HP 7102dl - ProCurve Secure Router Configuration Manual page 573

Procurve secure router 7000dl series - advanced management and configuration guide

If the CLI shows an IKE SA for the connection, you know that it at least
completed IKE phase 1.
You can also scroll through the debug messages looking for signs of the IKE
phase that generated the problems. (See Table 10-25 above.) Look for messages
that repeat several times, for example, "sending main mode message 1"; they
indicate that the router cannot complete the step. Table 10-26 shows
other messages associated with problems in a particular IKE phase.
Table 10-26. Debug Messages

| Messages Associated with IKE Phase 1 Problems | Messages Associated with IKE Phase 2 Problems |
|---|---|
| IKEDeleteIsakmpSA | IKEFindIPSecSAbySPI |
| IANA for protocol: Isakmp | IANA for protocol: IPSec |

Once you have determined which IKE phase is causing your problem, you
should move to "Comparing VPN Policies" on page 10-80. This section will
help you determine which specific policy is causing IKE to fail.

Peer ID is Invalid. Continuously repeating "IKEStartNegotiation" messages
indicate that the router is unable to even reach the peer to begin IKE
negotiations. This problem can have several sources:
- The peer ID in the crypto map entry is incorrect.
- The peer ID in the IKE policy is incorrect.
- The IKE policy does not allow you to initiate IKE with this peer.

See Table 10-27 for debug messages associated with these problems.

Table 10-27. IKEStartNegotiation Debug Messages

| Attribute | Problem | Best Next Step |
|---|---|---|
| Can not Initiate on a Respond only policy | The IKE policy for the peer is set to no initiate. | Change the IKE initiate mode in the policy to main or aggressive. |
| Could not find an IKE policy to use | The peer ID in the crypto map entry does not match the peer ID in any IKE policy. | Check the peer ID in the crypto map entry and IKE policy and change the incorrect setting. |
| "Already in process of negotiation" or "IKERetryTimeOut: Retrying 1st phase" | The peer ID in the crypto map entry and IKE policy are incorrect. | Verify that you have configured the correct public IP address for the peer. |

Virtual Private Networks
Troubleshooting a VPN That Uses IPSec
10-79
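The triage that Tables 10-26 and 10-27 describe can be scripted over saved debug output. The following Python sketch is an added example, not code from the HP manual or the router: it counts repeating messages, flags the IKE phase from the Table 10-26 markers, and maps IKEStartNegotiation attributes to the next step in Table 10-27. The function name `triage`, the timestamp prefix, the threshold of three repeats, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Marker strings from Table 10-26, mapped to the IKE phase they point to.
PHASE_MARKERS = {
    "IKEDeleteIsakmpSA": 1, "IANA for protocol: Isakmp": 1,
    "IKEFindIPSecSAbySPI": 2, "IANA for protocol: IPSec": 2,
}
# IKEStartNegotiation attributes from Table 10-27 and their next steps.
PEER_IP = "Verify that the correct public IP address is configured for the peer."
NEXT_STEPS = {
    "Can not Initiate on a Respond only policy":
        "Change the IKE initiate mode in the policy to main or aggressive.",
    "Could not find an IKE policy to use":
        "Check the peer ID in the crypto map entry and IKE policy.",
    "Already in process of negotiation": PEER_IP,
    "IKERetryTimeOut: Retrying 1st phase": PEER_IP,
}
# Assumption: a leading run of digits and separators is a timestamp.
TIMESTAMP = re.compile(r"^[\d.:/\- ]+")

def triage(lines, threshold=3):
    """Summarise debug output; threshold is an assumed reading of 'several'."""
    phases, steps, counts = set(), [], Counter()
    for raw in lines:
        msg = TIMESTAMP.sub("", raw.strip())
        if not msg:
            continue
        counts[msg] += 1
        phases.update(p for m, p in PHASE_MARKERS.items() if m in msg)
        for attr, step in NEXT_STEPS.items():
            if attr in msg and step not in steps:
                steps.append(step)
    repeated = {m: n for m, n in counts.items() if n >= threshold}
    return {
        "phases": sorted(phases),
        "repeated": repeated,
        # Repeating IKEStartNegotiation: negotiation with the peer never begins.
        "cannot_start": any("IKEStartNegotiation" in m for m in repeated),
        "next_steps": steps,
    }

# Constructed sample; real debug output may be laid out differently.
SAMPLE = [
    "2005.06.01 10:00:01 IKEStartNegotiation: Could not find an IKE policy to use",
    "2005.06.01 10:00:06 IKEStartNegotiation: Could not find an IKE policy to use",
    "2005.06.01 10:00:11 IKEStartNegotiation: Could not find an IKE policy to use",
    "2005.06.01 10:00:12 IKEDeleteIsakmpSA",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```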

This manual is also suitable for:

Procurve secure router 7203dl j8753a
