McAfee SG310 Administration Manual page 311

VPN menu features
Troubleshooting IPSec
• The tunnel has Dead Peer Detection disabled.
• The remote party does not support Dead Peer Detection according to draft-ietf-IPSec-dpd-00.txt
Solution: Enable Dead Peer Detection support for the tunnel. Do not use Dead Peer Detection if the
remote party does not support draft-ietf-IPSec-dpd-00.txt.
Symptom: Tunnels using X.509 certificate authentication do not work.
Possible causes:
• The date and time settings on the appliance have not been configured correctly.
• The certificates have expired.
• The Distinguished Name of the remote party has not been configured correctly on the appliance's
tunnel.
• The certificates do not authenticate correctly against the CA certificate.
• The remote party's settings are incorrect.
Solution: Confirm that the certificates are valid, and that the appliance's clock is correct, since each
certificate's validity period is checked against it. Confirm also that the remote party's tunnel settings
are correct. Check that the Distinguished Name entry in the appliance's tunnel configuration matches
the subject of the remote party's certificate exactly.
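The checks above can be run against a copy of the remote party's certificate before the tunnel configuration is touched. The script below is an added example, not part of the McAfee guide; it assumes the openssl command-line tool is available on the workstation, and the file names and DN in the usage line are placeholders. It runs on the workstation, so it only confirms the certificate against that machine's clock; the appliance's own date and time must still be checked separately.

```sh
#!/bin/sh
# Added example, not from the McAfee guide: check the certificate-related
# causes listed above with the openssl command-line tool (assumed installed)
# before touching the tunnel configuration. File names are placeholders.

# check_peer_cert <peer.crt> <ca.crt> [expected_dn]
# Return codes: 0 all checks pass; 1 certificate does not chain to the CA;
# 2 certificate is outside its validity period according to the local clock
#   (so either it expired or a clock is wrong); 3 subject DN differs from
#   the DN configured on the tunnel (RFC 2253 form, e.g. CN=gw,O=Example,C=US).
check_peer_cert() {
    cert=$1; ca=$2; expected_dn=$3

    # openssl verify checks both the chain and the validity window, so classify
    # its error text to tell "expired / not yet valid" from a real chain failure.
    if ! out=$(openssl verify -CAfile "$ca" "$cert" 2>&1); then
        case "$out" in
            *"has expired"*|*"not yet valid"*)
                echo "FAIL: $cert is outside its validity period; local clock is $(date -u)"
                openssl x509 -in "$cert" -noout -dates
                return 2 ;;
            *)
                echo "FAIL: $cert does not verify against $ca"
                echo "  $out"
                return 1 ;;
        esac
    fi

    # The DN the remote party presents must match what is entered on the tunnel.
    dn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    if [ -n "$expected_dn" ] && [ "$dn" != "$expected_dn" ]; then
        echo "FAIL: certificate subject is '$dn' but tunnel expects '$expected_dn'"
        return 3
    fi

    echo "OK: $cert chains to $ca and is valid now; subject DN: $dn"
    return 0
}

if [ "$#" -ge 2 ]; then
    check_peer_cert "$@"   # e.g. check_peer_cert peer.crt vpn-ca.crt "CN=branch-gw,O=Example,C=US"
fi
```

The DN is printed in RFC 2253 order (most specific component first); if the appliance expects the components in the opposite order, enter them as the appliance's tunnel page shows them, but with exactly the same values.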
Symptom: Remote hosts can be accessed using IP address but not by name.
Possible cause: Windows network browsing broadcasts are not being transmitted through the tunnel.
Solutions:
• Set up a DNS/WINS server and use it to have the remote hosts resolve names to IP addresses.
• Set up HOSTS/LMHOSTS files on remote hosts to resolve names to IP addresses.
Symptom: Tunnel comes up but the application does not work across the tunnel.
Possible causes:
• There may be a firewall device blocking IPSec packets.
• The MTU of the IPSec interface may be too large.
• The application uses broadcast packets to operate.
Solution: Confirm that the problem is the VPN tunnel and not the application being run. These are the steps you can try to find where the problem is (it is assumed that a network to network VPN is being used):
1 Ping from your PC to the Internet IP address of the remote party. This assumes that the remote party is configured to accept incoming pings.
If you cannot ping the Internet IP address of the remote party, either the remote party is not online or your computer does not have the UTM Firewall appliance as its default gateway.
2 Ping from your PC to the LAN IP address of the remote party. This ping only travels through the tunnel if the remote party's LAN address lies within the remote subnet configured on the tunnel.
If you can ping the Internet IP address of the remote party but not the LAN IP address, then the remote party's LAN IP address or its default gateway has not been configured properly. Also check your network configuration for any devices filtering IPSec packets (ESP, IP protocol 50; AH, IP protocol 51; and IKE on UDP port 500, or UDP port 4500 when NAT traversal is in use) and whether your Internet Service Provider is filtering IPSec packets.
3 Ping from your PC to a PC on the LAN behind the remote party that the tunnel has been configured to combine.
If you can ping the LAN IP address of the remote party but not a host on the remote network, then either the local and/or remote subnets of the tunnel settings have been incorrectly configured or the remote host does not have the remote party as its default gateway.
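The three ping steps above, written as a script that reports which step failed and what the guide says to check at that step. This is an added example, not the guide's own procedure; it goes one step beyond the text by probing, with the Don't Fragment bit set, how large a packet crosses the tunnel, which is the quick test for the "MTU too large" cause. It assumes Linux ping syntax (-M do; BSD and macOS use -D), and the addresses in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example, not from the McAfee guide: the three-step ping triage for a
# network-to-network IPSec tunnel as a script, plus a fourth step (assumed,
# Linux ping syntax) that probes the usable path MTU through the tunnel.
# The addresses in the usage comment are placeholders.

# probe <ip>: 0 if the host answers one ICMP echo within 2 seconds.
probe() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# probe_df <ip> <payload_bytes>: 0 if an echo of that payload size gets through
# with the Don't Fragment bit set (Linux ping; BSD/macOS use -D instead of -M do).
probe_df() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# largest_df_payload <ip>: prints the largest payload (from a fixed ladder) that
# crosses the tunnel unfragmented, or 0 if none does.
largest_df_payload() {
    for size in 1472 1400 1350 1300 1200 1000; do
        if probe_df "$1" "$size"; then
            echo "$size"
            return 0
        fi
    done
    echo 0
    return 1
}

# ipsec_triage <remote_internet_ip> <remote_lan_ip> <remote_host_ip>
# Return codes: 0 all steps pass, 1/2/3 the step that failed, 4 pings pass
# but only small DF packets get through (MTU problem likely).
ipsec_triage() {
    wan=$1; lan=$2; host=$3
    if ! probe "$wan"; then
        echo "step 1 FAILED: no reply from $wan"
        echo "  remote party offline, your default gateway is not the appliance, or remote drops ICMP"
        return 1
    fi
    if ! probe "$lan"; then
        echo "step 2 FAILED: $wan replies but $lan does not"
        echo "  remote LAN address/default gateway wrong, or ESP (IP proto 50), AH (51) or IKE (UDP 500/4500) filtered on the path"
        return 2
    fi
    if ! probe "$host"; then
        echo "step 3 FAILED: $lan replies but $host does not"
        echo "  tunnel local/remote subnets wrong, or $host's default gateway is not the remote party"
        return 3
    fi
    echo "steps 1-3 passed: the tunnel carries traffic"
    max=$(largest_df_payload "$host") || true
    if [ "$max" -lt 1400 ]; then
        echo "step 4: largest unfragmented payload to $host is $max bytes; lower the IPSec interface MTU (or clamp TCP MSS)"
        return 4
    fi
    echo "step 4: $max-byte payloads pass unfragmented; MTU looks fine, suspect the application (e.g. broadcasts)"
    return 0
}

if [ "$#" -eq 3 ]; then
    ipsec_triage "$@"   # e.g. ipsec_triage 203.0.113.1 192.168.2.1 192.168.2.10
fi
```

The 1400-byte threshold is a rule of thumb: on a 1500-byte link, ESP and the outer IP header consume roughly 60 to 80 bytes, so a payload around 1400 should still pass; if only much smaller packets get through, the IPSec interface MTU is the first thing to lower.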
McAfee UTM Firewall 4.0.4 Administration Guide
311


This manual is also suitable for: SG560, SG560U, SG565, SG580