groper); PKCS #12. The Net Direct client is an SSL VPN client that can be downloaded from the Portal for each user session. As...
  • Page 64: Troubleshooting Guide

    Glossary terms: PKI (public key infrastructure); Portal; Portal Guard; Port Forwarder; Secure Service Partitioning. PKI: Short for public key infrastructure, a system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction.
  • Page 65: Troubleshooting Guide

    Glossary terms: SNMP (Simple Network Management Protocol); SOCKS. When turning on a VPN Gateway for the very first time, the Setup utility starts up automatically. The Setup utility is used for performing a basic configuration of the VPN Gateway.
  • Page 66: Troubleshooting Guide

    Glossary terms: SSL VPN client; TLS (Transport Layer Security); Traceroute; Trap; TunnelGuard. The source destination port, linking the incoming data to the correct service. For example, port 80 for HTTP, port 443 for HTTPS, port 995 for POP3S.
  • Page 67: Troubleshooting Guide

    Glossary terms: VLAN (Virtual Local Area Network); X.509; X11 Forwarding. The addressing technology from which URLs are created. Technically, URLs such as HTTP:// and FTP:// are specific subsets of URIs, although the term URL is mostly heard.

This manual is also suitable for:

3070
