Isolating Faults; Common Errors - Avaya 2330/4134 Troubleshooting Manual

clear crypto ike sa [all | name]
When clearing SAs, it makes sense to clear the IPsec SAs before the IKE SAs. This is because
when you clear the IPsec SAs, that action will send a message through the IKE SA to the peer
that an IPsec SA is being deleted. But if you had cleared the IKE SA first, that message about
deleting an IPsec SA will have no channel to travel through.

Isolating faults

• Are the phase-I parameters mismatched? Phase-I negotiations must have matching
  parameters for:
  1. authentication-method
  2. Diffie-Hellman Group
  3. encryption-algorithm
  4. hash-algorithm
  5. lifetime
  6. pfs (on or off)
• Are the phase-II parameters mismatched? Phase-II negotiations must have matching
  parameters for:
  1. encryption-algorithm
  2. hash-algorithm
  3. mode (tunnel or transport)
  4. pfs group
• Is the firewall at fault? The firewalling requirements for VPN are:
  1. that the "internet" zone accept IKE packets in
  2. that the "internet" zone accept udp port 4500 in
  3. that the "corp" zone accept general traffic in from the far-end protected network.

Use the `debug firewall all` command to seek out error messages about dropping packets. Use
the `debug firewall packet` command to seek out which packets are entering / leaving the
firewall and VPN systems.
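The three checks above can be run mechanically against both peers' configurations before touching the router. The following is an added example, not code from the Avaya manual: it compares the phase-I and phase-II parameters of two peers using the manual's checklist and then verifies the three firewall requirements over a constructed policy. The dict layout, the key names (for instance `dh-group` for the Diffie-Hellman group) and the rule shape are assumptions of this example; that IKE runs on UDP 500 and NAT traversal on UDP 4500 is standard IKE behaviour.

```python
import ipaddress

# Parameters that must agree on both peers, following the checklist above.
PHASE1_PARAMS = ("authentication-method", "dh-group", "encryption-algorithm",
                 "hash-algorithm", "lifetime", "pfs")
PHASE2_PARAMS = ("encryption-algorithm", "hash-algorithm", "mode", "pfs-group")

# IKE itself uses UDP 500; NAT traversal moves IKE and ESP-in-UDP to UDP 4500.
REQUIRED_INTERNET_PORTS = (500, 4500)


def find_mismatches(local, remote, params):
    """Return (param, local_value, remote_value) for every parameter that differs.
    A parameter absent on one side shows up as None for that side."""
    return [(p, local.get(p), remote.get(p))
            for p in params if local.get(p) != remote.get(p)]


def _permits_udp_in(rule, zone, port):
    return (rule["zone"] == zone and rule["direction"] == "in"
            and rule["action"] == "permit" and rule.get("proto") == "udp"
            and rule.get("dst_port") == port)


def _permits_network_in(rule, zone, network):
    return (rule["zone"] == zone and rule["direction"] == "in"
            and rule["action"] == "permit" and "src" in rule
            and network.subnet_of(ipaddress.ip_network(rule["src"])))


def check_firewall(rules, far_end_network):
    """Return a list of problems with the firewall policy (empty when it is complete).
    `rules` is a constructed list of dicts; the shape is assumed, not the router's syntax."""
    problems = []
    for port in REQUIRED_INTERNET_PORTS:
        if not any(_permits_udp_in(r, "internet", port) for r in rules):
            problems.append(f'"internet" zone does not permit udp/{port} in')
    far_end = ipaddress.ip_network(far_end_network)
    if not any(_permits_network_in(r, "corp", far_end) for r in rules):
        problems.append(f'"corp" zone does not permit traffic in from {far_end}')
    return problems


def diagnose(local, remote, rules, far_end_network):
    """Run all three checks and return a dict of findings; empty lists mean no fault found."""
    return {
        "phase1": find_mismatches(local["phase1"], remote["phase1"], PHASE1_PARAMS),
        "phase2": find_mismatches(local["phase2"], remote["phase2"], PHASE2_PARAMS),
        "firewall": check_firewall(rules, far_end_network),
    }


# Constructed sample data: the remote peer has pfs off in phase I and transport mode in
# phase II, and the firewall policy lacks the udp/4500 rule.
LOCAL = {
    "phase1": {"authentication-method": "pre-share", "dh-group": 14,
               "encryption-algorithm": "aes256", "hash-algorithm": "sha256",
               "lifetime": 86400, "pfs": "on"},
    "phase2": {"encryption-algorithm": "aes256", "hash-algorithm": "sha256",
               "mode": "tunnel", "pfs-group": 14},
}
REMOTE = {
    "phase1": dict(LOCAL["phase1"], pfs="off"),
    "phase2": dict(LOCAL["phase2"], mode="transport"),
}
RULES = [
    {"zone": "internet", "direction": "in", "proto": "udp", "dst_port": 500, "action": "permit"},
    {"zone": "corp", "direction": "in", "src": "10.20.0.0/16", "action": "permit"},
]
FAR_END_NETWORK = "10.20.5.0/24"

if __name__ == "__main__":
    for section, findings in diagnose(LOCAL, REMOTE, RULES, FAR_END_NETWORK).items():
        print(section, "OK" if not findings else findings)
```

Feed it the values read from each peer's running configuration; a non-empty list under `phase1` or `phase2` points at the parameter to fix before any further debugging, and the `firewall` list names which of the three required permits is missing.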

Common errors

• Lack of a firewall policy on the "internet" side to allow IKE in.
• Mismatching some parameters of phase-I or phase-II. Read through those log events.
• If you are using a traffic generator to test your setup, be sure to send well-formed UDP
  packets.
• Misconfiguring the `match address` line. The format of the `match address` line gives the
source subnet and the destination subnet. If you "reverse the polarity" you will never start
IKE if you are the initiator, or fail in phase-II if you are the responder.
• Attempting to load a certificate when clocks differ. If you wish to use PKI signature-based
  authentication in IKE, you must first configure a `ca trustpoint` with private key(s)
  and certificates. That is quite a tricky process unto itself, and the most common problem
  is when you get a new certificate issued from a CA but cannot successfully import it into
  your box. The most likely cause is a mismatch between the date/time on your Secure Router
  clock and the CA clock, which causes the Secure Router to believe that the certificate is
  not yet valid.
• Getting lost debugging a stale SA. As you work to bring up your first VPN session, you
may go through several configuration attempts and trials. Some of these may partially
succeed, leaving phase-I SAs in place or partially formed phase-II SAs in place. Each
Troubleshooting: Troubleshooting VPN, August 2013, page 207
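The `match address` polarity error in the list above is easy to catch by comparing the two ends' selectors, since the responder's line must be the initiator's with source and destination swapped. The following is an added example, not code from the manual: it parses a constructed `match address <source> <destination>` line (the source-first order is what the manual states; the exact line syntax is an assumption), reports whether the two ends mirror each other, and shows whether a given packet at the initiator would fall inside its selector and so trigger IKE.

```python
import ipaddress


def parse_match_address(line):
    """Parse a constructed 'match address <src> <dst>' line into two networks.
    Source comes first and destination second, as the manual describes."""
    parts = line.split()
    if len(parts) != 4 or parts[:2] != ["match", "address"]:
        raise ValueError(f"unrecognised line: {line!r}")
    return ipaddress.ip_network(parts[2]), ipaddress.ip_network(parts[3])


def polarity_problem(initiator_line, responder_line):
    """Return None when the two ends mirror each other, else a description of the fault."""
    i_src, i_dst = parse_match_address(initiator_line)
    r_src, r_dst = parse_match_address(responder_line)
    if i_src == r_dst and i_dst == r_src:
        return None
    if i_src == r_src and i_dst == r_dst:
        return "polarity reversed: both ends list the same source and destination"
    return (f"selectors do not mirror: initiator {i_src} -> {i_dst}, "
            f"responder {r_src} -> {r_dst}")


def would_start_ike(initiator_line, pkt_src, pkt_dst):
    """True when a packet seen at the initiator matches its selector, so IKE is started."""
    src_net, dst_net = parse_match_address(initiator_line)
    return (ipaddress.ip_address(pkt_src) in src_net
            and ipaddress.ip_address(pkt_dst) in dst_net)


# Constructed sample: site A protects 10.1.0.0/16, site B protects 10.2.0.0/16.
SITE_A = "match address 10.1.0.0/16 10.2.0.0/16"
SITE_B_CORRECT = "match address 10.2.0.0/16 10.1.0.0/16"
SITE_B_REVERSED = "match address 10.1.0.0/16 10.2.0.0/16"  # copied from A unchanged

if __name__ == "__main__":
    print("correct pair:", polarity_problem(SITE_A, SITE_B_CORRECT))
    print("reversed pair:", polarity_problem(SITE_A, SITE_B_REVERSED))
    print("A starts IKE for 10.1.4.7 -> 10.2.9.1:", would_start_ike(SITE_A, "10.1.4.7", "10.2.9.1"))
    print("reversed A starts IKE:", would_start_ike(SITE_B_REVERSED.replace("10.1", "10.2", 1)
                                                    .replace("10.2.0.0/16 10.2", "10.2.0.0/16 10.1", 1),
                                                    "10.1.4.7", "10.2.9.1"))
```

The last print shows the initiator-side symptom the manual names: with source and destination swapped, traffic from the local protected network never matches the selector, so IKE is never started.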
