Nortel NN46110-602 Troubleshooting Manual

Nortel VPN Router
Troubleshooting
Version 7.00
Part No. NN46110-602
315900-E Rev 01
February 2007
Document status: Standard
600 Technology Park Drive
Billerica, MA 01821-4130

Summary of Contents for Nortel NN46110-602

  • Page 2: Restricted Rights Legend

    In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice. Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 30 days of purchase to obtain a credit for the full purchase price. “Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies.
  • Page 4 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities). Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
  • Page 5: Table Of Contents

    Contents Preface ............17 Before you begin .
  • Page 6 Backing up changes to specific files or directories ..... 58 Stopping the backup of changes to specific files or directories ..... 59
  • Page 7 Using SFTP to transfer backup files ....... . 59 Stopping the transfer of backup files using SFTP ..... . 59 Disabling new logins .
  • Page 8 Interface capture object using triggers ......122 Tunnel capture object using a remote IP address ..... 124
  • Page 9 Viewing a packet capture output file on a PC ......125 Installing Ethereal software ......... 125 Saving, downloading, and viewing PCAP files .
  • Page 10 Configuring IPX ........... 222
  • Page 11 IPX client ............223 Windows 95 and Windows 98 .
  • Page 13 Figures Figure 1 Admin > SNMP Traps window ....... . . 33 Figure 2 Event logs .
  • Page 15 Tables Table 1 Field IDs for data collection records ......40 Table 2 Troubleshooting tools .
  • Page 17: Preface

    Preface This guide provides information about how to manage and troubleshoot the Nortel VPN Router. Before you begin This guide is for network managers who monitor and maintain the Nortel VPN Router. This guide assumes that you have experience with system administration and familiarity with network management.
  • Page 18 Courier text; separator ( > ); braces: Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command.
  • Page 19: Acronyms

    vertical line ( | ): Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is terminal paging {off | on}, enter terminal paging off... Acronyms This guide uses the following acronyms: ADSL, CHAP, DHCP, HTTP, ICMP, IPsec, ISDN BRI...
  • Page 20 L2TP Layer 2 Tunneling Protocol; LDAP Lightweight Directory Access Protocol; OSPF Open Shortest Path First; PCAP packet capture; PPTP; RADIUS; SNMP; VRRP. Further expansions on this page: local area network; Network Address Translation; Open Systems Interconnection; Password Authentication Protocol; public data network; point of presence...
  • Page 21: Related Publications

    Related publications For more information about the Nortel VPN Router, see the following publications: • Release notes provide the latest information, including brief descriptions of the new features, problems fixed in this release, and known problems and workarounds. • Nortel VPN Router Configuration — Basic Features (NN46110-500) introduces the product and provides information about initial setup and configuration.
  • Page 22: Hard-Copy Technical Manuals

    To check for updates to the latest documentation and software for VPN Router, click one of the following links: Latest software: Takes you directly to the Nortel page for VPN Router software located at: www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=SOFTWARE&resetFilter=1&poid... Latest documentation; www.adobe.com
  • Page 23: Getting Help From The Nortel Web Site

    Getting help from the Nortel Web site The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: www.nortel.com/support This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. From this site, you can: •...
  • Page 24: Getting Help Through A Nortel Distributor Or Reseller

    Preface Getting help through a Nortel distributor or reseller If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.
  • Page 25: New In This Release

    New in this release The following section details what is new in Nortel VPN Router Troubleshooting for Release 7.0. Features See the following sections for information about feature changes: • SNMP traps when an IP address pool reaches the configured threshold •...
  • Page 26: Automatic Backups

    With the enhancement, each branch office is assigned a static IfIndex, the IfIndex is saved in LDAP, and tunnels are reported even when they are down. For more information about the IfIndex enhancement, see “RFC 1213—Network Management of TCP/IP-Based Internets MIB” on page 113. “Automatic backups” on ... “Capturing packets to disk ...
  • Page 27: Vpn Router Administration

    Chapter 1 VPN Router administration This chapter introduces administrator settings, tools, system configuration, and file management. It also includes information about SNMP traps. Administrator settings The VPN Router supports multiple administrators. You can assign different rights to allow or prevent administrative users from managing or viewing the VPN Router and user configuration information.
  • Page 28: Lost User Name And Password-Resetting The Vpn Router To Factory Defaults

    Reset to factory default. After you reset to factory default, the administrator user name is admin and the password is setup. Caution: Resetting to factory default removes all existing configuration information.
  • Page 29: Dynamic Password

    Dynamic password Two types of administrative users exist on the VPN Router: • one super-user (Administrator) • as many administrative users as needed There is dynamic password support for administrative users only. The Administrator still requires a static password. RADIUS manages the dynamic password. The external RADIUS service acts as an intermediary between the VPN Router and the dynamic password authentication system.
  • Page 30: System Configuration

    FTP transfer with a specific file, you can view the file details to learn its file size and when it was last modified for troubleshooting purposes. Additionally, you can toggle between hard drives when a backup drive is available.
  • Page 31: Simple Network Management Protocol (Snmp)

    Simple Network Management Protocol (SNMP) Use the Admin > SNMP window to do the following: • designate the remote SNMP management stations that are authorized to send SNMP Gets to the VPN Router • enable specific MIBs Note: A Nortel proprietary MIB is included on the Nortel CD. Click the CesTraps.mib file to load the MIB.
  • Page 32: Configured Threshold

    To configure an SNMP trap to send a notification about an exhausted IP address pool: To capture the traps, you must first define and enable a target host. To do that, select Admin > Snmp Traps. The Admin > SNMP Traps window appears.
  • Page 33: Figure 1 Admin > Snmp Traps Window

    Figure 1 Admin > SNMP Traps window Enter a host name or IP address in the Host Name or IP Address text box. Enter a name in the Community Name text box. Click Enable. Click OK. Under the Trap Groups section on the SNMP Traps window, click Configure beside Service.
  • Page 34 To configure the amount: CES(config)#ip local pool exhausted-amount <amount>
  • Page 35: Chapter 2 Status And Logging

    Chapter 2 Status and logging The Status windows show which users are logged on, their traffic demands, and a summary of the VPN Router’s hardware configuration, including available memory and disk space. The status windows include: • Sessions • Reports •...
  • Page 36: Sessions

    At midnight (12:00 a.m.), the data collection task performs summary calculations and rewrites history files, along with other management and cleanup functions. To perform this task, leave the VPN Router running overnight. The VPN Router must be running at midnight to generate a historical graph for the day.
  • Page 37: System

    If you have multiple VPN Routers throughout the world, use the Greenwich Mean Time (GMT) standard to synchronize the various log files so that the timestamps are directly comparable. System The Status > System window shows the VPN Router’s up time, software and hardware configurations, and the current status of key devices.
  • Page 38: Accounting

    Note: The results of accounting record searches can be incorrect if another administrator initiates a new search before the first search is completed. Therefore, ensure that not more than one administrator is searching accounting records at one time.
  • Page 39: Radius Accounting

    The data collection system stores records in text-based files stored in the system/dclog subdirectory. The system stores the most recent 60 days of data. The system stores daily files, summary files, and summary history files. Ongoing administration tasks include monitoring the configuration files, backing up and restoring the VPN Router or the LDAP database, and upgrading images and clients.
  • Page 40: Table 1 Field Ids For Data Collection Records

    0-930057960,1-3,2-3,3-0,4-0,5-0,6-0,7-0,8-0,9-0,10-56,11-76,12-1,13-11021,14-40,15-38,16-0 Table 1 lists the field IDs that are currently implemented. Table 1 Field IDs for data collection records (columns: Field identification, Collected field value, Description): TIMESTAMP Seconds since Jan 1, 1970 - 00:00:00 Hours; TOTALSESSIONS Summary of all sessions...
  • Page 41: Logs

    Table 1 Field IDs for data collection records (continued). Logs The VPN Router has several logs that provide different levels of information. The logs are stored in text files and indicate what happened, when the event occurred, and the IP address and user ID of the person causing the event. Event log The event log is a detailed recording of all events that take place on the system.
  • Page 42: Figure 2 Event Logs

    In the Auto Save Events to section, select the maximum number of files that you want to save and click Enabled to automatically save the event log (Figure 2). The Capture and Display filters are hidden by default. Click Show to view or configure the capture and display filter capabilities (Figure 3).
  • Page 43: Figure 3 Capture And Display Filters

    Figure 3 Capture and display filters You configure the capture filter and display filter using Entity-Subentity or Severity. To configure the capture filter or display filter: Click Configure Capture Entity or Configure Display Entity. Figure 4 shows the Configure Display Entity window.
  • Page 44: Figure 4 Configure Display Entity

    Select the type of match you want. Select AND to match all key words. Select OR to match any key words. Click Clear to clear the entire log. Only Administrators can clear the log. Click Refresh to display new log entries. 10 Click Reverse Chronological Order to display the log in reverse chronological order.
  • Page 45: System Log

    System log The system log contains all system events that are considered significant enough to be written to disk, including those displayed in the configuration and security logs. Events that appear in the system log include: • LDAP activity • configuration activity •...
  • Page 46: Configuration Log

    The Configuration log records all configuration changes. For example, it tracks adding, modifying, or deleting the following configuration parameters: • group or user profiles • LAN or wide area network (WAN) interfaces • filters • system access hours • shutdown or startup policies • file maintenance or backup policies
  • Page 47: Administrative Tasks

    Chapter 3 Administrative tasks This chapter describes administrative tasks that help you operate the VPN Router. These tasks provide details on scheduling backups, upgrading the software image, saving configuration files, performing file maintenance, creating recovery diskettes, and system shutdown. Shutdown You use the Shutdown options to shut down immediately, to wait until current users are logged off, or to wait until a designated time.
  • Page 48: Recovery

    These utilities are accessed through Hypertext Transfer Protocol (HTTP) after it is booted from the recovery diskette. Using the recovery diskette To use the recovery diskette: Remove the VPN Router’s front cover. Insert the recovery diskette into the drive and press Reset on the back of the VPN Router.
  • Page 49: Figure 5 Recovery Diskette Window

    This supplies a minimal configuration utility so that you can view the VPN Router from a Web browser. In the Web browser, enter the management IP address of the VPN Router. The Recovery Diskette window appears, which you can use to: —...
  • Page 50 If you did not configure automatic backup server locations, use the blank row in the server backup field to manually enter a backup server. Note: FTP servers are often different, so check for information in your server documentation about setting paths that can help you with the upgrade procedure.
  • Page 51 You can use a new factory default software image and file system to restore the VPN Router’s hard disk. Specify the name or address and path of the network file server onto which the software from the Nortel CD is installed. Note: This restores the disk to an operable but clean condition (for example, configuration values are at factory defaults).
  • Page 52: Automatic Backups

    This delay occurs even if you request that a backup start immediately. Use the Admin > Auto backup window to configure regular intervals or specific times when your system files are saved to designated host backup file servers. You can designate up to three backup file servers.
  • Page 53: Using The Gui For Automatic Backup

    You must create a directory on the File Transfer Protocol (FTP) or Secure File Transfer Protocol (SFTP) server before running automatic backup. If you specify a path in the Admin > Auto backup window and the directory does not exist on the FTP or SFTP server, the automatic backup fails and the message “The host path does not exist” is logged in the Event log.
  • Page 54: Figure 6 Automatic Backup Window

    Note: To transfer backup files using SFTP, you must first configure a remote SSH server. To back up at a specific time, click Specific Time and enter the time that you want the backup to occur in the Specific Time text box (Figure 6).
  • Page 55 To back up at certain intervals of time, click Interval and in the Interval text box specify in hours the time period after which the system automatically backs up changed files. The minimum interval is 1 hour, and the maximum is 8064 (336 days).
  • Page 56: Figure 7 Specific Automatic Backup Window

    18 To delete files after they are backed up, click Delete files on VPN Router after backup. 19 Click Apply to save the changes. 20 Select Admin > Auto Backup. 21 In the Backup Types section of Automatic Backup File Servers, click Specific Backup for the server of your choice.
  • Page 57: Using The Cli For Automatic Backup

    22 Click Backup to run the backup to each enabled server now. This action also synchronizes the hard disk drives when there is more than one hard drive in a device. Otherwise, the hard disks synchronize automatically every 60 minutes. A new window appears with the backup information at the top of the window.
  • Page 58: Backing Up Specific Files And Directories

    {1 | 2 | 3} {<ip-address> | <host-name>} [<file-path>] auto username <user-name> password <password> For example, to back up the files that changed on backup server number 1, enter: CES(config)# exception backup 1 10.2.5.68 auto username admin password setup
  • Page 59: Stopping The Backup Of Changes To Specific Files Or Directories

    Stopping the backup of changes to specific files or directories To stop backing up the changes for specific files or directories for a particular server, enter: no exception backup advanced {1 | 2 | 3} specific For example, to stop backing up files that changed in backup server number 1, enter: CES(config)# no exception backup advanced 1 specific...
  • Page 60: Disabling New Logins

    To upgrade the VPN Router, download the latest Nortel software using the File Transfer Protocol (FTP). Because FTP servers are often different, check your server documentation for information about setting paths that can help you with the upgrade procedure. You can download the latest software from (Figure 8):
  • Page 61: Checking Available Disk Space

    • Nortel Web site • your own FTP site if you previously downloaded the software from the Nortel FTP site • Nortel software CD If an FTP server does not use standard FTP port numbers, you cannot use it to download Nortel software.
  • Page 62: Creating A Control Tunnel To Upgrade From A Remote Location

    Turn on the PC or the terminal. On the PC, start HyperTerminal or another terminal emulation program and press Enter. The Welcome window appears. Enter the VPN Router administrator user name and then the password. The serial main menu appears.
  • Page 63: Creating A Recovery Diskette

    Type 5 (Create A User Control Tunnel (IPsec) Profile). Enter the user ID that you plan to use to log in remotely to the VPN Router. Enter the password that you plan to use. Enter the password again. When you are prompted for an IP address, you can enter a static IP address that is assigned to the user during the control tunnel connection.
  • Page 64: Retrieving The New Software

    .gz file from the FTP root in the directory. In the example below, the V04_80.069.tar.gz file is located at the root of the FTP directory. • Version: type the exact name of the code that you are upgrading to (for example, V04_80.114).
  • Page 65: Figure 9 Ftp Menu Example

    192.32.250.64. The file V04_80.114.tar.gz must be located at the root of the FTP directory. Figure 9 FTP menu example When you FTP to the FTP server from another PC, you see the location of the file: D:\ftp>ftp 192.32.250.64 Connected to 192.32.250.64.
  • Page 66: Before Completing The Upgrade

    Note: These sessions are logged off during the Apply process; see “Disabling new logins” on page 60 for the procedure. Disable RADIUS accounting. Select Servers > RADIUS ACCT and disable all of the following options: — Internal RADIUS Accounting — Interim RADIUS Accounting Record
  • Page 67: Applying The Software

    — Response Timeout for RADIUS Accounting Server — External RADIUS Accounting Server b Click OK. Applying the software After you start the apply process, do not make any queries on the VPN Router. Queries try to access files and can cause problems during the upgrade process. To apply the new software: Select Admin >...
  • Page 68 Select a system shutdown type of None and click OK. You have successfully upgraded your switch.
  • Page 69: Chapter 4 Troubleshooting

    Chapter 4 Troubleshooting This chapter introduces the concepts and practices of advanced network configuration and troubleshooting for the Nortel VPN Router. Its purpose is two-fold: to provide configuration details to consult when setting up or modifying the extranet, and to serve as a resource when diagnosing client and network problems.
  • Page 70: Troubleshooting Tools

    IPsec VPN Client Monitor provides network statistics on device, connection, and network errors that help monitor traffic flow and assess IPsec connection performance. Statistic counters are updated once a second. For more information on the IPsec VPN Client Monitor, see the VPN Client online Help.
  • Page 71: System-Based Tools

    Microsoft Point-to-Point Tunneling Protocol (PPTP) Dial-Up Networking Monitor provides network statistics on device, connection, and network protocols that help monitor traffic flow and assess PPTP connection performance. For more information on the PPTP Dial-Up Networking Monitor, see the PPTP help or your Microsoft PPTP client documentation.
  • Page 72: Solving Connectivity Problems

    Nortel recommends that they follow these steps to first determine whether the problem is with their modem, Point-to-Point Protocol (PPP) dial-up, or with the extranet connection:
  • Page 73: Common Client Connectivity Problems

    Confirm that the modem is attached and working properly by running a terminal emulation program, such as Hyperterminal*, at their remote workstation and issuing the AT command. If the response is AT OK, the modem is operating correctly. Verify that there is a PPP dial-up connection over the internet. To do this, before trying to establish an extranet access or PPTP connection, have them try Web browsing www.nortel.com or another Web site.
  • Page 74 Action: Contact your network administrator if you are unsure of your specific hours of access. Authentication failed Cause: The IPsec user name is incorrect or the password is invalid for the user name entered.
  • Page 75 Action: Verify that the user name you entered is correct and retype the password before trying the connection again. No proposal chosen Cause: The VPN Router you are connecting to is not configured to handle the authentication method configured under the current connection profile.
  • Page 76: Problems With Name Resolution Using Dns Services

    DNS misconfiguration is usually the problem if a client can ping a host using an IP address but not with its host name, or receives messages that the host name cannot be resolved. Cause: You cannot configure a DNS server for PPTP or IPsec connections on the VPN Router.
  • Page 77: Network Browsing Problems

    Action: Validate that the VPN Client is configured with a DNS entry. For Windows NT 4.0, open a command prompt and enter ipconfig/all. Verify that a DNS server entry is listed. For Windows 95, from the Start menu on the task bar, select Run and enter .
  • Page 78 Remote Domain under the Options menu of the VPN Client dialog box. You are then prompted to log in to the domain of the remote network after the extranet connection is made. This is the recommended method for users with docking station configurations.
  • Page 79: Diagnosing Wan Link Problems

    Alternatively, on NT 4.0, Windows 98, and Windows 95, complete the following steps to change your workstation to be a member of a workgroup instead of a domain: From the Start menu, select Settings > Control Panel. In the Control Panel, double-click Network.
  • Page 80 If the previous steps fail to resolve the problem, and you still suspect a problem with the physical connection, try rebooting the VPN Router to reinitialize the WAN interface.
  • Page 81 Check the HDLC framing Assuming that the T1/V.35 interface is operating correctly, use the following steps to determine whether the HDLC layer is up and running properly, and to provide information for Nortel Customer Support for further diagnosis: Check that there are no input or output errors reported on the Manager WAN statistics window.
  • Page 82: Hardware Encryption Accelerator Connectivity

    (non-compressible) data, the data can expand in size and overrun the modem's buffers. Performance tips for configuring Microsoft networking For Microsoft networking to work as designed over the extranet, each of the following components, if configured, must work together:
  • Page 83 • DHCP Server assigns IP addresses to clients • WINS Server provides a translation of the NetBIOS domain name to the IP address • DNS Server provides a translation of the IP Host name to the IP address • Master Browser is an elected host that maintains lists of all NetBIOS resources •...
  • Page 84 The WINS settings are available on the WINS server through the Start menu > Programs > Administrator Tools. The following values for a WINS server are: • Server Configuration • Renewal Interval: 41 minutes • Extinction Interval: 41 minutes • Extinction Timeout: 24 hours • Verify Interval: 576 hours
  • Page 85 The renewal interval governs how often a client must reregister its name with the WINS server. It begins trying at one-half of the renewal interval. The extinction interval governs the length of time between when a client name is released and when it becomes extinct.
  • Page 86 This gives an administrator the ability to configure a specific computer as the master browser. Note the entry show database command...
  • Page 87 To specify a computer as the preferred master browser, set the parameter for IsDomainMasterBrowser to True or Yes in the following registry path: \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Browser\Parameters Unless the computer is configured as the preferred master browser, the parameter entry is always False or No.
  • Page 88 Router as invalid tunneled packets because the source address does not match the VPN Router-assigned address. If you inspect the event log, there are messages of the form Bad source address in tunnel and the session/details counter for source address drops increases.
  • Page 89 After about 10 to 15 seconds, NetBIOS gives up on the primary interface, moves to the correct tunnel interface, and starts to browse the Network Neighborhood. Why can't I browse another client in a different tunnel? Cause: If you are not using a WINS server, this is not possible because network browsing requires broadcasts from one tunnel to another.
  • Page 90 Windows 95 requires the Winsock DNS Update (wsockupd) to properly function with multiple DNS servers.
  • Page 91: Additional Information

    My downloaded DNS servers for my tunnel connection do not work Cause: The Microsoft Windows 95/98 and Windows NT operating systems attempt to ping new DNS servers before adding them to the current list of servers. Action: As a quick test, try to ping (with the tunnel connection active) the DNS servers that the extranet device is downloading at tunnel startup.
  • Page 92: Solving General Problems

    Netscape Communicator*, Version 4.0 or later. Not using a recent version of Internet Explorer causes the upper-left corners of the management windows to remain gray rather than displaying the navigational menu and the current menu selection, respectively.
  • Page 93: Enabling Web Browser Options

    • For ActiveX Scripts, Java, and JavaScript*, you must enable both ActiveX and Java programs in Internet Explorer, and enable both Java and JavaScript in Netscape Communicator for proper VPN Router Web management windows. These options are enabled by default on both Web browsers. Enabling Web browser options To make sure these options are enabled in Internet Explorer, from the Internet Explorer menu bar, select View >...
  • Page 94: Web Browser Error Messages

    VPN Router is very low on memory. Action: Terminate any unnecessary tasks to free up memory. It may be necessary to reboot the VPN Router. If this condition recurs, there can be a serious problem. Contact Nortel Customer Support.
  • Page 95 Document not found message Cause: This message is returned when the HTTP server cannot find the requested window. This can happen because the Java navigation index file is out of synch with the rest of the system. A corrupted or incorrectly cached index file can also cause this problem.
  • Page 96: Reporting A Problem With A Web Browser

    Action: Restart the system. Power failure Cause: The power supplies can become unseated during shipping. When this problem occurs, the VPN Router may not start, or a warning can be posted to the Status > Health Check window indicating a potential problem.
  • Page 97: Dhcp Server

    Action: If necessary, remove the front bezel as described in the installation guide, then push the bottom of the power supply in to reseat it. Cannot convert from an internal address pool to an external DHCP server Cause: You cannot convert IP address distribution from an internal address pool to an external DHCP server while sessions are active.
  • Page 98: Solving Routing Problems

    Check that OSPF and Routing Information Protocol (RIP) are properly set. Check that you have the correct address ranges if you configured summarization. Check that you have an Advanced Routing license if you are using OSPF for client address redistribution.
  • Page 99: Solving Firewall Problems

    Solving firewall problems An error occurred while parsing the policy Description: The policy that you are attempting to view or edit cannot be opened because it does not conform to the required format. This is caused by an error in the LDAP database or a problem with the connection to the VPN Router.
  • Page 100 Internal LDAP server was shut down and restarted. • External LDAP server in use is switched to the internal LDAP server. • Internal LDAP server in use is switched to an external LDAP server. • External LDAP server’s port or IP address changes.
  • Page 101 Action: To ensure that the most current data is loaded: Close the current policy, if opened. Saving is not permitted until this error is remedied. From the policy selection window, select All from the Refresh menu. System files were not loaded properly Description: This error occurred because the files necessary to load the Stateful Firewall Manager were either not downloaded from the VPN Router properly or were not initialized properly.
  • Page 103: Packet Capture

    Chapter 5 Packet capture Packet capture (PCAP) is a troubleshooting tool that network administrators and customer support personnel use, in conjunction with other tools such as statistics, logging, network analyzers, and testers, to remotely troubleshoot VPN Router and network problems. Packet capture is especially useful for troubleshooting the VPN Router 1010/1050/1100, which is typically located in a small office where no technical expertise is available.
  • Page 104: Pcap Features

    Packet capture enables the VPN Router to perform the following tasks: • simultaneously capture network traffic at different sources (physical interfaces, tunnels, and the VPN Router as a whole) • capture inbound or outbound traffic, or both “Automatic backups” on page...
  • Page 105: Security Features

    • limit the traffic that the filters capture • automatically start and stop packet capture with triggers Note: The VPN Router does not provide tools for opening and viewing captured data. You must offload the PCAP files to view them. Security features Packet capture on the VPN Router provides the following features to enhance security:...
  • Page 106: Capture Types

    For example, you can create a tunnel capture object to diagnose the following types of problems: • a protocol not working for a particular user • performance issues for a particular user • Open Shortest Path First (OSPF) not working properly inside a specific branch office tunnel
  • Page 107: Global Ip Captures

    Tunnel captures saved to disk are encapsulated with raw IP encapsulation. When you convert these files to file formats that do not support raw IP encapsulation (including Sniffer), L2 encapsulation is required. You can configure a capture object for an existing tunnel or for tunnels that are not initiated.
  • Page 108: Filters And Triggers

    By default, the system saves frames to the capture buffer as soon as a capture object starts. You can configure predefined or user-defined interface filters as triggers for capture objects. A trigger causes a capture object to start or stop automatically when it receives certain packets.
  • Page 109: Saving Captured Data

    • A start trigger causes the system to wait for a specific packet before it starts saving packets to the capture buffer. • A stop trigger causes the system to stop saving traffic in the capture buffer after a specific packet matching the stop trigger is encountered. The packet capture object, however, is not fully stopped.
  • Page 110: Performance Considerations

    Configure a capture object for promiscuous mode only when necessary. (Promiscuous mode affects VPN Router performance.) • Configure filters and triggers to capture only relevant traffic, in particular if you need to run the global IP object. bytes blocks ave block 2252386...
  • Page 111: Enabling Packet Capture On A Vpn Router

    Router serial port to the terminal or to the communications port on the PC. On the PC, start HyperTerminal and click Enter. The Welcome window appears. Welcome to the VPN Router Copyright (c) 2007 Nortel Networks Ltd. Version: Creation date: Date: Unit Serial Number: 317563...
  • Page 112 Use this password to open capture files with the openpcap admin utility. Enter at least eight characters for the capture password and include at least one number. #capture enable Please specify password for encrypting capture files. Password: ******** Reenter password: ********...
  • Page 113: Capturing Packets To Disk File

    10 If you want, you can now change the VPN Router administrator password. configure terminal CES# Enter configuration commands, one per line. End with Ctrl/z. adminname <admin_name> password <new_password> CES(config)# exit CES(config)# CES# After you enable packet capture, it remains enabled until you explicitly disable it with the no capture enable command. You can now configure and start packet capture objects.
  • Page 114: Setting The Size Of The Ram Buffer

    Setting the maximum number of disk capture files To set the maximum number of disk capture files, from CLI Capture Configuration Mode enter: maxfiles where max_files is the maximum number of files to save to disk for this capture. #filepath /ideX/system/log <size> #buffersize 1048576 <max_size>...
  • Page 115: Saving Captured Data

    For example, enter: CES(capture-ethernet) Saving captured data To set the PCAP capture mode to loss or no loss, from CLI Capture Configuration Mode enter: capture-all No capture-all For example, enter: CES(capture-ethernet) Configuring and running packet capture objects This section provides instructions for creating, configuring, starting, and stopping capture objects, as well as instructions for saving captured traffic to a file on disk.
  • Page 116 • specify whether the capture stops when the buffer is full or whether new data overwrites the existing data ATM interface capture Bri interface capture Dial interface capture Fast Ethernet interface capture...
  • Page 117 To configure a capture object: Navigate to Capture Configuration mode by entering the capture command with the object name. capture ether0 CES# CES(capture-ethernet)# The resulting prompt shows the type of capture object (physical interface, tunnel, or global IP). Display all parameters that you can configure for that type of capture object. CES(capture-ethernet)# Packet capture mode direction...
  • Page 118 CES(capture-tunnel)# For the syntax of any command, see the Nortel VPN Router Using the Command Line Interface (NN46110-507). “Tunnel captures” on page Captures in one direction Exits capture mode Applies interface traffic filter to capture only matching traffic...
  • Page 119: Starting, Stopping, And Saving Capture Objects

    Global IP parameters The configurable parameters for the global IP capture object are the same as the parameters available for physical interface objects. The following example creates a global capture object called rawip, navigates to Capture Configuration mode, and displays the commands for the global capture object. For more information about global IP capture objects, see capture add rawip global CES#...
  • Page 120 Capture buffer utilization: Capturing direction: Capture buffer wrapping: Capture buffer wrapped: Capture filter applied: Capture filter discards: Start trigger applied: Start trigger discards: Stop trigger applied: CES# show capture Type Size TUNNEL 1048576 ETHERNET 1048576 GLOBAL 1048576 command is run with no object...
  • Page 121: Sample Packet Capture Configurations

    Sample packet capture configurations This section provides sample configurations and the commands used to create them. Interface capture object using a filter and direction In the following example, you configure a capture object called test-filter-in on Fast Ethernet interface 0/1. This object captures inbound FTP traffic only. Note: The filter used in this example is a predefined VPN Router filter.
  • Page 122: Interface Capture Object Using Triggers

    Note: The filters used in this example are predefined VPN Router filters. If you need a filter that the VPN Router software does not provide, you must create the filter before you configure the capture object. command. (In this example, 20 frames are captured in the RUNNING 1048576...
  • Page 123 To create and use this capture object, you run commands like the ones illustrated in this example. These commands do the following: Create a capture object called test-trigger on Fast Ethernet interface 0/1. Enter Capture Configuration mode for the object. Set the start trigger to permit FTP.
  • Page 124: Tunnel Capture Object Using A Remote Ip Address

    To create and use this capture object, you run commands like the ones illustrated in this example. These commands do the following: Create a capture object called test-remote-ip. Enter Capture Configuration mode for the capture object. Set the remote IP address to 192.168.100.1. command show capture STOPPED by stop 1048576...
  • Page 125: Viewing A Packet Capture Output File On A Pc

    Exit Capture Configuration mode. Start the capture. capture add test-remote-ip tunnel CES# capture test-remote-ip CES# CES(capture-tunnel)# CES(capture-tunnel)# capture test-remote-ip start CES# CES# To stop the capture and save the buffer contents to a file called test6.cap, enter the following commands: capture test-remote-ip stop CES# capture test-remote-ip save test6.cap...
  • Page 126: Saving, Downloading, And Viewing Pcap Files

    Open a DOS window and from the c:\pcap directory, open the PCAP file ethernet.cap by using the openpcap executable. For example, enter this command (syntax is openpcap <input_file> <output_file>): openpcap ethernet.cap ether1.cap You are prompted for a password. openpcap...
  • Page 127: Viewing A Pcap File With Sniffer Pro

    Enter the password that you entered when you enabled packet capture (see “Enabling packet capture on a VPN Router” on page Note: If you plan to use Sniffer Pro to view the capture file, go to the next section, From the open Ethereal window, disable Enable network name resolution. If this parameter is enabled, a large PCAP file takes a long time to open because every address captured tries to perform name address resolution.
  • Page 128: Deleting Capture Objects And Disabling Packet Capture

    Any capture data that you saved in a file remains stored on the disk until you explicitly delete the file (see “Enabling packet capture on a VPN Router” on page 111).
  • Page 129 To delete a packet capture object: Display all configured capture objects on the VPN Router to locate the object or objects that you want to delete. show capture CES# Name Type test-fast ETHERNET test-filter-in ETHERNET test-raw-ip GLOBAL test-remote-ip TUNNEL test-trigger ETHERNET trigger test-user...
  • Page 131: Mib Support

    Appendix A MIB support The VPN Router supports the management information base (MIB) for use with network management protocols in TCP/IP-based Internets and TCP/IPX-based networks. The VPN Router supports SNMP Gets only. It does not support SNMP Sets. Nortel also provides proprietary MIBs for the VPN Router’s SNMP trap support. The MIBs, cestraps.mib and newoak.mib, are available on the VPN Router distribution CD in the Doc directory.
  • Page 132: Rfc 1724-Rip Version 2 Mib Extension

    RFC, it “describes a Management Information Base (MIB) used for managing tunnels of any type over IPv4 networks, including GRE [16,17], IP-in-IP [18], Minimal Encapsulation [19], L2TP [20], PPTP [21], L2F [25], UDP (e.g., [26]), ATMP [22], and IPv6-in-IPv4 [27] tunnels.”
  • Page 133: Rfc 2787-Vrrp Mib

    RFC 2787—VRRP MIB The VPN Router supports RFC 2787, Definitions of Managed Objects for the Virtual Router Redundancy Protocol. As stated in the introduction, RFC 2787 “defines an extension to the Management Information Base (MIB) for use with SNMP-based network management. In particular, it defines objects for configuring, monitoring, and controlling routers that employ the Virtual Router Redundancy Protocol (VRRP).”...
  • Page 134: Rfc 1573-Ianaiftype Mib

    The VPN Router does not support the following groups or objects: • hrSystem Group — hrSystemInitialLoadDevice — hrSystemInitialLoadParameters — hrSystemNumUsers — hrSystemProcesses — hrSystemMaxProcesses • hrStorage Group hrStorageAllocationFailures • hrDevice Group — hrDevice Table hrDeviceErrors
  • Page 135: Rfc2495-Ds1 Mib

    — hrNetworkTable — hrPrinterTable — hrDiskStorageTable hrDiskStorageCapacity — hrPartitionTable hrPartitionSize — hrFSTable hrFSLastFullBackupDate hrFSLastPartialBackupDate • hrSWRun Group hrSWRun • hrSWRunPerf Group hrSWRunPerf • hrSWRunTable — hrSWRunIndex — hrSWRunName — hrSWRunType — hrSWRunStatus — hrSWRunPriority • hrSWRunPerfTable — hrSWRunPerfCPU RFC2495—DS1 MIB These objects are used with a DS1/E1/DS2/E2 interface.
  • Page 136: Rfc2863 Interface Mib (64 Bit Counters Support)

    3. The third index is the size of the ping request. If it is not specified or is an invalid value then it defaults to 1024. VPN Router MIB provides trap acknowledgement.
  • Page 137: Cestraps.mib-Nortel Proprietary Mib

    -- defined in [9], and the TRAP-TYPE macro as defined in [10]. contivity ContivitySnmpTraps OBJECT-TYPE SYNTAX ACCESS STATUS DESCRIPTION "Nortel Networks Inc's Enterprise trap." ::= {contivity 1} -- Trap #5006 --------------------------------- antiSpoofingStatus OBJECT-TYPE SYNTAX DisplayString ACCESS read-only STATUS mandatory DESCRIPTION "Status of Anti Spoofing Feature.
  • Page 138 -- The third should never happen, but means the status has been set to a bogus value. " ::= {serviceCESTrapInfo 6} antiSpoofingStatusTrap TRAP-TYPE ENTERPRISE serviceCESTrapInfo VARIABLES { severityLevel, antiSpoofingStatus, systemName,systemDate, systemTime, systemUpTime DESCRIPTION "Status of Anti Spoofing Feature" ::= 5006
  • Page 139: Newoak.mib

    OBJECT IDENTIFIER ::= {newoak 9} defined in [9], and the TRAP-TYPE macro as defined in OBJECT IDENTIFIER ::= { enterprises 2505 } MODULE-IDENTITY LAST-UPDATED "0004252130Z" ORGANIZATION "Nortel Networks,Inc." CONTACT-INFO "support@nortelnetworks.com Postal: Nortel Networks,Inc. 80 Central St. Boxboro, MA 01719...
  • Page 140: Hardware-Related Traps

    DESCRIPTION "Status of any LAN cards on the system." ::= {hardwareTrapInfo 4} -- Trap #1005 CPUtwoStatus OBJECT-TYPE SYNTAX ACCESS STATUS DESCRIPTION "Status of second CPU." ::= {hardwareTrapInfo 5} -- Trap #1006 fanOneStatus OBJECT-TYPE SYNTAX DisplayString read-only DisplayString read-only mandatory DisplayString read-only mandatory DisplayString read-only mandatory...
  • Page 141 ACCESS read-only STATUS mandatory DESCRIPTION "Status of the first CPU fan." ::= {hardwareTrapInfo 6} -- Trap #1007 fanTwoStatus OBJECT-TYPE SYNTAX DisplayString ACCESS read-only STATUS mandatory DESCRIPTION "Status of the second CPU fan." ::= {hardwareTrapInfo 7} -- Trap #1008 chassisFanStatus OBJECT-TYPE SYNTAX DisplayString ACCESS...
  • Page 142 DESCRIPTION "Status of normal temperature reading." ::= {hardwareTrapInfo 16} -- Trap #10017 criticalTemperature OBJECT-TYPE SYNTAX ACCESS STATUS DESCRIPTION "Status of critical temperature reading." ::= {hardwareTrapInfo 17} -- Trap #10018 chassisIntrusion OBJECT-TYPE SYNTAX read-only mandatory DisplayString read-only mandatory DisplayString read-only mandatory DisplayString read-only mandatory...
  • Page 143 ACCESS read-only STATUS mandatory DESCRIPTION "The chassis intrusion sensor indicates that the unit has been opened." ::= {hardwareTrapInfo 18} -- Trap #10019 dualPowerSupply OBJECT-TYPE SYNTAX DisplayString ACCESS read-only STATUS mandatory DESCRIPTION "Status of the redundant power supplies." ::= {hardwareTrapInfo 19} -- Trap #10020 t1WANStatus OBJECT-TYPE SYNTAX...
  • Page 144: Server-Related Traps

    DESCRIPTION "Status of Internal LDAP Server." ::= {serverTrapInfo 4} -- Trap #3005 LoadBalancingServer OBJECT-TYPE SYNTAX ACCESS STATUS DESCRIPTION "Status of Load Balancing Server." ::= {serverTrapInfo 5} -- Trap #3006 DNSServer OBJECT-TYPE SYNTAX DisplayString read-only mandatory DisplayString read-only mandatory DisplayString read-only mandatory DisplayString read-only...
  • Page 145 ACCESS read-only STATUS mandatory DESCRIPTION "Status of DNS Server." ::= {serverTrapInfo 6} -- Trap #3007 SNMPServer OBJECT-TYPE SYNTAX DisplayString ACCESS read-only STATUS mandatory DESCRIPTION "Status of SNMP Server." ::= {serverTrapInfo 7} -- Trap #3008 IPAddressPool OBJECT-TYPE SYNTAX DisplayString ACCESS read-only STATUS mandatory DESCRIPTION "Status of the IP address pool."...
  • Page 146: Software-Related Traps

    DESCRIPTION "Status of internal firewall." ::= {softwareTrapInfo 2} Login-related traps loginTrapInfo OBJECT IDENTIFIER ::= {ContivitySnmpTraps 4} -- Trap #101 failedLogin OBJECT-TYPE SYNTAX ACCESS STATUS DESCRIPTION "Failed Login Attempt." ::= {loginTrapInfo 1} DisplayString read-only mandatory DisplayString read-only mandatory DisplayString read-only mandatory...
  • Page 147: Intrusion-Related Traps

    Intrusion-related traps intrusionTrapInfo OBJECT IDENTIFIER ::= {ContivitySnmpTraps 5} -- Trap #201 securityIntrusion OBJECT-TYPE SYNTAX DisplayString ACCESS read-only STATUS mandatory DESCRIPTION "Login Security Intrusion." ::= {intrusionTrapInfo 1} System-related traps -- Trap #401 powerUpTrap OBJECT-TYPE SYNTAX DisplayString ACCESS read-only STATUS mandatory DESCRIPTION "Power Up." ::= {ContivitySnmpTraps 6} -- Trap #601 periodicHeartbeat OBJECT-TYPE...
  • Page 148: Information Passed With Every Trap

    SYNTAX ACCESS STATUS DESCRIPTION "System Time." ::= {ContivitySnmpTraps 10} systemUpTime OBJECT-TYPE SYNTAX ACCESS STATUS DESCRIPTION "System Up Time." ::= {ContivitySnmpTraps 11} ACCESS read-only STATUS mandatory DESCRIPTION "Severity of specific trap." ::= {ContivitySnmpTraps 7} DisplayString read-only mandatory DisplayString read-only mandatory...
  • Page 149: Table 3 Trap Categories

    Table 3 provides trap categories and explanations. Table 3 Trap categories Hardware 1.3.6.1.4.1.2505.1.1.0.1001 1.3.6.1.4.1.2505.1.1.0.1002 1.3.6.1.4.1.2505.1.1.0.1003 1.3.6.1.4.1.2505.1.1.0.1004 1.3.6.1.4.1.2505.1.1.0.1005 1.3.6.1.4.1.2505.1.1.0.1006 1.3.6.1.4.1.2505.1.1.0.1007 1.3.6.1.4.1.2505.1.1.0.1008 1.3.6.1.4.1.2505.1.1.0.1009 1.3.6.1.4.1.2505.1.1.0.10010 1.3.6.1.4.1.2505.1.1.0.10011 1.3.6.1.4.1.2505.1.1.0.10012 1.3.6.1.4.1.2505.1.1.0.10013 1.3.6.1.4.1.2505.1.1.0.10014 1.3.6.1.4.1.2505.1.1.0.10015 1.3.6.1.4.1.2505.1.1.0.10016 1.3.6.1.4.1.2505.1.1.0.10017 1.3.6.1.4.1.2505.1.1.0.10018 1.3.6.1.4.1.2505.1.1.0.10019 1.3.6.1.4.1.2505.1.1.0.10020 1.3.6.1.4.1.2505.1.1.0.10021 1.3.6.1.4.1.2505.1.1.0.10022 Server 1.3.6.1.4.1.2505.1.2.0.3001 1.3.6.1.4.1.2505.1.2.0.3002 1.3.6.1.4.1.2505.1.2.0.3003 1.3.6.1.4.1.2505.1.2.0.3004 1.3.6.1.4.1.2505.1.2.0.3005 1.3.6.1.4.1.2505.1.2.0.3006 hardDisk1StatusTrap hardDisk0StatusTrap...
  • Page 150: Table 4 Vpn Router Traps Mib Descriptions

    Standard / Proprietary Proprietary 1.3.6.1.4.1.2505.1.1.0.1001 Proprietary 1.3.6.1.4.1.2505.1.1.0.1002 Proprietary 1.3.6.1.4.1.2505.1.1.0.1003 Proprietary 1.3.6.1.4.1.2505.1.1.0.1004 Proprietary 1.3.6.1.4.1.2505.1.1.0.1005 Proprietary 1.3.6.1.4.1.2505.1.1.0.1006 Proprietary 1.3.6.1.4.1.2505.1.1.0.1007 Proprietary 1.3.6.1.4.1.2505.1.1.0.1008 snmpServerTrap ipAddressPoolTrap extLDAPServerTrap radiusAuthServerTrap certificateServerTrap netBuffersTrap FireWallTrap FipsStatusTrap FailedLoginTrap SecurityIntrusionTrap PowerUpTrapEntry PeriodicHeartbeatTrap Name Description hardDisk1StatusTrap Hard Disk Number 1 Status. hardDisk0StatusTrap Hard Disk Number 0 Status.
  • Page 151 Table 4 VPN Router traps MIB descriptions Proprietary 1.3.6.1.4.1.2505.1.1.0.1009 Proprietary 1.3.6.1.4.1.2505.1.1.0.10010 fiveVoltsMinusTrap Proprietary 1.3.6.1.4.1.2505.1.1.0.10011 threeVoltsPositiveTrap Proprietary 1.3.6.1.4.1.2505.1.1.0.10012 twoDotFiveVATrap Proprietary 1.3.6.1.4.1.2505.1.1.0.10013 twoDotFiveVBTrap Proprietary 1.3.6.1.4.1.2505.1.1.0.10014 twelveVoltsPositveTrap Proprietary 1.3.6.1.4.1.2505.1.1.0.10015 twelveVoltsMinsTrap Proprietary 1.3.6.1.4.1.2505.1.1.0.10016 normalTemperatureTrap Proprietary 1.3.6.1.4.1.2505.1.1.0.10017 criticalTemperatureTrap Proprietary 1.3.6.1.4.1.2505.1.1.0.10018 chassisIntrusionTrap Proprietary 1.3.6.1.4.1.2505.1.1.0.10019 dualPowerSupplyTrap fiveVoltsPosStatusTrap Status of the +5 Volt power.
  • Page 152 Table 4 VPN Router traps MIB descriptions Proprietary 1.3.6.1.4.1.2505.1.1.0.10020 t1WANStatusTrap Proprietary 1.3.6.1.4.1.2505.1.1.0.10021 t3WANStatusTrap Status of T1 WAN card(s); Possible values for Wanic: Alert: Invalid Device X. Warning: Device WanicX disabled. Alert: Device WanicX down. Warning: Device WanicX not initialized.
  • Page 153 Table 4 VPN Router traps MIB descriptions Proprietary 1.3.6.1.4.1.2505.1.1.0.10022 hwAccelTrap Proprietary 1.3.6.1.4.1.2505.1.1.0.10023 heartBeat Status of hardware accelerator card. Possible Values: Invalid hardware accelerator unit Unknown hardware accelerator unit %d. Healthy: Bulk Accelerator in slot %d: Unit %d Status 1— ATTACHED. Warning: Bulk Accelerator in slot %d: Unit %d Status 2—...
  • Page 154 Table 4 VPN Router traps MIB descriptions Proprietary 1.3.6.1.4.1.2505.1.1.0.10024 v90WANStatusTrap Proprietary 1.3.6.1.4.1.2505.1.1.0.10025 briWANStatusTrap Status of V.90 Interface card. Possible Values: Please note that X corresponds to the unit number of the card. Alert: V.90 Invalid index X. Disabled: Device IntModem-X disabled.
  • Page 155 Table 4 VPN Router traps MIB descriptions Proprietary 1.3.6.1.4.1.2505.1.1.0.10026 serUartStatusTrap Proprietary 1.3.6.1.4.1.2505.1.1.0.10027 adslWANStatusTrap Proprietary 1.3.6.1.4.1.2505.1.2.0.3001 Proprietary 1.3.6.1.4.1.2505.1.2.0.3002 Proprietary 1.3.6.1.4.1.2505.1.2.0.3003 Proprietary 1.3.6.1.4.1.2505.1.2.0.3004 Status of Serial (COM) port/ interface. Possible Values: Please note that X corresponds to the unit number of the serial interface.
  • Page 156 Proprietary 1.3.6.1.4.1.2505.1.2.0.3009 Proprietary 1.3.6.1.4.1.2505.1.2.0.30010 radiusAuthServerTrap Proprietary 1.3.6.1.4.1.2505.1.2.0.30011 certificateServerTrap Proprietary 1.3.6.1.4.1.2505.1.2.0.30012 extLDAPAuthServerTrap Proprietary 1.3.6.1.4.1.2505.1.2.0.30013 cmpServerTrap loadBalancingServerTrap Status of Load Balancing Server. dnsServerTrap Status of DNS Server. snmpServerTrap Status of SNMP Server. ipAddressPoolTrap Status of the IP address pool. extLDAPServerTrap Status of External LDAP Server.
  • Page 157 Table 4 VPN Router traps MIB descriptions Proprietary 1.3.6.1.4.1.2505.1.2.0.30014 dhcpServerTrap Proprietary 1.3.6.1.4.1.2505.1.3.0.5001 Proprietary 1.3.6.1.4.1.2505.1.3.0.5002 Proprietary 1.3.6.1.4.1.2505.1.3.0.5003 Proprietary 1.3.6.1.4.1.2505.1.3.0.5004 Proprietary 1.3.6.1.4.1.2505.1.3.0.5005 Proprietary 1.3.6.1.4.1.2505.1.3.0.5006 Status of DHCP Server. Possible Values: Disabled: DHCP Server is Disabled. Alert: DHCP Server is NOT configured. Alert: DHCP Server is configured and operational, Using backup config.
  • Page 158 Table 4 VPN Router traps MIB descriptions Proprietary 1.3.6.1.4.1.2505.1.3.0.5007 Proprietary 1.3.6.1.4.1.2505.1.4.0.101 Proprietary 1.3.6.1.4.1.2505.1.5.0.201 Standard 1.3.6.1.2.1.11.0.0 sslVpnStatusTrap Status of SSL-VPN Accelerator. Possible Values: Disabled: Disabled—The unit is administratively disabled. Disabled: HW not installed— There is no SSL-VPN Accelerator installed. Warning: Initialization in progress—The unit is being...
  • Page 159 Table 4 VPN Router traps MIB descriptions Standard 1.3.6.1.2.1.11.0.2 linkDown A linkDown trap signifies that the sending protocol entity recognizes a failure in one of the communication links represented in the agent's configuration. Varbind list: ifIndex—ifIndex of the interface.
  • Page 160 Table 4 VPN Router traps MIB descriptions Standard 1.3.6.1.2.1.11.0.3 linkUp A linkUp trap signifies that the sending protocol entity recognizes that one of the communication links represented in the agent's configuration is up. Varbind list: ifIndex—ifIndex of the interface.
  • Page 161 Table 4 VPN Router traps MIB descriptions Standard 1.3.6.1.2.1.11.0.5 Proprietary 1.3.6.1.4.1.2505.1.14.3.0.1 authenticationFailure An authenticationFailure trap signifies that the SNMPv2 entity, acting in an agent role, received a protocol message that is not properly authenticated. The snmpEnableAuthenTraps object indicates whether this trap is generated.
  • Page 162 Table 4 VPN Router traps MIB descriptions Standard 1.3.6.1.2.1.11.0.2 linkDown A linkDown trap signifies that the sending protocol entity recognizes a failure in one of the communication links represented in the agent's configuration. Varbind list: ifIndex—ifIndex of the interface.
  • Page 163 Table 4 VPN Router traps MIB descriptions Standard 1.3.6.1.2.1.11.0.3 linkUp A linkUp trap signifies that the sending protocol entity recognizes that one of the communication links represented in the agent's configuration is up. Varbind list: ifIndex—ifIndex of the interface ifAdminStatus—ifAdminStatus of the interface.
  • Page 164 Table 4 VPN Router traps MIB descriptions Standard 1.3.6.1.2.1.11.0.5 Proprietary 1.3.6.1.4.1.2505.1.14.3.0.1 authenticationFailure An authenticationFailure trap signifies that the SNMPv2 entity, acting in an agent role, received a protocol message that is not properly authenticated. The snmpEnableAuthenTraps object indicates whether this trap is generated.
  • Page 165: Appendix B Using Serial Ppp

    Appendix B Using serial PPP You use Serial Point-to-Point Protocol (PPP) to manage the VPN Router from a remote location using PPP and the serial interface. If the VPN Router becomes unreachable over the Internet, you can still dial up and manage it through the serial interface menu.
  • Page 166: Setting Up A Dial-Up Networking Connection

    10 Do not configure Scripting and Multilink. 11 Click Configure the client modem, and use the following settings: • 8 data bits • 1 stop bit • No parity • Hardware flow control Do not choose Log On to Network if the selection appears.
  • Page 167: Setting Up The Modem

    Setting up the modem The following procedure assumes that you are using a 3Com/US Robotics 56K x2 modem. It describes how to set up a modem to communicate with the VPN Router using a dial-up networking connection. Table 5 DIP switch configuration Parameter Data Terminal Ready Verbal Result Codes...
  • Page 168 A sample 3Com/US Robotics 56K modem initialization string that instructs the external modem to connect at 19,200 Kb/s is ATZAT&B1AT&N10. Click Reset to reset the port to the selected baud rate and apply any other modem changes.
  • Page 169: Dialing In To The Vpn Router

    Dialing in to the VPN Router Use the standard dial-up networking procedure to connect to the VPN Router. After connecting, you can then manage the VPN Router using either Telnet (for the command line interface) or the browser-based GUI. Use the VPN Router’s management IP address for the Telnet session or the browser’s destination URL.
  • Page 170 Menu itself. For these changes to take effect, restart the VPN Router. For the best results, connect the modem while the VPN Router is turned off. Cause: You are using a dial-up serial PPP connection and you encounter repeated CRC errors.
  • Page 171: Ppp Option Settings

    Action: Make sure that the modem that is connected to the VPN Router has hardware flow control enabled. PPP option settings The following settings describe the VPN Router’s behavior when negotiating serial PPP. For IP: • IP Address negotiation is enabled. •...
  • Page 173: Appendix C System Messages

    Appendix C System messages System forwarding (syslog) uses the system logging daemon (syslogd) to forward information from the VPN Router system log to different host machines. This appendix provides a listing of possible syslog messages that the VPN Router can write to a remote system. A description and the recommended corrective action, if any, follows each message.
  • Page 174 SSL-related certificates were tampered with, or that a certificate is corrupted. Action: Delete, then reinstall any SSL-related certificates. You do not need to delete and reinstall the tunnel-related certificates, since the LDAP database stores them rather than the local file system.
  • Page 175: Isakmp Messages

    Manually verify the tunnel-related certificate fingerprints. Perform this procedure any time you suspect tampering. ISAKMP messages ISAKMP [13] No proposal chosen in message from xxx (a.b.c.d) In many cases, a Session:IPsec message precedes the ISAKMP message. If the Session:IPsec message indicates an error, then the Session message describes the cause and required action.
  • Page 176 Description: No encryption types are enabled for the account in question. Action: Enable the desired encryption types. Description: The requested authentication method (for example, RSA Digital Signature) is not enabled. Action: Enable all required authentication types. Make sure the unneeded types are disabled.
  • Page 177 ISAKMP [13] Error notification (Authentication failure) received from xxx (a.b.c.d) Description: A VPN Client attempted to connect, but the user supplied the wrong password. Action: Make sure that the user and the VPN Router have the same password. Description: A remote branch office rejected your VPN Router’s attempt to authenticate.
  • Page 178: Branch Office Messages

    Action: Configure both sides to have matching local and remote network definitions. Branch office messages Couldn't install route for remxxx@xxx Description: The VPN Router cannot install the route for the remote network (indicated by remxxx@xxx). This happens when the route collides with an existing static route.
  • Page 179: Ssl Messages

    Action: Remove the existing static route or change the route for the remote network to be a subset or superset of the static route. SSL messages Checking chain: invalid parent cert, xxx Description: The given certificate in the chain is not valid. This indicates that the certificate installed at the external LDAP server is expired or is invalid in some other way.
  • Page 180: Database Messages

    LDIF file. LDIF file: xxx could not back up Description: The internal LDAP server database cannot be backed up to the specified LDIF file. This happens if the name of the LDIF file is not in 8.3 format.
  • Page 181: Security Messages

    Action: Make sure the backup file has an 8.3 file name. LDIF file: could not restore xxx Description: The internal LDAP server database cannot be restored from the specified LDIF file. This indicates that the LDIF file does not exist. Action: Choose an LDIF file that currently resides on the VPN Router disk.
  • Page 182 Action: Start the LDAP server or change the external LDAP server configuration to make it accessible. Security: store new system name xxx failed—xxx Description: The system name cannot be stored in the VPN Router configuration LDAP entry. This can indicate that the LDAP server is not accessible.
  • Page 183 Action: Start the LDAP server, or change the external LDAP server configuration to make it accessible. Security: store new system subnet mask xxx failed—xxx Description: The system subnet mask cannot be stored in the VPN Router configuration LDAP entry.
  • Page 184 Description: The external LDAP server does not support a schema entry so it is not possible to update its schema over the network. This error occurs if the external LDAP server does not support the cn=schema entry. Action: Update the external LDAP server schema manually, then reconnect to it.
  • Page 185 xxx xxx being referenced by xxx Description: The LDAP entry is referenced by another LDAP entry (for example, a filter set referenced by a User Group or Branch Office Connection). Action: Remove all references to the LDAP entry in question, then delete the entry.
  • Page 186 The call admission priority slot is full. • The call admission priority slot is outside of access hours. • The max links configured for the group is reached. Action: Verify the correct settings for each of the possible causes.
  • Page 187 Session: xxx[xxx]:xxx IP address assignment failed Description: An address cannot be assigned to the session. This occurs if the static address for the session is in use or if the address pool is exhausted. Action: Expand the number of addresses in the pool, or change the static address on the account.
  • Page 188 Description: The VPN Router does not have any more slots for the session's call admission priority. This indicates that the configured Call Admission Priority for the group that the request is assigned to is too low. Action: Increase the Call Admission Priority on the Profiles > Groups > Edit > Connectivity window.
  • Page 189 Session: xxx[xxx]:xxx invalid password—master admin authentication failed Description: The primary administrator password is invalid. This results from using the wrong password or from making a mistake while typing the password. Action: Make sure you are using the correct password, and make sure you typed it correctly.
  • Page 190 Description: The VPN Router reached its maximum number of sessions. This occurs when the VPN Router reaches the maximum number of configurable tunnels. Action: Use load balancing with another VPN Router (if you are using IPsec clients), or upgrade the VPN Router to the next higher model. NN46110-602...
  • Page 191: RADIUS Accounting Messages

    RADIUS accounting messages RADIUS: Cannot send accounting request to <server-name>, possibly due to DNS translation failure Description: This message indicates a connection failure. While sending a request, an error occurred due to a socket creation problem. This usually indicates a DNS resolution problem. Action: Verify the following: •...
  • Page 192 Action: Retry the authentication attempt and verify that RADIUS server packets are properly formed. Non-matching ID in server response Description: This message indicates that an invalid response was received. The Transaction ID in the response packet is not the expected value.
  • Page 193 Action: Retry the authentication attempt and verify that RADIUS server packets are properly formed. Unsupported response type (<number>) received from server Description: This message indicates that an invalid response was received. The response packet type is not one of the expected types: Access-Accept, Access-Reject, or Access-Challenge.
  • Page 194: RADIUS Authentication Messages

    Description: This message indicates a connection failure. The connection timed out while waiting for a response. Action: Verify the following:
    • RADIUS server’s IP address and port number are correct
    • RADIUS server is available
    • Shared secret is correct
  • Page 195 RADIUS: <server-name> server timed out authenticating <user-name> Description: This message indicates a connection failure. The connection timed out while waiting for a response. Action: Verify the following:
    • RADIUS server’s IP address and port number are correct
    • RADIUS server is available
    • ...
  • Page 196 Action: Retry the authentication attempt and verify that RADIUS server packets are properly formed. Invalid reply digest from server, possible shared secret mismatch Description: This message indicates that an invalid response was received. The computed authenticator does not match the value in the packet.
  • Page 197 Action: Verify that the shared secrets match. RADIUS: <server-name> sent packet with invalid response authenticator for <user-name> Description: This message indicates that an invalid response was received. The computed authenticator does not match the value in the packet. Action: Verify that the shared secrets match.
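    Added example (not from the Nortel manual): a Python check that reproduces the three RADIUS reply validations the messages above describe, namely the identifier match, the expected response type, and the Response Authenticator digest defined in RFC 2865 section 3, run over a constructed Access-Accept. The shared secret, identifier, Request Authenticator and Reply-Message attribute are sample values chosen for the example.

```python
import hashlib
import hmac
import struct

# RADIUS codes (RFC 2865) that are valid replies to an Access-Request
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
EXPECTED_REPLY_CODES = {ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE}
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def response_authenticator(code, identifier, attributes, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_reply(code, identifier, attributes, request_auth, secret):
    """Build a reply packet the way a RADIUS server would (used here only to construct samples)."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return header + auth + attributes


def check_reply(reply, expected_id, request_auth, secret):
    """Validate a server reply; return 'ok' or the matching VPN Router message text."""
    if len(reply) < HEADER_LEN:
        return "malformed packet (shorter than RADIUS header)"
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return "malformed packet (length field mismatch)"
    if identifier != expected_id:                       # Transaction ID check
        return "Non-matching ID in server response"
    if code not in EXPECTED_REPLY_CODES:                # response type check
        return f"Unsupported response type ({code}) received from server"
    expected = response_authenticator(code, identifier, reply[HEADER_LEN:], request_auth, secret)
    if not hmac.compare_digest(expected, reply[4:HEADER_LEN]):   # digest check
        return "Invalid reply digest from server, possible shared secret mismatch"
    return "ok"


# Constructed sample exchange (not a real capture): the client sent Access-Request ID 7
REQUEST_ID = 7
REQUEST_AUTH = bytes(range(16))                 # 16-byte Request Authenticator chosen for the sample
SECRET = b"constructed-shared-secret"
REPLY_MSG = b"Welcome"
ATTRIBUTES = struct.pack("!BB", 18, 2 + len(REPLY_MSG)) + REPLY_MSG   # Reply-Message (type 18)
GOOD_REPLY = build_reply(ACCESS_ACCEPT, REQUEST_ID, ATTRIBUTES, REQUEST_AUTH, SECRET)
```

    A reply that passes the identifier and type checks but fails only the digest check is the signature of a shared secret mismatch, which is why the Action for those messages is to compare secrets rather than network settings.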
  • Page 198: Routing Messages

    Action: Disable and enable OSPF globally in the Routing > OSPF window. If this does not work, disable OSPF, boot the VPN Router, and enable OSPF in the Routing > OSPF window. OSPF Disabled Description: The administrator disabled OSPF from the Routing > OSPF window.
  • Page 199 Action: No action required. Closing OSPF-RTM connection Description: OSPF closed the RTM connection, which occurs if the administrator disables OSPF from the Routing > OSPF window. Action: No action required. Ospf_Global.State changed from ENABLED to DISABLED by user 'admin' @ x.x.x.x Description: The administrator disabled OSPF from the Routing >...
  • Page 200 Description: Logged when VRRP is starting as a master for an address. The parameters are:
    • The VRID of this VR
    • The reason for starting, either because it was enabled or the interface went up
    • The IP address
    Action: No action required.
  • Page 201 VR xxx: Starting xxx as Backup for xxx Description: Logged when starting as a backup for an address. The parameters are:
    • The VRID of this VR
    • The reason for starting, either because it was enabled or the interface went up
    • ...
  • Page 202 Description: Logged when there is not enough memory to allocate RIP parameters. Action: No action required. RIP xxx: Circuit xxx created Description: Logged when the RIP circuit is created. The parameter stands for circuit ID. Action: No action required.
  • Page 203 RIP xxx: Circuit xxx deleted Description: Logged when the RIP circuit is deleted. The parameter stands for circuit ID. Action: No action required. RIP xxx: Unable to register with UDP Description: Logged when RIP cannot register with the UDP protocol. Action: No action required.
  • Page 204: Hardware Messages

    Interface [nnn] replaced, resetting config Description: This indicates that the card type specified in the configuration file does not match the card type currently in the slot. The configuration information is reset to defaults, then initialized with the current hardware. Action: No action required.
  • Page 205 Interface [nnn] replaced, deleting from config Description: This indicates that the card type specified in the configuration file does not match the card currently in the slot. The interface is deleted from the configuration. This applies when the replaced card has more ports than the current card.
  • Page 207: Configuring For Interoperability

    Appendix D Configuring for interoperability This chapter explains the requirements and procedures for setting up different vendor hardware or software to interoperate with the VPN Router. You can use these instructions to establish encrypted tunnels to and from the VPN Router with the noted vendors.
  • Page 208: Figure 11 VPN Router And Cisco 2514 Network Topology

    Figure 11 VPN Router and Cisco 2514 network topology
  • Page 209 The following is a show config command:
    Cisco2514# show config
    Using 1088 out of 32762 bytes
    version 11.3
    no service password-encryption
    hostname Cisco2514
    enable secret 5 $1$aSJB$Xz/o4I4IqCY.FT2RH372/1
    enable password password
    crypto isakmp policy 1
     hash md5
     authentication pre-share
     lifetime 3000
    crypto isakmp key test address 8.1.10.42
    crypto ipsec transform-set esp1 esp-des esp-md5-hmac
    crypto map bay 11 ipsec-isakmp
    ...
  • Page 210: Configuring The VPN Router For Cisco Interoperability

    Profiles > Groups > IPsec: Configure window. Create and configure the IPsec branch office connection on the VPN Router, using the network profile you just created for the local accessible network. On the Profiles > Branch Office window, enable IPsec Authentication: Text Pre-Shared Key.
  • Page 211: Configuring The SafeNet/Soft-PK Security Policy Database Editor, Version 1.0s

    Configuring the SafeNet/Soft-PK Security Policy Database Editor, Version 1.0s To set up the VPN Router to establish encrypted tunnel connections with the IRE Soft-PK Security Policy Client as illustrated in Figure 12, configure the windows as described on the following pages. Figure 12 VPN Router and IRE SafeNet network topology
  • Page 212: Connecting To IRE SafeNet/Soft-PK Security Policy Client

    For Connection Security, click Secure. Under Remote Party Identity and Addressing, select the following:
    • ID Type: IP Subnet
    • Subnet: 10.18.0.0
    • Mask: 255.255.0.0
    • Protocol: All
    Under Connect using Secure Gateway Tunnel, select the following:
    • ID Type: IP Address
  • Page 213
    • 8.1.10.42
    The SafeNet/Soft-PK Security Policy Editor dialog box appears. Click My Identity to configure the SafeNet client, and select the following:
    • Select Certificate: None
    • ID Type: IP Address
    • Port: All
    Click Pre-Shared Key. The Pre-Shared Key dialog box appears. In the Pre-Shared Key dialog box, click Enter Key, then enter the preshared key.
  • Page 214 The SafeNet/Soft-PK Security Policy Editor dialog box appears.
    10 From Security Policy: Select Phase 1 Negotiation Mode, click Main Mode.
    11 Click Enable Replay Detection.
    12 On the Authentication (Phase 1), Proposal 1, Authentication window, enable the following:
  • Page 215: Configuring The VPN Router For IRE Interoperability

    • Authentication Method: Pre-Shared key
    • Encrypt Alg: DES
    • Hash Alg: MD5
    • SA Life: Seconds and 3000 (Seconds)
    • Key Group: Diffie-Hellman Group 1
    13 On the Key Exchange (Phase 2), Proposal 1 window, enable the following:
    • Encapsulation Protocol (ESP)
    • ...
  • Page 216: Third-Party Client Installation

    LINUX* FreeS/WAN client. If you are using the FreeS/WAN LINUX client, you must configure your user and the VPN Router as a branch office tunnel. If you are using another client that supports IPsec Aggressive mode, you can configure your VPN Router as a user tunnel.
  • Page 217: Considerations For Using Third-Party Clients

    Considerations for using third-party clients There are several considerations regarding the use of third-party clients with VPN Router: • Client Dynamic Addressing—Many third-party clients now support the Aggressive mode method of establishing a security association. The advantage of Aggressive mode for remote user access is that, unlike Main mode, the VPN server does not authenticate the security association based on prior knowledge of the IP address of the user.
  • Page 218 Advanced Security features—The Nortel VPN Client tunnel only accepts packets originating from the machine on which it is loaded. If attempts are made to route packets through a VPN Client, the tunnel is closed. When non-split tunneling is enabled, only packets that have passed through the VPN...
  • Page 219: Configuring The VPN Router As A Branch Office Tunnel

    (are correctly decrypted, and authenticated) are accepted; other packets are dropped. If any attempt is made to change the station address of the client, the tunnel is automatically closed. Third-party clients do not necessarily have this security.
    • Tight integration with MS-DUN and IPASS—This allows one-click access that dials and authorizes the ISP connection and then creates the VPN connection automatically.
  • Page 220: Configuring The VPN Router As A User Tunnel

    This means that the client can establish IPsec security associations for all networks. If you do not enable split tunneling, you must enable the Allow undefined networks option. Figure 13 shows a network with a split tunneling environment.
  • Page 221: Figure 13 Split Tunneling Example

    Figure 13 Split tunneling example (network diagram: Public Data Network, Printer, Remote User)
    To configure the VPN Router as a user tunnel:
    1 Select Profiles > Groups and click Add.
    2 Enter a group name of up to 64 characters (spaces are permitted); for example, Research and Development.
    3 Click Edit next to the name of the new group, scroll down to the IPsec section, and click Configure.
  • Page 222: Configuring IPX

    The primary tasks of IPX are addressing, routing, and switching information packets from one location to another on a network. In a LAN-based client, the network interface card (NIC) provides network node addressing; in a tunneled environment, the VPN Router provides the network node addressing.
  • Page 223: IPX Client

    Network addresses form the basis of the IPX internetwork addressing scheme for sending packets between network segments. Every network segment of an internetwork is assigned a unique network address by which routers forward packets to their final destination network. On the VPN Router, all public interfaces are treated as a single network segment with a unique network address.
  • Page 224: Windows 95 And Windows 98

    VPN Router provides is 0000A100. In Figure 14, the private interface network address to the NetWare server is 00000B16 and the Frame Type is 802.3; similarly, the private interface network address to the Nortel Router is 00000C22 and the Frame Type is SNAP.
  • Page 225: Figure 14 IPX Topology

    Figure 14 IPX topology Note: The private LAN can also carry IP and IPX traffic simultaneously. The IP addresses are not shown in this figure.
  • Page 227: Index

    Index accounting data 40 records 38, 39 accounting log 38 active sessions 96 ActiveX Scripts 93 administrator settings 28 administrator privileges 27 authentication failed 74 background images 96 backups 52 branch office error messages 178 browser error messages 94 browsing delays 93 certificate error messages 173 cestraps.mib 137 color setting 96...
  • Page 228 37 display 96 historical event logging 35 HTTP 93 Hyperterminal 73 internal address pool 97 Internet Explorer 95 Internetwork Packet Exchange 222 ipconfig command 71 IPSec password 74 username 74 IPX 222 IPX client 223 ISAKMP error messages 175...
  • Page 229 NetBIOS 77, 83, 84, 88 Netscape Communicator 92 netstats command 71 NetWare client 224 Network Neighborhood 84 newoak.mib 139 Nortel Networks MIB 31 Novell intraNetWare client 224 Partial Backup 50 performance problems overview 70 solving 82 ping command 74, 77...
  • Page 230 69 PPTP connectivity 92 routing 98 toolbox 70 WAN link problems 79 upgrade 60 compressed image 64 upgrading software 94 verify interval 84 WAN interfaces display 80 WAN statistics manage 81 Web browser problems 92, 96 winipcfg command 71...