3Com Router 3000 Ethernet Family
Configuration Guide
Symptom 3: Unable to establish security channel
Troubleshooting: Check whether the network is stable and whether the security channel is
established correctly. Sometimes a security channel exists but the two parties cannot
communicate, even though the ACLs on both parties are configured correctly and there is a
matching policy.
In this case, the problem is usually caused by one router restarting after the security
channel was established. Solution:
Use the command display ike sa to check whether both parties have established a
Phase 1 SA.
Use the command display ipsec sa policy to check whether the IPSec policy on the
interface has established an IPSec SA.
If the two results show that one party has an SA but the other does not, use the
command reset ike sa to clear the erroneous SA and re-initiate negotiation.
3Com Corporation
Chapter 8 IKE Configuration