McAfee SG310 Administration Manual page 310

VPN menu features
Troubleshooting IPSec
• The tunnel has not been configured.
• The Phase 1 proposals do not match.
• The secrets do not match.
• The RSA key signatures have been incorrectly configured.
• The Distinguished Name of the remote party has not been configured correctly.
• The Endpoint IDs do not match.
• The remote IP address or DNS hostname has been incorrectly entered.
• The certificates do not authenticate correctly against the CA certificate.
Solution: Ensure that the tunnel settings for the appliance and the remote party are configured
correctly. Also ensure that both have IPSec enabled and have Internet IP addresses. Check that the CA
has signed the certificates.
Symptom: Tunnel is always Negotiating Phase 2.
Possible causes:
• The Phase 2 proposals set for the appliance and the remote party do not match.
• The local and remote subnets do not match.
Solution: Ensure that the tunnel settings for the appliance and the remote party are configured
correctly. If phase 2 fails to come up when attempting a tunnel with a non-UTM Firewall appliance,
such as a Sidewinder G2 or a TSP Classic appliance, selecting a Phase 2 Proposal with no Perfect
Forward Secrecy is often the first step in ensuring compatibility between the endpoints.
Symptom: The tunnel appears to be up and I can ping across it, but HTTP, FTP, SSH, telnet, etc. do not
work.
Possible cause: The MTU of the IPSec interface is too large.
Solution: Reduce the MTU of the IPSec interface.
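The ping-works-but-TCP-does-not symptom is a size problem: a default 84-byte ICMP echo fits inside the tunnel's outer MTU once ESP overhead is added, while a full-size 1500-byte TCP segment with DF set does not, so it is dropped or black-holed. The following added example (not code from the McAfee guide) computes the tunnel-mode ESP overhead from RFC 4303 (ESP) and RFC 3948 (UDP encapsulation for NAT-T) and derives the MTU to set on the IPsec interface. The cipher and integrity transforms in the tables are assumptions about what a given tunnel negotiates; check the Phase 2 proposal in use before applying the result.

```python
# Added example (not from the McAfee guide): ESP tunnel-mode overhead calculation.
# Shows why a small ping crosses the tunnel while full-size TCP segments do not,
# and what MTU to configure on the IPsec interface.
# Byte counts follow RFC 4303 (ESP) and RFC 3948 (UDP encapsulation for NAT-T).
# The transform tables are assumptions about the negotiated Phase 2 proposal.

IPV4_HEADER = 20   # outer IPv4 header added in tunnel mode
UDP_HEADER = 8     # UDP header when NAT traversal (NAT-T) encapsulation is in use
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)

# encryption transform -> (IV length, cipher block size), assumed common IKE transforms
CIPHERS = {
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
}

# integrity transform -> ICV length in bytes
INTEGRITY = {
    "hmac-md5-96": 12,
    "hmac-sha1-96": 12,
    "hmac-sha256-128": 16,
}


def esp_overhead_bounds(cipher, integrity, nat_t=False):
    """Return (fixed_overhead, block_size): bytes added around the padded payload,
    and the block size the encrypted payload must be padded to."""
    iv_len, block = CIPHERS[cipher]
    icv_len = INTEGRITY[integrity]
    fixed = IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER + iv_len + icv_len
    return fixed, block


def outer_packet_size(inner_size, cipher, integrity, nat_t=False):
    """On-the-wire size of a tunnel-mode ESP packet carrying an inner IP packet
    of inner_size bytes."""
    fixed, block = esp_overhead_bounds(cipher, integrity, nat_t)
    # inner packet + padding + 2-byte trailer must be a multiple of the block size
    # (RFC 4303 section 2.4); -(-x // b) * b rounds x up to a multiple of b
    padded = -(-(inner_size + ESP_TRAILER) // block) * block
    return fixed + padded


def max_inner_mtu(outer_mtu, cipher, integrity, nat_t=False):
    """Largest inner IP packet that fits the outer link MTU without fragmentation.
    This is the value to set as the MTU of the IPsec interface."""
    fixed, block = esp_overhead_bounds(cipher, integrity, nat_t)
    available = outer_mtu - fixed
    return (available // block) * block - ESP_TRAILER


def tcp_mss_for(inner_mtu):
    """TCP MSS that keeps segments within inner_mtu (20-byte IPv4 + 20-byte TCP header)."""
    return inner_mtu - 40


if __name__ == "__main__":
    for nat in (False, True):
        m = max_inner_mtu(1500, "aes-cbc", "hmac-sha1-96", nat_t=nat)
        print(f"AES-CBC/HMAC-SHA1, NAT-T={nat}: IPsec interface MTU {m}, TCP MSS {tcp_mss_for(m)}")
    # Why ping works but TCP does not over a 1500-byte outer link:
    print("84-byte ICMP echo on the wire:",
          outer_packet_size(84, "aes-cbc", "hmac-sha1-96"))      # fits
    print("1500-byte TCP segment on the wire:",
          outer_packet_size(1500, "aes-cbc", "hmac-sha1-96"))    # exceeds 1500
```

For AES-CBC with HMAC-SHA1 over a 1500-byte outer link this gives an IPsec interface MTU of 1438 (1422 once NAT-T adds the UDP header); lowering the MTU to that value, or clamping TCP MSS to 40 bytes less, is what "reduce the MTU of the IPsec interface" amounts to in numbers. On a Linux host behind the tunnel you can confirm the path MTU empirically with `ping -M do -s <payload>` (don't-fragment set) and watch at which payload size the echo stops being answered.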
Symptom: Tunnel goes down after a while.
Possible causes:
• The remote party has gone down.
• The remote party has disabled IPSec.
• The remote party has disabled the tunnel.
• The tunnel on the appliance has been configured not to rekey the tunnel.
• The remote party is not rekeying correctly with the appliance.
Solution: Confirm that the remote party has IPSec and the tunnel enabled and has an Internet IP
address. Ensure that the appliance has rekeying enabled. If the tunnel still goes down after a period of
time, it may be due to the UTM Firewall appliance and remote party not recognizing the need to
renegotiate the tunnel. This situation arises when the remote party is configured to accept incoming
tunnel connections (as opposed to initiate tunnel connections) and reboots. The tunnel has no ability
to let the other party know that a tunnel renegotiation is required. This is an inherent drawback to the
IPSec protocol. Different vendors have implemented their own proprietary method to support the
ability to detect whether to renegotiate the tunnel. Dead peer detection has been implemented based
on the draft produced by Cisco Systems (draft-ietf-IPSec-dpd-00.txt). Unfortunately, unless the
remote party implements this draft, the only method to renegotiate the tunnel is to reduce the key
lifetimes for Phase 1 and Phase 2 for Automatic Keying (IKE). This does not occur for Manual Keying.
Symptom: Dead Peer Detection does not seem to be working.
Possible causes:
310
McAfee UTM Firewall 4.0.4 Administration Guide