Nortel Networks NN46110-602 User Manual

Nortel VPN Router Troubleshooting

Version 7.00
Part No. NN46110-602 315900-E Rev 01 February 2007 Document status: Standard
600 Technology Park Drive Billerica, MA 01821-4130
Copyright © 2007 Nortel Networks. All rights reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.
The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document.
Trademarks
Nortel Networks, the Nortel Networks logo, the Globemark, Unified Networks, and Nortel VPN Router are trademarks of Nortel Networks.
Adobe, Acrobat, and Acrobat Reader are trademarks of Adobe Systems Incorporated.
Macintosh is a trademark of Apple Computer, Inc.
Cisco and Cisco Systems are trademarks of Cisco Technology, Inc.
SafeNet is a trademark of SafeNet, Inc.
Linux is a trademark of Linus Torvalds.
Microsoft, MS-DOS, Windows, and Windows NT are trademarks of Microsoft Corporation.
Netscape and Netscape Communicator are trademarks of Netscape Communications Corporation.
Network General Sniffer is a trademark of Network Associates, Inc.
NetWare, IPX, and Novell are trademarks of Novell, Inc.
RSA and SecurID are trademarks of RSA Security Inc.
Java and JavaScript are trademarks of Sun Microsystems, Inc.
Ethernet is a trademark of Xerox Corporation.
The asterisk after a name denotes a trademarked item.
Restricted rights legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice.
Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
Nortel Networks Inc. software license agreement
This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Networks Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.
“Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.
1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software.
2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply.
3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply.
4. General
a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).
b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.
d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.
e. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks.
f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.

Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Text conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Hard-copy technical manuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
How to get help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Finding the latest updates on the Nortel Web site . . . . . . . . . . . . . . . . . . . . . . . . . 22
Getting help from the Nortel Web site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Getting help over the phone from a Nortel Solutions Center . . . . . . . . . . . . . . . . . 23
Getting help from a specialist by using an Express Routing Code . . . . . . . . . . . . 23
Getting help through a Nortel distributor or reseller . . . . . . . . . . . . . . . . . . . . . . . . 24
New in this release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
SNMP traps when an IP address pool reaches the configured threshold . . . . . . . 25
Automatic backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
PCAP enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
SNMP interface index enhancement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Chapter 1
VPN Router administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Administrator settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Lost user name and password—resetting the VPN Router to factory defaults . . . 28
Dynamic password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
System configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
File management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Simple Network Management Protocol (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Configuring SNMP traps to send notification when an IP address pool reaches the configured threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Chapter 2
Status and logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Health check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Accounting records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
RADIUS accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Data collection task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Event log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
System log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Security log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Configuration log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Chapter 3
Administrative tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Accessing the diskette drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Using the recovery diskette . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Automatic backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Using the GUI for automatic backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Transferring backup files through SFTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Triggering a backup when a file or directory changes . . . . . . . . . . . . . . . . . . . 53
Using the CLI for automatic backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Backing up specific files and directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Stopping the backup of specific files and directories . . . . . . . . . . . . . . . . . . . 58
Backing up changes to specific files or directories . . . . . . . . . . . . . . . . . . . . . 58
Stopping the backup of changes to specific files or directories . . . . . . . . . . . . 59
Using SFTP to transfer backup files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Stopping the transfer of backup files using SFTP . . . . . . . . . . . . . . . . . . . . . . 59
Disabling new logins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Upgrading the software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Checking available disk space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Creating a control tunnel to upgrade from a remote location . . . . . . . . . . . . . . . . . 62
Creating a recovery diskette . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Backing up system files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Retrieving the new software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Before completing the upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Applying the software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
After you upgrade the software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Chapter 4
Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Troubleshooting tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Client-based tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
System-based tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Other tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Solving connectivity problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Diagnosing client connectivity problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Common client connectivity problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Problems with name resolution using DNS services . . . . . . . . . . . . . . . . . . . . . . . 76
Network browsing problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Diagnosing WAN link problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Hardware encryption accelerator connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Solving performance problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Eliminating modem errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Performance tips for configuring Microsoft networking . . . . . . . . . . . . . . . . . . . . . . . . 82
Additional information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Solving general problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Web browser problems and the VPN Client Manager . . . . . . . . . . . . . . . . . . . . . . 92
Enabling Web browser options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Web browser error messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Reporting a problem with a Web browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
System problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Client address redistribution problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Solving routing problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Solving firewall problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Chapter 5
Packet capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
PCAP features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Security features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
File format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Capture types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Physical interface captures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Tunnel captures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Global IP captures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Filters and triggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Capture filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Triggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Saving captured data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Memory considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Performance considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Enabling packet capture on a VPN Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Capturing packets to disk file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Setting the PCAP file path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Setting the size of the RAM buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Setting the size of a disk capture file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Setting the maximum number of disk capture files . . . . . . . . . . . . . . . . . . . . 114
Saving captured data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Configuring and running packet capture objects . . . . . . . . . . . . . . . . . . . . . . . . . 115
Creating a capture object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Starting, stopping, and saving capture objects . . . . . . . . . . . . . . . . . . . . . . . 119
Using the show capture command to display capture status . . . . . . . . . . . . 119
Sample packet capture configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Interface capture object using a filter and direction . . . . . . . . . . . . . . . . . . . . 121
Interface capture object using triggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Tunnel capture object using a remote IP address . . . . . . . . . . . . . . . . . . . . . 124
Viewing a packet capture output file on a PC . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Installing Ethereal software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Saving, downloading, and viewing PCAP files . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Viewing a PCAP file with Sniffer Pro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Deleting capture objects and disabling packet capture . . . . . . . . . . . . . . . . . . . . 128
Appendix A
MIB support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
SNMP RFC support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Novell IPX MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Novell RIP-SAP MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
RFC 1850—OSPF Version 2 Management Information Base . . . . . . . . . . . . . . . 131
RFC 1724—RIP Version 2 MIB Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
RFC 1213—Network Management of TCP/IP-Based Internets MIB . . . . . . . . . . 132
RFC 2667—IP Tunnel MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
RFC 2787—VRRP MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
RFC 2737—Entity MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
RFC 1573—IanaIfType MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
RFC 2233—If MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
RFC 2571—Snmp-Framework MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
RFC2790—Host Resources MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
RFC2495—DS1 MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
RFC2863 Interface MIB (64 bit counters support) . . . . . . . . . . . . . . . . . . . . . . . . 136
VPN Router MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
cestraps.mib—Nortel proprietary MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
newoak.mib . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Hardware-related traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Server-related traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Software-related traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Login-related traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Intrusion-related traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
System-related traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Information passed with every trap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Appendix B
Using serial PPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Establishing a serial PPP connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Setting up a Dial-Up Networking connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Setting up the modem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Setting up the VPN Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Dialing in to the VPN Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Troubleshooting Serial PPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
PPP option settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Appendix C
System messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Certificate messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
ISAKMP messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Branch office messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
SSL messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Database messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Security messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
RADIUS accounting messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
RADIUS authentication messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Routing messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Hardware messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Appendix D
Configuring for interoperability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Configuring the Cisco 2514 router, Version 11.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Configuring the VPN Router for Cisco interoperability . . . . . . . . . . . . . . . . . . . . . . . . 210
Configuring the SafeNet/Soft-PK Security Policy Database Editor, Version 1.0s . . . . 211
Connecting to IRE SafeNET/Soft-PK Security Policy Client . . . . . . . . . . . . . . . . 212
Configuring the VPN Router for IRE interoperability . . . . . . . . . . . . . . . . . . . . . . . . . 215
Third-party client installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Considerations for using third-party clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Configuring the VPN Router as a branch office tunnel . . . . . . . . . . . . . . . . . . . . 219
Configuring the VPN Router as a user tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Configuring IPX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
IPX client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Windows 95 and Windows 98 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Windows NT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
IPX group configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Sample IPX VPN Router topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

Figures

Figure 1 Admin > SNMP Traps window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Figure 2 Event logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Figure 3 Capture and display filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Figure 4 Configure Display Entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Figure 5 Recovery Diskette window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Figure 6 Automatic backup window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Figure 7 Specific Automatic Backup window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Figure 8 Disable new logins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Figure 9 FTP menu example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Figure 10 FTP menu with subdirectory example . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Figure 11 VPN Router and Cisco 2514 network topology . . . . . . . . . . . . . . . . . . . 208
Figure 12 VPN Router and IRE SafeNet network topology . . . . . . . . . . . . . . . . . . 211
Figure 13 Split tunneling example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Figure 14 IPX topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

Tables

Table 1 Field IDs for data collection records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Table 2 Troubleshooting tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Table 3 Trap categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Table 4 VPN Router traps MIB descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Table 5 DIP switch configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Preface

This guide provides information about how to manage and troubleshoot the Nortel VPN Router.

Before you begin

This guide is for network managers who monitor and maintain the Nortel VPN Router. This guide assumes that you have experience with system administration and familiarity with network management.

Text conventions

This guide uses the following text conventions:
angle brackets (< >) Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command. Example: If the command syntax is ping <ip_address>, you enter ping 192.32.10.12.
bold Courier text Indicates command names and options and text that you need to enter. Example: Use the show health command. Example: Enter terminal paging {off | on}.
braces ({}) Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command. Example: If the command syntax is ldap-server source {external | internal}, you must enter either ldap-server source external or ldap-server source internal, but not both.
brackets ([ ]) Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command. Example: If the command syntax is show ntp [associations], you can enter either show ntp or show ntp associations. Example: If the command syntax is default rsvp [token-bucket {depth | rate}], you can enter default rsvp, default rsvp token-bucket depth, or default rsvp token-bucket rate.
ellipsis points (. . . ) Indicate that you repeat the last element of the command as needed. Example: If the command syntax is more diskn:<directory>/...<file_name>, you enter more and the fully qualified name of the file.
italic text Indicates new terms, book titles, and variables in
command syntax descriptions. Where a variable is two or more words, the words are connected by an underscore.
Example: If the command syntax is
ping <ip_address>, ip_address is one variable
and you substitute one value for it.
plain Courier text
Indicates system output, for example, prompts and system messages.
Example:
File not found.
separator ( > ) Shows menu paths.
Example: Choose Status > Health Check.
vertical line ( | ) Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is terminal paging {off | on}, you enter either terminal paging off or terminal paging on, but not both.

Acronyms

This guide uses the following acronyms:
ADSL asynchronous digital subscriber line
ARP Address Resolution Protocol
ATM asynchronous transfer mode
CA certificate authority
CHAP Challenge Handshake Authentication Protocol
CMP Certificate Management Protocol
DHCP Dynamic Host Configuration Protocol
DNS Domain Name System
FTP File Transfer Protocol
HTTP Hypertext Transfer Protocol
ICMP Internet Control Message Protocol
IKE IPsec Key Exchange
IP Internet Protocol
IPsec IP Security
IPX Internetwork Packet Exchange
ISDN BRI integrated services digital network basic-rate interface
ISP Internet service provider
L2F Layer 2 Forwarding
L2TP Layer 2 Tunneling Protocol
LAN local area network
LDAP Lightweight Directory Access Protocol
NAT Network Address Translation
OSI Open Systems Interconnection
OSPF Open Shortest Path First
PAP Password Authentication Protocol
PCAP packet capture
PDN public data network
POP point of presence
PPP Point-to-Point Protocol
PPTP Point-to-Point Tunneling Protocol
RADIUS Remote Authentication Dial-In User Service
RIP Routing Information Protocol
SNMP Simple Network Management Protocol
UDP User Datagram Protocol
URL uniform resource locator
VPN virtual private network
VRRP Virtual Router Redundancy Protocol
WAN wide area network
XNS Xerox Networking System

Related publications

For more information about the Nortel VPN Router, see the following publications:
Release notes provide the latest information, including brief descriptions of the new features, problems fixed in this release, and known problems and workarounds.
Nortel VPN Router Configuration — Basic Features (NN46110-500) introduces the product and provides information about initial setup and configuration.
Nortel VPN Router Configuration — SSL VPN Services (NN46110-501) provides instructions for configuring services on the SSL VPN Module 1000, including authentication, networks, user groups, and portal links.
Nortel VPN Router Security — Servers, Authentication, and Certificates (NN46110-600) provides instructions for configuring authentication services and digital certificates.
Nortel VPN Router Security — Firewalls, Filters, NAT, and QoS (NN46110-601) provides instructions for configuring the Stateful Firewall and VPN Router interface and tunnel filters.
Nortel VPN Router Configuration — Advanced Features (NN46110-502) provides instructions for configuring advanced LAN and WAN settings, PPP, frame relay, PPPoE, ADSL and ATM, T1CSU/DSU, dial services and BIS, DLSw, IPX, and SSL VPN.
Nortel VPN Router Configuration — Tunneling Protocols (NN46110-503) provides configuration information for the tunneling protocols IPsec, L2TP, PPTP, and L2F.
Nortel VPN Router Configuration — Routing (NN46110-504) provides instructions for configuring RIP, OSPF, and VRRP, as well as instructions for configuring ECMP, routing policy services, and client address redistribution (CAR).
Nortel VPN Router Using the Command Line Interface (NN46110-507) provides syntax, descriptions, and examples for the commands that you can use from the command line interface.
Nortel VPN Router Configuration — TunnelGuard (NN46110-307) provides information about configuring and using the TunnelGuard feature.

Hard-copy technical manuals

You can print selected technical manuals and release notes free, directly from the Internet. Go to www.nortelnetworks.com/documentation, find the product for which you need documentation, then locate the specific category and model or version for your hardware or software product. Use Adobe Reader to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to the Adobe Web site at www.adobe.com to download a free copy of Adobe Reader.

How to get help

This section explains how to get help for Nortel products and services.

Finding the latest updates on the Nortel Web site

The content of this documentation was current at the time the product was released. To check for updates to the latest documentation and software for VPN Router, click one of the following links:
Latest software: takes you directly to the Nortel page for VPN Router software, located at www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=SOFTWARE&resetFilter=1&poid=12325
Latest documentation: takes you directly to the Nortel page for VPN Router documentation, located at www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=DOCUMENTATION&resetFilter=1&poid=12325

Getting help from the Nortel Web site

The best way to get technical support for Nortel products is from the Nortel Technical Support Web site:
www.nortel.com/support
This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. From this site, you can:
download software, documentation, and product bulletins
search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues
sign up for automatic notification of new software and documentation for Nortel equipment
open and manage technical support cases

Getting help over the phone from a Nortel Solutions Center

If you do not find the information you require on the Nortel Technical Support Web site, and you have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
In North America, call 1-800-4NORTEL (1-800-466-7835).
Outside North America, go to the following web site to obtain the phone number for your region:
www.nortel.com/callus

Getting help from a specialist by using an Express Routing Code

To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to:
www.nortel.com/erc

Getting help through a Nortel distributor or reseller

If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.

New in this release

The following section details what is new in Nortel VPN Router Troubleshooting for Release 7.0.

Features

See the following sections for information about feature changes:
SNMP traps when an IP address pool reaches the configured threshold
Automatic backups
PCAP enhancements
SNMP interface index enhancement

SNMP traps when an IP address pool reaches the configured threshold

You can configure the VPN Router so that a Simple Network Management Protocol (SNMP) trap sends a notification about an exhausted pool when a defined IP address pool reaches a configured limit. The VPN Router periodically traverses the list of IP address pools and sends a trap if any pool is over the quota. You can set the limit; the default is 70%.
For more information about trap notification when the IP pool reaches a certain capacity, see “Configuring SNMP traps to send notification when an IP address pool reaches the configured threshold” on page 32.

Automatic backups

You can now back up a file or a directory, as well as trigger a backup, when a file changes. Previously, you could only back up system, configuration, and log files. You can use either the graphical user interface (GUI) or the command line interface (CLI) to configure automated backup.
You can also now use a Secure File Transfer Protocol (SFTP) client as well as File Transfer Protocol (FTP) to transfer backup files. You can use either the GUI or the CLI to activate SFTP.
For more information about automatic backups, see “Automatic backups” on page 52.

PCAP enhancements

You can now capture packets to disk files. Previously, you could capture packets to random access memory (RAM) only. There are five new commands for the command line interface (CLI) of the VPN Router. You must use the CLI to configure Packet Capture (PCAP).

For more information about PCAP enhancements, see “Capturing packets to disk file” on page 113.

SNMP interface index enhancement

Third-party network management systems (NMS) rely on interface index (IfIndex) numbers to monitor and gather statistics for devices through SNMP. These locally significant numbers are assigned to the physical and virtual interfaces on the device and enable the NMS to associate statistics with interfaces. Previously, when a branch office tunnel came up, it was assigned a dynamic IfIndex number. Only up tunnels were reported; any down tunnels were not reported.
With the enhancement, each branch office is assigned a static IfIndex, the IfIndex is saved in LDAP, and tunnels are reported even when they are down.
For more information about the IfIndex enhancement, see “RFC 1213—Network Management of TCP/IP-Based Internets MIB” on page 132.
Chapter 1 VPN Router administration
This chapter introduces administrator settings, tools, system configuration, and file management. It also includes information about SNMP traps.

Administrator settings

The VPN Router supports multiple administrators. You can assign different rights to allow or prevent administrative users from managing or viewing the VPN Router and user configuration information. You assign administrative privileges and rights on the Profiles > User > Edit window. The VPN Router also supports a primary administrator.
You can assign one of the following privilege levels to Manage Switch and Manage Users:
None—This user does not have administrator rights to manage the VPN Router or to manage users; the user cannot view or manage configuration or user settings.
View—This user has administrator rights to view (monitor) VPN Router configuration or user rights settings; however, the user cannot manage (change) them. This is the lowest level of administrator rights.
Manage—This user has administrator rights to view (monitor) and manage (configure) other VPN Router configuration or user rights settings. This is the highest level of administrative rights.
Add Subgroups is a check box that gives the user the authority to add and delete subgroups under the given directory when the user has View only authority with Manage Switch access rights.
You use the Administrator Settings window to do the following:
change the primary administrator user ID and password
control the Administrator Idle Timeout Setting for all administrators
control the default language
control the serial port settings
There is only one primary administrator. The primary administrator user ID and password combination do the following:
provide the user with access to all windows and control settings
allow access to the serial port and the recovery disk
Note: Once you set the primary administrator user ID and password, you must implement an Admin > Shutdown to save the new settings. Doing a reset (using the Reset button on the back of the VPN Router) does not save the settings.
You can change the primary administrator user ID and password on the Admin > Administrator window.
Lost user name and password—resetting the VPN Router to factory defaults
You can set the VPN Router back to the factory default configuration even if you do not know the administrator username and password. To do this:
1 Boot the VPN Router into recovery mode.
2 Open a browser to the management IP address of the VPN Router. You do not need a user name and password for this step.
3 Reset to factory default. After you reset to factory default, the administrator user name is admin and the password is setup.
Caution: Resetting to factory default removes all existing configuration information.

Dynamic password

Two types of administrative users exist on the VPN Router:
one super-user (Administrator)
as many administrative users as needed
There is dynamic password support for administrative users only. The Administrator still requires a static password.
RADIUS manages the dynamic password. The external RADIUS service acts as an intermediary between the VPN Router and the dynamic password authentication system.
To configure a dynamic password:
1 Select Profiles > Users and click Add User.
2 Under Administration Privileges, select Dynamic Authentication.
When enabled, this forces administrative users to authenticate through RADIUS, which then forwards authentication credentials to a dynamic password authentication system, such as SecurID. The privileges associated with this administrative user are configured as before.

Tools

The VPN Router supports standard IP tools such as ping, Traceroute, and ARP show and delete. You access these tools through the Admin > Tools window.
The ping command generates an ICMP echo-request message, which any host can send to test node reachability across a network. The ICMP echo-reply message indicates that the node is successfully reached.
The Traceroute tool measures a network round-trip delay. Messages are sent per hop and the wait occurs between each message. If the address is unreachable, it uses the following formula to determine how long it takes for the Traceroute to time out.
maximum hops (30) x the wait timeout (5) x 3 seconds
The Address Resolution Protocol (ARP) dynamically discovers the low-level physical network hardware address that corresponds to the high-level IP address for a host. ARP is limited to physical network systems that support broadcast packets that are heard by all hosts on the network.

System configuration

Use the Admin > Config window to save the current or delete existing system configuration files. Additionally, you can select one of the previously named configurations and restore it as the current configuration.

File management

Use the Admin > File System > File System Maintenance window to navigate through the VPN Router file system. This window lists the devices (drives) and directories, which provides flexibility in viewing details of a file or directory and allows you to delete unnecessary files. For example, if you have problems performing an FTP transfer with a specific file, you can view the file details to learn its file size and when it was last modified for troubleshooting purposes. Additionally, you can toggle between hard drives when a backup drive is available.

Simple Network Management Protocol (SNMP)

Use the Admin > SNMP window to do the following:
designate the remote SNMP management stations that are authorized to send SNMP Gets to the VPN Router
enable specific MIBs
Note: A Nortel proprietary MIB is included on the Nortel CD. Click the CesTraps.mib file to load the MIB. See Appendix A, “MIB support,” for a description of the CesTraps.mib.
SNMP counters measure packet attributes based on the outer IP header. The inner IP header does not contribute to the SNMP MIB counters. For example, the outer packet header can be good and counted, but if the inner packet header is corrupted, it does not contribute to the drop counter.
You can view the results of SNMP traps on the Health Check window.
Use the Admin > SNMP Traps window to generate SNMP Version 1 traps, based on MIB II. From the SNMP Traps window, you can do the following:
designate the remote SNMP trap hosts that can receive traps from the VPN Router
select the specific traps that you want the SNMP hosts to receive
configure a trap to be sent only once
To enable traps, select one of the following trap groups from the SNMP Traps window:
hardware
server
service
standard IETF
attack
The traps displayed on the group windows—in particular the Hardware Trap Configuration and the Service Trap Configuration windows—reflect the hardware and software available on your VPN Router. For example, if you have a VPN Router with no WAN interface cards, the traps for WAN interfaces do not appear on the Hardware Trap Configuration window.
Note: The Health Check window reports the results of many of the selections you make on the SNMP Traps window.
Most of the traps the VPN Router sends to configured trap hosts are also displayed on the SNMP Traps window. However, the SNMP Traps window does not display certain traps, including traps related to the status of branch office tunnels, due to space limitations. For example, when a physical interface status changes, many traps are sent reporting the failure of all the tunnels using this interface. The VPN Router sends all traps—whether they appear on the SNMP Traps window—to the SNMP management application specified as the trap destination.

Configuring SNMP traps to send notification when an IP address pool reaches the configured threshold

You can configure the VPN Router to make an SNMP trap send a notification about an exhausted pool when a defined IP address pool reaches a configurable limit. The VPN Router periodically traverses the list of IP address pools and sends a trap if any pool is over the quota. You can set the limit and the default is 70%.
To configure an SNMP trap to send a notification about an exhausted IP address pool:
1 To capture the traps, you must first define and enable a target host. To do that, select Admin > Snmp Traps.
The Admin > SNMP Traps window appears.
Figure 1 Admin > SNMP Traps window
2 Enter a host name or IP address in the Host Name or IP Address text box.
3 Enter a name in the Community Name text box.
4 Click Enable.
5 Click OK.
6 Under the Trap Groups section on the SNMP Traps window, click Configure beside Service.
7 Click OK.
The Service Trap Configuration window appears.
8 Click Enable for User IP Address Pool.
9 Click OK.
The Address Pool window appears.
10 In the Address Pool Exhausted Amount text box, enter the limit of an IP pool that triggers an SNMP trap. The range is from 50 to 99 and the default is 70.
11 In the Address Pool Blackout Interval, enter in seconds the amount of time before an address is available for reissue. The default is 10.
12 Click OK.
You can also use the CLI to configure an SNMP trap to send a notification about an exhausted IP address pool.
To configure the interval:
CES(config)#$enable traps service ip-pool-exhausted interval <hh:mm:ss> [send-one]
To configure the amount:
CES(config)#ip local pool exhausted-amount <amount>
Chapter 2 Status and logging
The Status windows show which users are logged on, their traffic demands, and a summary of the VPN Router’s hardware configuration, including available memory and disk space.
The status windows include:
Sessions
Reports
System
Health check
Statistics
Accounting
The VPN Router has the following logs that provide different levels of information:
Security log
Config log
System log
Event log
The logs are stored in text files on disk and they indicate what happened, when, and to which user (IP address and user ID).
The event log captures real-time logging over a relatively short period of time (for example, the event log can wrap 2000 possible entries in minutes). The system log captures data over a longer period of time, up to 61 days.
Most events are sent to the event log first. Significant events from the event log are sent to the system log. (Not all data that the system log saves comes from the event log.) From the system log, the VPN Router filters security entries for the security log and configuration entries for the configuration log. You can use the different log options to write specific event levels to the log files and view them, including:
Normal
Urgent
Detailed
All

Sessions

You can monitor which users are tunneled into the VPN Router, when they logged in, and the number of bytes and packets they transmitted or received. Additionally, you can see selected session details, and you can log off users.

Once a session is connected, detailed information about the connection is available from the Status > Sessions window. This window lists all connected sessions, including administrative sessions. As well as statistics, this information contains what encryption was negotiated and the SPIs of the security associations. Click the appropriate buttons beside each session to either log out of the session or view detailed information about it.

Reports

Use the Status > Reports window to view system and performance data in text or graphical format. You generate reports in an on-screen tabular format, and you can import the reports into a spreadsheet or database through the comma-delimited format.
At midnight (12:00 a.m.), the data collection task performs summary calculations and rewrites history files, along with other management and cleanup functions. To perform this task, leave the VPN Router running overnight. The VPN Router must be running at midnight to generate a historical graph for the day.
If you have multiple VPN Routers throughout the world, use the Greenwich Mean Time (GMT) standard to synchronize the various log files so that the timestamps are directly comparable.

System

The Status > System window shows the VPN Router’s up time, software and hardware configurations, and the current status of key devices. When there is a pending shutdown or an Internetwork Packet Exchange (IPX) public network address change that requires a reboot, the top of this window lists these events.

Health check

The Status > Health Check window provides an overall summary of the current state of the VPN Router’s hardware and software components at a glance. It lists all aspects of unit operation, with the most critical information to check at the top of the window. Click the link on the right side of the window to go directly to the window for configuration of that feature.

Statistics

The Status > Statistics window provides many subwindows with a wealth of general and diagnostic information about the system hardware, software, and connections. Much of the information is specifically designed for Nortel Customer Support personnel to assist them in diagnosing problems. Some windows, however, such as the LAN Counters, Interfaces, and WAN Status windows, provide you with traffic information. Use the Status > Statistics window to see text displays of system-level statistics to resolve lower-level problems with connections. These displays are similar to command-line output from the operating system.
In normal operation and routine troubleshooting, it is not necessary to examine many of these windows. Some of the information, such as routing information, is also available through other windows, such as System > Routing.

Accounting

The accounting log provides information about user sessions. This log provides last and first names, user ID, tunnel type, session start and end dates, and the number of packets and bytes transferred. You can use most of these fields to search the log.

Accounting records

Accounting records are detailed logs that record the various activities performed by the VPN Router. The logs are directly available from the management interface and you can export them to other applications for additional processing. The VPN Router gathers and stores data about the current state of the VPN Router and the connections. The data is stored in files on the VPN Router’s hard drive.
Session Status: RADIUS Accounting—the VPN Router stores copies of RADIUS accounting records. These records, which you can retrieve through FTP or send to a RADIUS server, contain information about each VPN session initiated to the VPN Router.
System Data: Data Collection Task—The data collection task runs on the VPN Router and gathers data about the system’s status. Each minute, the task captures data and writes it to a data file. You use the information the task captures to create the graphs and reports available from the Status > Reports window.
Note: The results of accounting record searches can be incorrect if another administrator initiates a new search before the first search is completed. Therefore, ensure that not more than one administrator is searching accounting records at one time.
The data collection system stores records in text-based files in the system/dclog subdirectory. The system stores the most recent 60 days of data. The system stores daily files, summary files, and summary history files. Ongoing administration tasks include monitoring the configuration files, backing up and restoring the VPN Router or the LDAP database, and upgrading images and clients.
Note: The VPN Router does not sort accounting records and displays them in a random order.

RADIUS accounting

The VPN Router stores copies of RADIUS accounting records and normally sends these records to a standard RADIUS Accounting server. To configure a RADIUS accounting server, select Servers > RADIUS Acct.
To view the information in the standard RADIUS accounting records, select Status > Accounting. The VPN Router creates a file for each day and keeps the most recent 60 days of data, storing them in the SYSTEM/ACCTLOG directory.
Note: The Status > Accounting window can provide misleading branch office session information because it displays rekeyed branch office tunnels as separate entries. The VPN Router does not send RADIUS accounting records to external servers for branch office connections.

Data collection task

The VPN Router runs the data collection task, which gathers data about the system’s status. The task captures data every minute and writes it to a data file. The VPN Router uses the information this task captures to create the graphs and reports available from the Status > Reports window and stores this information in text-based files in the system/dclog directory. The VPN Router creates the following types of files in this directory:
Daily files that contain interval records gathered every 60 seconds. These values are interval values and there is a file for each day (for example, 20040622.DC).
Summary file that always has exactly five records containing summary data in a file called summary.dc. These values are used to give historical graphs and reports about specific values.
Summary history file that contains records representing cumulative daily data for the most recent 60 days in a file called summs.dc. Each day’s summary is represented by four records. These records are for the current, total, average, and maximum values for the day.
A data collection record consists of 16 pairs of entries for each data collection object currently being collected. Each value pair consists of a Field ID and an integer value. The following is a sample data collection record:
0-930057960,1-3,2-3,3-0,4-0,5-0,6-0,7-0,8-0,9-0,10-56,11-76,12-1,13-11021,14-40,15-38,16-0
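The record format above, as an added example that is not part of this manual or of the VPN Router software: a Python parser for data collection records (field names as listed in Table 1) that also applies the Address Pool Exhausted Amount threshold (range 50 to 99, default 70) and the send-one trap behaviour described under SNMP traps in Chapter 1. The failed-authentication limit and every record after the first are constructed assumptions for the example.

```python
"""Parse Nortel VPN Router data collection records and evaluate them.

Added example; not Nortel code. Field IDs and names follow Table 1 of the
manual. The pool threshold mirrors the Address Pool Exhausted Amount
setting; the failed-authentication limit is an assumption of this example.
"""
from datetime import datetime, timezone

# Field IDs 0..16 from Table 1 (17, LASTFIELDID, is never written to a record).
FIELD_NAMES = {
    0: "TIMESTAMP", 1: "TOTALSESSIONS", 2: "ADMINSESSIONS",
    3: "PPTPSESSIONS", 4: "IPSECSESSIONS", 5: "L2FSESSIONS",
    6: "L2TPSESSIONS", 7: "IPADDRESSUSE", 8: "CPUUSE", 9: "CPUSMOOTH",
    10: "MEMUSE", 11: "BOXPACKETSIN", 12: "BOXPACKETSOUT", 13: "BOXBYTESIN",
    14: "BOXBYTESOUT", 15: "BOXDROPPEDPACKETS", 16: "FAILEDAUTHATTEMPTS",
}
# Fields that Table 1 documents as percentages (0 to 100).
PERCENT_FIELDS = {"IPADDRESSUSE", "CPUUSE", "CPUSMOOTH", "MEMUSE"}

# First line is the sample record from the manual; the other two are
# constructed (one-minute intervals, a rising pool and a burst of failures).
SAMPLE_LINES = [
    "0-930057960,1-3,2-3,3-0,4-0,5-0,6-0,7-0,8-0,9-0,10-56,11-76,12-1,13-11021,14-40,15-38,16-0",
    "0-930058020,1-41,2-1,3-0,4-40,5-0,6-0,7-85,8-31,9-27,10-58,11-9120,12-8877,13-2402110,14-1993004,15-12,16-14",
    "0-930058080,1-44,2-1,3-0,4-43,5-0,6-0,7-88,8-33,9-29,10-58,11-9500,12-9100,13-2510000,14-2100000,15-9,16-2",
]


def parse_record(line):
    """Turn one 'id-value,id-value,...' record into a dict keyed by field name.

    Unknown, duplicate or missing field IDs and out-of-range percentages
    raise ValueError, so a truncated or corrupted line in a daily file is
    reported rather than silently read as zeros.
    """
    record = {}
    for pair in line.strip().split(","):
        fid_text, sep, value_text = pair.partition("-")
        if not sep:
            raise ValueError(f"malformed pair {pair!r}")
        name = FIELD_NAMES.get(int(fid_text))
        if name is None:
            raise ValueError(f"unknown field ID {fid_text}")
        if name in record:
            raise ValueError(f"duplicate field {name}")
        value = int(value_text)
        if name in PERCENT_FIELDS and not 0 <= value <= 100:
            raise ValueError(f"{name}={value} is not a percentage")
        record[name] = value
    missing = sorted(set(FIELD_NAMES.values()) - record.keys())
    if missing:
        raise ValueError(f"record is missing fields {missing}")
    return record


def record_time(record):
    """TIMESTAMP is seconds since Jan 1, 1970 00:00:00; return it as UTC."""
    return datetime.fromtimestamp(record["TIMESTAMP"], tz=timezone.utc)


def evaluate(lines, pool_threshold=70, failed_auth_limit=10, send_one=True):
    """Replay daily-file records; return alerts as (timestamp, name, value).

    pool_threshold follows the Address Pool Exhausted Amount setting (50 to
    99, default 70). failed_auth_limit per 60-second interval is an assumed
    value for this example; the manual defines no such setting. With
    send_one=True an alert fires only when its condition first becomes true,
    like the send-one trap option, and again only after it has cleared.
    """
    if not 50 <= pool_threshold <= 99:
        raise ValueError("pool_threshold must be between 50 and 99")
    alerts = []
    active = set()  # conditions currently asserted, for send_one
    for line in lines:
        rec = parse_record(line)
        checks = {
            "ip-pool-exhausted": (rec["IPADDRESSUSE"], pool_threshold),
            "failed-auth-burst": (rec["FAILEDAUTHATTEMPTS"], failed_auth_limit),
        }
        for name, (value, limit) in checks.items():
            hit = value >= limit
            if hit and (not send_one or name not in active):
                alerts.append((rec["TIMESTAMP"], name, value))
            if hit:
                active.add(name)
            else:
                active.discard(name)
    return alerts


if __name__ == "__main__":
    for ts, name, value in evaluate(SAMPLE_LINES):
        when = record_time({"TIMESTAMP": ts}).isoformat()
        print(f"{when} {name} value={value}")
```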
Tabl e 1 lists the field IDs that are currently implemented.
Table 1 Field IDs for data collection records

Field identification  Collected field value  Description
0   TIMESTAMP            Seconds since Jan 1, 1970 - 00:00:00 Hours
1   TOTALSESSIONS        Summary of all sessions
2   ADMINSESSIONS        Number of Admin sessions
3   PPTPSESSIONS         Number of PPTP sessions
4   IPSECSESSIONS        Number of IPsec sessions
5   L2FSESSIONS          Number of L2F sessions
6   L2TPSESSIONS         Number of L2TP sessions
7   IPADDRESSUSE         Percentage of total IP addresses in use
8   CPUUSE               Unfiltered CPU usage measurement {integer representing a percent between 0 and 100}
9   CPUSMOOTH            Filtered CPU usage measurement {integer representing a percent between 0 and 100}
10  MEMUSE               Filtered memory usage measurement {integer representing a percent between 0 and 100}
11  BOXPACKETSIN         Number of Inbound Packets
12  BOXPACKETSOUT        Number of Outbound Packets
13  BOXBYTESIN           Number of Inbound bytes
14  BOXBYTESOUT          Number of Outbound bytes
15  BOXDROPPEDPACKETS    Number of discarded packets
16  FAILEDAUTHATTEMPTS   Number of failed authentication attempts
17  LASTFIELDID          (this field is never written to data record)
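As an added example that is not code from the manual, the following Python parser applies the record layout and the Table 1 field IDs to a .DC record and reduces one day’s interval records to the current, total, average and maximum values that summs.dc keeps per day. The two extra records and the integer-truncated average are assumptions.

```python
"""Parse Nortel VPN Router data collection (.DC) records.

Added example, not Nortel code. The record layout and field IDs follow
Table 1; the daily-summary values mirror the description of summs.dc.
All records except the first are constructed.
"""
from datetime import datetime, timezone

# Field IDs from Table 1. ID 17 (LASTFIELDID) is never written to a record.
FIELD_NAMES = {
    0: "TIMESTAMP", 1: "TOTALSESSIONS", 2: "ADMINSESSIONS", 3: "PPTPSESSIONS",
    4: "IPSECSESSIONS", 5: "L2FSESSIONS", 6: "L2TPSESSIONS", 7: "IPADDRESSUSE",
    8: "CPUUSE", 9: "CPUSMOOTH", 10: "MEMUSE", 11: "BOXPACKETSIN",
    12: "BOXPACKETSOUT", 13: "BOXBYTESIN", 14: "BOXBYTESOUT",
    15: "BOXDROPPEDPACKETS", 16: "FAILEDAUTHATTEMPTS",
}
# Fields documented as an integer percentage between 0 and 100.
PERCENT_FIELDS = {"IPADDRESSUSE", "CPUUSE", "CPUSMOOTH", "MEMUSE"}


def parse_record(line: str) -> dict:
    """Turn one 'id-value,id-value,...' record into a name -> value dict.

    Rejects unknown field IDs, duplicate IDs, non-integer values and
    out-of-range percentages, so a corrupt or truncated .DC line is
    noticed instead of silently skewing a graph.
    """
    record = {}
    for pair in line.strip().split(","):
        field_id_text, sep, value_text = pair.partition("-")
        if not sep or not field_id_text.isdigit():
            raise ValueError(f"malformed pair {pair!r}")
        field_id = int(field_id_text)
        if field_id not in FIELD_NAMES:
            raise ValueError(f"unknown field ID {field_id}")
        name = FIELD_NAMES[field_id]
        if name in record:
            raise ValueError(f"duplicate field ID {field_id}")
        record[name] = int(value_text)  # ValueError if not an integer
    if "TIMESTAMP" not in record:
        raise ValueError("record has no TIMESTAMP field")
    for name in PERCENT_FIELDS:
        if name in record and not 0 <= record[name] <= 100:
            raise ValueError(f"{name}={record[name]} is outside 0..100")
    return record


def record_time(record: dict) -> datetime:
    """TIMESTAMP is seconds since Jan 1, 1970 00:00:00; taken here as UTC."""
    return datetime.fromtimestamp(record["TIMESTAMP"], tz=timezone.utc)


def daily_summary(lines: list, field: str) -> dict:
    """Reduce one day's interval records to the four per-day summary values
    (current, total, average, maximum) described for summs.dc.
    Integer truncation of the average is an assumption of this example."""
    values = [parse_record(line)[field] for line in lines]
    if not values:
        raise ValueError("no records")
    return {
        "current": values[-1],
        "total": sum(values),
        "average": sum(values) // len(values),
        "maximum": max(values),
    }


# The record from the manual, followed by two constructed records one minute apart.
SAMPLE_DAY = [
    "0-930057960,1-3,2-3,3-0,4-0,5-0,6-0,7-0,8-0,9-0,10-56,11-76,12-1,13-11021,14-40,15-38,16-0",
    "0-930058020,1-4,2-3,3-0,4-1,5-0,6-0,7-2,8-7,9-5,10-56,11-210,12-180,13-40112,14-35020,15-2,16-1",
    "0-930058080,1-4,2-3,3-0,4-1,5-0,6-0,7-2,8-9,9-6,10-57,11-195,12-171,13-38760,14-33910,15-0,16-3",
]

if __name__ == "__main__":
    first = parse_record(SAMPLE_DAY[0])
    print(record_time(first).isoformat(), first["TOTALSESSIONS"], "sessions")
    print("failed auth attempts:", daily_summary(SAMPLE_DAY, "FAILEDAUTHATTEMPTS"))
```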

Logs

The VPN Router has several logs that provide different levels of information. The logs are stored in text files and indicate what happened, when the event occurred, and the IP address and user ID of the person causing the event.

Event log

The event log is a detailed recording of all events that take place on the system. These entries are not necessarily written to disk, as with the system log. The event log retains all system activity in memory, but you must configure the system to save the event log either automatically or in a specified file.
The event log includes information on tunneling, security, backups, debugging, hardware, daemon processes, software drivers, and interface card driver events.
As the event log adds information, the oldest entries are overwritten. The event log retains the latest 2000 entries and discards old entries when it is refreshed.
To configure event logging:
1 Select Status > Event Log.
The Event Log window appears. (Figure 2)
Figure 2 Event logs
2 In the Save Events to section, enter a filename and click Save to manually save the current event log at any time.
3 In the Auto Save Events to section, select the maximum number of files that you want to save and click Enabled to automatically save the event log.
4 The Capture and Display filters are hidden by default. Click Show to view or configure the capture and display filter capabilities. (Figure 3)
Figure 3 Capture and display filters
5 You configure the capture filter and display filter using Entity-Subentity or Severity. To configure the capture filter or display filter:
a Click Configure Capture Entity or Configure Display Entity. Figure 4 shows the Configure Display Entity window.
Figure 4 Configure Display Entity
b Select an Entity from the list.
c Select a Subentity from the list.
d Click Add to add the selected entity-subentity pair to the filter.
e Click Accept to complete your changes to the filter.
f Click Remove to delete a selected item from the list.
g Click Configure Capture Severity or Configure Display Severity to configure the level of severity that you want to display on the window from the log.
h Select a severity message from the Severity list and click Add to add it to the Captured Severity list or Displayed Severity list. Select Remove to remove a selected item currently in the Severity list.
i Click Accept to save any changes you make.
6 To sort the log based on key word matches, enter a list of key words, separated by a space or a comma.
7 Select the type of match you want. Select AND to match all key words. Select OR to match any key words.
8 Click Clear to clear the entire log. Only Administrators can clear the log.
9 Click Refresh to display new log entries.
10 Click Reverse Chronological Order to display the log in reverse chronological order.

System log

The system log contains all system events that are considered significant enough to be written to disk, including those displayed in the configuration and security logs. Events that appear in the system log include:
• LDAP activity
• configuration activity
• server authentication and authorization requests
The following is the general format of the log entries:
• time stamp
• task that issued the event (tEvtLgMgr, tObjMgr, tHttpdTask)
• number that indicates the CPU that issued the event (0=CPU 0, 1=CPU 1)
• software module that issued the event
• priority code assignment (number in brackets) (for a description of these codes, see “Event log” on page 41)
• indicates that the packet matched the rule in the listed section
• indicates the matching packet source, destination, protocol, and action configured for that rule
The following example shows a system log:
11:29:31 tEvtLgMgr 0 : CSFW [12] Rule[OVERRIDE 1]Firewall: [192.32.250.204:1024-10.0.18.12:2048, icmp], action: Allow
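As an added example that is not part of the manual, the following Python parser splits a firewall (CSFW) system log entry into the fields listed above and counts non-Allow matches per source address, a simple check for a host repeatedly hitting a blocking rule. Only the first log line is from the manual; the other lines, the Deny action value and the CONFIG module name are constructed for the example.

```python
"""Parse VPN Router system log entries of the firewall (CSFW) form.

Added example, not Nortel code. Field order follows the format list in
this section: time stamp, task, CPU number, module, priority code in
brackets, rule section, then matched source, destination, protocol and
action. Lines other than the first are constructed.
"""
import re
from collections import Counter
from typing import Optional

LOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<task>\S+)\s+"
    r"(?P<cpu>[01])\s+:\s+"
    r"(?P<module>\S+)\s+"
    r"\[(?P<priority>\d+)\]\s+"
    r"Rule\[(?P<section>[^\]]+)\]Firewall:\s+"
    r"\[(?P<src>[^:\s]+):(?P<sport>\d+)-(?P<dst>[^:\s]+):(?P<dport>\d+),\s*(?P<proto>\w+)\],\s*"
    r"action:\s*(?P<action>\w+)\s*$"
)


def parse_entry(line: str) -> Optional[dict]:
    """Return the named fields of a firewall rule-match entry, or None for
    lines in another form (other modules write different entry bodies)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("cpu", "priority", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry


def blocked_by_source(lines) -> Counter:
    """Count rule matches whose action is not Allow, keyed by source address.
    A run of such entries from one source is worth a look in the security log."""
    counts = Counter()
    for line in lines:
        entry = parse_entry(line)
        if entry is not None and entry["action"] != "Allow":
            counts[entry["src"]] += 1
    return counts


SAMPLE_LOG = [
    # Entry from the manual.
    "11:29:31 tEvtLgMgr 0 : CSFW [12] Rule[OVERRIDE 1]Firewall: [192.32.250.204:1024-10.0.18.12:2048, icmp], action: Allow",
    # Constructed entries in the same form; the Deny action name is assumed.
    "11:29:32 tEvtLgMgr 0 : CSFW [12] Rule[OVERRIDE 1]Firewall: [192.32.250.204:1025-10.0.18.12:2048, icmp], action: Allow",
    "11:30:05 tEvtLgMgr 1 : CSFW [12] Rule[OVERRIDE 2]Firewall: [192.32.250.77:3301-10.0.18.12:23, tcp], action: Deny",
    "11:30:06 tEvtLgMgr 1 : CSFW [12] Rule[OVERRIDE 2]Firewall: [192.32.250.77:3302-10.0.18.12:21, tcp], action: Deny",
    # Constructed non-firewall entry (module name assumed); parse_entry returns None.
    "11:30:07 tObjMgr 0 : CONFIG [10] Configuration saved",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_entry(line))
    print(blocked_by_source(SAMPLE_LOG))
```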

Security log

The Security log records all activity about system or user security. It lists all security events, both failures and successes. The events can include:
• authentication and authorization
• tunnel or administration requests
• encryption, authentication, or compression
• hours of access
• number of session violations
• communications with servers
— LDAP
— Remote Authentication Dial-In User Service (RADIUS)

Configuration log

The Configuration log records all configuration changes. For example, it tracks adding, modifying, or deleting the following configuration parameters:
• group or user profiles
• LAN or wide area network (WAN) interfaces
• filters
• system access hours
• shutdown or startup policies
• file maintenance or backup policies
Chapter 3 Administrative tasks
This chapter describes administrative tasks that help you operate the VPN Router. These tasks provide details on scheduling backups, upgrading the software image, saving configuration files, performing file maintenance, creating recovery diskettes, and system shutdown.

Shutdown

You use the Shutdown options to shut down immediately, to wait until current users are logged off, or to wait until a designated time. A normal shutdown safely terminates connections so that no data is lost, compared with a spontaneous loss of power.
Additionally, you can select whether to power off or restart after shutdown and which configuration file to use upon restarting. To conduct an orderly shutdown, you can disable new logins, and you can disable logins after the shutdown to perform system maintenance.
Always use the Admin > Shutdown window to shut down the system rather than the Power or Reset buttons on the back of the VPN Router. This ensures the integrity of your file system.
Note: After performing a system shutdown, click Reload/Refresh to see the latest VPN Router information.

Recovery

In the unlikely event that there is a hard disk crash, use the Recovery window to configure a recovery diskette to restore the software image and file system to the hard drive of the VPN Router. The recovery diskette is included with your VPN Router. You can also use this window to create additional copies of the recovery diskette, as well as to reformat a diskette.
Note: The VPN Router 1000, 1010, 1050, and 1100 do not have a floppy drive in the unit. Although the VPN Router 600 does not have a floppy drive, the recovery image is stored in a PROM and you can invoke it by pressing a switch on the back of the unit.

Accessing the diskette drive

If the VPN Router has a front cover, you must remove it to gain access to the diskette drive. See the installation guide for details on how to remove the front cover.

Using the recovery diskette

Booting the VPN Router with the recovery diskette does the following:
• reformats the hard disk
• allows FTP access to the hard disk
• restores the previously backed-up software image and file system from a backup host to the hard disk
• downloads a new factory default software image and file system from a file server to the hard disk
These utilities are accessed through Hypertext Transfer Protocol (HTTP) after the VPN Router is booted from the recovery diskette.
To use the recovery diskette:
1 Remove the VPN Router’s front cover.
2 Insert the recovery diskette into the drive and press Reset on the back of the VPN Router.
This supplies a minimal configuration utility so that you can view the VPN Router from a Web browser.
3 In the Web browser, enter the management IP address of the VPN Router.
The Recovery Diskette window appears, which you can use to:
— restore the factory default configuration or the backup configuration
— reformat the hard disk
— apply a new software version to the VPN Router
— perform file maintenance
— view the Event log
— restart the system
Figure 5 Recovery Diskette window
4 To restore the factory default configuration or the backup configuration, select the hard disk drive to which you want to restore the system files, either ide0 (drive 0) or ide1 (drive 1), and then do one of the following:
Select Restore Factory Configuration, then click Restore to return the VPN Router to its original factory default configuration. This erases data contained in flash memory and also in the configuration file.
Warning: Selecting this option requires you to rebuild your entire configuration from scratch.
An online message specifies the result of the Factory Configuration reset action.
Click Restore to restore the VPN Router’s previously backed-up configuration. If you previously chose to automatically backup the file systems, then the backup server host (or IP address) and path name, user ID, and password appear in the table.
Check Partial Backup if you want to restore the configuration files, log files or system files from a previous partial backup. The system restores the corresponding directory or files.
Select the preferred backup server. The latest backup copy of the file system, including software image and configuration files, is restored to the hard drive of your VPN Router.
You can use the same backup server for multiple VPN Routers. Each VPN Router creates a unique directory based on its serial number. The following example shows the host, path, and serial number (where the serial number [SN] is five digits):
C:/software/backup/v101/SN01001
You can use the serial number to differentiate backup configurations from multiple VPN Routers that are saved on the same backup server. The serial number uniquely identifies each VPN Router’s backup data.
If you did not configure automatic backup server locations, use the blank row in the server backup field to manually enter a backup server.
Note: FTP servers are often different, so check for information in your server documentation about setting paths that can help you with the upgrade procedure.
You can use a new factory default software image and file system to restore the VPN Router’s hard disk. Specify the name or address and path of the network file server onto which the software from the Nortel CD is installed.
Note: This restores the disk to an operable but clean condition (for example, configuration values are at factory defaults).
To view the serial number when the VPN Router is operational, select Status > System. The Serial Number is also on the bar code label on the back of the VPN Router.
5 Click Reformat Diskette if you must reformat the hard disk for one of the following reasons:
— cannot restore your configuration due to problems that are not caused by the network or the file/backup server from which the file restoration is retrieved
— want to reconfigure the VPN Router from scratch
— install a new disk
Caution: Selecting this option completely wipes out anything that was stored on the hard disk.
An online message indicates whether the reformatting of the hard disk is successful.
6 Select the image version that you want to activate from the list of available software image and file systems stored on the hard disk.
7 Click Apply to apply the new version and reboot automatically. Changes are active. The VPN Router boots to that version until changed.
8 Click Files to bring up the File Maintenance window, which allows you to view the entire hard disk file system.
9 Click View to display the Event Log beneath the Recovery Diskette window. This is especially useful if a Restore operation fails.
10 To set the boot disk, select either ide0 (drive 0) or ide1 (drive 1).
11 Click Set.
12 Click Synchronize to immediately synchronize the primary and secondary disks. Thereafter, the disks automatically synchronize every hour.
13 From the list, select the drive on which you want to upgrade the system boot software.
14 If the system boot sector is corrupted, click Upgrade to rewrite the boot software to the hard disk.
15 To restart the system, remove the diskette and press Reset on the back of the VPN Router. Reposition your Web browser to the Management IP address, and select Reload or Refresh from your browser menu to access the management window of the software running on the hard disk.
Note: You cannot use this procedure for the VPN Router 1000 due to the lack of a floppy drive in the unit. Although the VPN Router 600 does not have a floppy drive, the recovery image is stored in a PROM; you can invoke it by pressing a switch on the back of the unit.

Automatic backups

The VPN Router checks at regular intervals to see whether there are any system file changes. When system file changes occur, they are written to each of the backup servers. The VPN Router backs up all of the system files the first time; thereafter, it backs up only the files that change.
Note: Any changes made to backup parameters while a backup is in process do not take effect until the currently running backup is complete.
The VPN Router does not begin a backup for at least 5 minutes after rebooting to allow all resources to start operating. This delay occurs even if you request that a backup start immediately. Use the Admin > Auto backup window to configure regular intervals or specific times when your system files are saved to designated host backup file servers. You can designate up to three backup file servers.
You must create a directory on the File Transfer Protocol (FTP) or Secure File Transfer Protocol (SFTP) server before running automatic backup. If you specify a path in the Admin > Auto backup window and the directory does not exist on the FTP or SFTP server, the automatic backup fails and the message “The host path does not exist” is logged in the Event log.
Note: Automatic backup does not recognize a path beginning with the slash (/) character as it did in previous releases.

Using the GUI for automatic backup

You can use the GUI to transfer backup files through SFTP or to trigger a backup when a file or directory changes.
Transferring backup files through SFTP
You can now use an SFTP client to transfer backup files. Previously, you could use only FTP.
Note: To transfer backup files using SFTP, you must first configure a remote Secure Shell (SSH) server.
To transfer backup files using sftp:
1 Select Admin > Auto Backup.
2 In the Automatic Backup File Servers section, click the sftp check box for a particular server. FTP is the default.
Triggering a backup when a file or directory changes
You can trigger an automatic backup when a new file is created in a particular directory, or when a file or a directory changes. The VPN Router checks at regular intervals to see whether changes occur. These changes are written only to the backup server you specify. You can optionally delete that file after the backup is complete.
To enable automatic backup when a file or a directory changes:
1 Select Admin > Auto Backup.
The Automatic Backup window appears. (Figure 6)
Figure 6 Automatic backup window
2 Click Enabled to enable the associated host backup file server.
3 Enter the backup file server host name or IP address.
4 Enter the backup file server path, for example, test.
5 Click sftp to transport the backup files using an SFTP client. Do not select SFTP if you want to use the default, FTP.
Note: To transfer backup files using SFTP, you must first configure a remote SSH server.
6 To back up at a specific time, click Specific Time and enter the time that you want the backup to occur in the Specific Time text box.
7 To back up at certain intervals of time, click Interval and in the Interval text box specify in hours the time period after which the system automatically backs up changed files. The minimum interval is 1 hour, and the maximum is 8064 (336 days). The default is 5 hours.
8 If you chose either the Specific Time option or the Interval option, select the Backup Days you want to trigger the specific backup.
9 Click Auto if you want to back up files only when the files change.
Note: Because the auto trigger works only with the Specific backup option, select auto if you want to trigger the backup of a file found in the path of the Specific backup whenever there is a change in a file.
10 In the User ID text box, enter the user ID that is required for either FTP or SFTP logon to the backup file server.
11 In the Password text box, enter the password that is required for either FTP or SFTP logon to the backup file server.
12 In the Confirm Password text box, reenter the password that is required for either FTP or SFTP logon to the backup file server.
13 Click Configure Specific Backup.
The Specific Automatic Backup window appears. (Figure 7)
Figure 7 Specific Automatic Backup window
14 To see the list of files for a directory, highlight the name of a directory and click Display.
The files for that directory appear in the Files list.
15 To select the file that you want to back up, highlight the name of the file and click Select.
The name of the file you selected appears beside File name.
16 To select the directory that you want to back up, highlight the name of the directory and click Select.
17 To overwrite a file, click Overwrite files at destination.
18 To delete files after they are backed up, click Delete files on VPN Router after backup.
19 Click Apply to save the changes.
20 Select Admin > Auto Backup.
21 In the Backup Types section of Automatic Backup File Servers, click Specific Backup for the server of your choice.
22 Click Backup to run the backup to each enabled server now. This action also synchronizes the hard disk drives when there is more than one hard drive in a device. Otherwise, the hard disks synchronize automatically every 60 minutes.
A new window appears with the backup information at the top of the window.
23 Click OK.
After entering the automatic backup file server information, click on the window and press the keys Alt and Print Scrn (Screen) to save the screen image to a buffer. Next, paste the image into a file (for example, into Microsoft* Word) and keep it as a record of the backup file servers that you are using.

Using the CLI for automatic backup

Version 7.00 provides CLI commands for backing up a list of files and directories that changed on the VPN Router. The CLI command exception backup includes the following parameters:
specific—backs up specific files or directories only
file-path—backs up additional files or directories in a particular file path
auto—backs up the changes only to any file in a file path
overwrite—overwrites existing files on the host
delete—deletes files on the VPN Router after backup
sftp—uses SFTP to transfer the backup files
For more information about the command parameters, see Nortel VPN Router Using the Command Line Interface.
Note: To transfer backup files using SFTP, you must first configure a remote SSH server.
The following sections describe how to use the CLI commands. You must enter the commands from CLI Global Configuration Mode. For more information about the Global Configuration Mode, see Nortel VPN Router Using the Command Line Interface.
Backing up specific files and directories
To back up specific files and directories, with the option to delete them after backup, enter:
exception backup advanced {1 | 2 | 3} {full | partial | specific [<file-path> ] [overwrite] [delete]}
For example, to set the target of the exception backup to the directory /ideX/system/log, enter:
CES(config)# exception backup advanced 1 specific /ideX/system/log/ overwrite
Stopping the backup of specific files and directories
To stop the backup of specific files and directories, enter:
no exception backup advanced {1 | 2 | 3} {full | partial | specific [overwrite] [delete]}
For example, to stop the previous exception backup, enter:
CES(config)# no exception backup advanced 1 specific
Backing up changes to specific files or directories
To back up the changes for specific files or directories on a particular server, use the auto option. The auto option works only with the specific backup type. Enter:
exception backup {1 | 2 | 3} {<ip-address> | <host-name>} [<file-path>] auto username <user-name> password <password>
For example, to back up the files that changed on backup server number 1, enter:
CES(config)# exception backup 1 10.2.5.68 auto username admin password setup
Stopping the backup of changes to specific files or directories
To stop backing up the changes for specific files or directories for a particular server, enter:
no exception backup advanced {1 | 2 | 3} specific
For example, to stop backing up files that changed in backup server number 1, enter:
CES(config)# no exception backup advanced 1 specific
Using SFTP to transfer backup files
To use SFTP to transfer the backup files, from CLI Global Configuration Mode, enter:
CES(config)# exception backup {1 | 2 | 3} sftp
For example, to use SFTP to back up the files that changed in backup server number 2, enter:
CES(config)# exception backup 2 sftp
Stopping the transfer of backup files using SFTP
To use SFTP to stop the backup of files, from CLI Global Configuration Mode, enter:
CES(config)# no exception backup {1 | 2 | 3} sftp
For example, to use SFTP to stop the transfer of files that changed in backup server number 2, enter:
CES(config)# no exception backup 2 sftp
For more information about the command parameters, see Nortel VPN Router Using the Command Line Interface.

Disabling new logins

You can prevent clients from connecting to the VPN Router without affecting the users currently connected by using this feature to disable new logins. When new logins are disabled, no new IPsec connections are established.
To disable new logins:
1 Select Admin > Shutdown.
2 Click Disable new logins. (Figure 8)
Figure 8 Disable new logins
If you do not want to reboot the switch after you disable new logins, click None in the System Shutdown section.
To disable new logins using the CLI, enter the following command:
CES# reload [at <hh:mm>] [boot-drive] [boot-normal | boot-safe] [config-file] [power-off | restart] disable-logins

Upgrading the software

To upgrade the VPN Router, download the latest Nortel software using the File Transfer Protocol (FTP). Because FTP servers are often different, check your server documentation for information about setting paths that can help you with the upgrade procedure.
You can download the latest software from:
• Nortel Web site
• your own FTP site if you previously downloaded the software from the Nortel FTP site
• Nortel software CD
If an FTP server does not use standard FTP port numbers, you cannot use it to download Nortel software. For more information, contact Nortel Customer support.
Note: You cannot upgrade the software through a branch office tunnel that is translating the management address with dynamic Network Address Translation (NAT).
If file retrieval fails, the VPN Router retries the transfer. The WU-FTP server does not support this behavior and can cause the negotiation to fail. Explore connectivity issues as the first possible level of failure.

Checking available disk space

Nortel recommends that you keep a maximum of four software versions on the system disk. If four versions already exist on the Admin > Upgrade window, you must delete one version before you download another version.
To remove a software version:
1 Select Admin > File System.
2 Select the Hard Drive (/ide0/).
3 Click Display.
A list of the versions on the VPN Router appears.
4 Click the version you want to view and click Details. When the window
refreshes, you see the directory that you just selected. Click Delete Directory.
A new window appears verifying this is what you intended to do. If there is more than one image on the hard drive, follow the above process to delete all the older image upgrades.
Before you upgrade your software, use one of the following methods to make sure there is enough available disk space:
From the GUI, select Status > Statistics > File System. The last line lists the free space on the disk.
From the CLI, enter show status statistics system file-system. The last line lists the free space on the disk.
Note: Some restrictions apply if you have a VPN Router 1010, 1050, or 1100. To export the configuration and LDIF files from the device, FTP the files to a server and view the file size. If the combined size of the LDIF and configuration files is less than 1Mbyte, you can upgrade to the latest version. The VPN Router 1010, 1050, and 1100 allow a maximum of two images on the flash disk. You must remove the second image (if present) prior to downloading an upgrade.

Creating a control tunnel to upgrade from a remote location

To upgrade the software on a VPN Router from a remote location, you must create a user control tunnel at the physical location of the VPN Router. User control tunnels provide secure access to a remote VPN Router so that you can manage it over a network.
You can create a user control tunnel through the serial port on the VPN Router or with the GUI. When you create a user under the group Control Tunnels, it automatically becomes a control tunnel user. To create a user control tunnel through the serial port:
1 Connect the serial cable (supplied with the VPN Router) from the VPN
Router’s serial port to a terminal or to the communications port on a PC.
2 Turn on the PC or the terminal.
3 On the PC, start HyperTerminal* or another terminal emulation program and press Enter.
The Welcome window appears.
4 Enter the VPN Router administrator user name and then the password.
The serial main menu appears.
5 Type 5 (Create A User Control Tunnel (IPsec) Profile).
6 Enter the user ID that you plan to use to log in remotely to the VPN Router.
7 Enter the password that you plan to use.
8 Enter the password again.
9 When you are prompted for an IP address, you can enter a static IP address that is assigned to the user during the control tunnel connection. If an address pool is configured, you do not need to enter a static IP address.
Go to the next section, “Creating a recovery diskette” on page 63.

Creating a recovery diskette

Before you upgrade the VPN Router, create a recovery diskette. You must perform this task on the VPN Router itself. To create a recovery diskette:
1 Insert a blank diskette into the floppy drive.
2 Select Admin > Recovery and click Create Diskette.
Note: If you have a diskless system, for example, a VPN Router 1100, the recovery image is stored in flash memory.

Backing up system files

Before you upgrade, verify that a recent automatic backup was done in one of the following methods:
1 If you are located at a remote site, connect to the VPN Router through a tunnel (branch office or user control).
2 Select Admin > Auto Backup and ensure that a recent automatic backup was performed to an FTP server.
3 If a recent backup does not exist, use the following steps to create the backup on the Automatic Backup window:
a Enter an IP address or host name, path, interval, FTP user ID, and password.
b Click Backup to start the backup immediately.
This saves your entire hard drive, including the LDAP and configuration files.

Retrieving the new software

For Version 4.80 and later, the VPN Router release image is available in a compressed .zip file so that each individual file does not download separately. The VPN Router decompresses the image as it retrieves it. You must then apply the new image.
To use the compressed zip file:
1 Place the zip file (for example, V04_80.114.tar.gz) on the FTP server that you are using for the upgrade.
D:\ftp>dir
 Volume in drive D has no label.
 Volume Serial Number is 9B29-6769

 Directory of D:\ftp

06/18/2003  01:20p    <DIR>          .
06/18/2003  01:20p    <DIR>          ..
06/18/2003  06:53a          31,779,808 V04_80.069.tar.gz
Note: Do not attempt to create your own zip archive. Use the .tar.gz file distributed by Nortel.
2 Select Admin > Upgrades.
3 Fill in the following fields on the Upgrades window:
Host: type the IP address or the name of the machine where the new software is located.
Path: type the directory path location of the new software. The path value is the relative location of the .gz file from the FTP root in the directory. In the example below, the V04_80.069.tar.gz file is located at the root of the FTP directory.
Version: type the exact name of the code that you are upgrading to (for example, V04_80.114).
Figure 9 shows an example upgrade to V04_80.114 from server 192.32.250.64. The file V04_80.114.tar.gz must be located at the root of the FTP directory.
Figure 9 FTP menu example
When you FTP to the FTP server from another PC, you see the location of the file.
D:\ftp>ftp 192.32.250.64
Connected to 192.32.250.64.
220 entrust-ca Microsoft FTP Service (Version 2.0).
User (192.32.250.64:(none)): anon
331 Password required for anon.
Password:
230 User anon logged in.
ftp> ls V04_80.069.tar.gz
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
V04_80.069.tar.gz
226 Transfer complete.
ftp: 19 bytes received in 0.62Seconds 0.03Kbytes/sec.
ftp>
If you want to locate the tar file in a subdirectory on the FTP server, you must prepend the subdirectory to the path.
Figure 10 shows an example with the tar file located in the images directory under the FTP root.
Figure 10 FTP menu with subdirectory example
User ID: type the login ID required to gain access to the FTP server where the new VPN Router software is located.
Password and Confirm Password: type the password (twice) that corresponds to the user ID you just entered.
4 After filling in all the required fields, click Retrieve new version to disk. The New version retrieval window displays the progress of your download and indicates whether the retrieval was successful.
5 When the retrieval of the zipped image is complete, you can apply the new version from the list.

Before completing the upgrade

During the Apply process of upgrading to a new version of code, the VPN Router copies files from your current version of software to the new version before the VPN Router is rebooted. Because processes are still running, the copying of files can potentially cause file access problems.
To minimize the possibility of file access problems after the upgrade, Nortel recommends that you perform the following steps.
NN46110-602
1 Disable new logins. See “Disabling new logins” on page 60 for the procedure.
2 Log off all active tunnel sessions.
a Select Status > Sessions.
b Scroll to the bottom of the window and click both Log Off buttons to log
off all non-administrative users and all branch office connections.
Note: These sessions are logged off during the Apply process.
3 Disable RADIUS accounting.
a Select Servers > RADIUS ACCT and disable all of the following
options:
— Internal RADIUS Accounting
— Interim RADIUS Accounting Record
— Response Timeout for RADIUS Accounting Server
— External RADIUS Accounting Server
b Click OK.

Applying the software

After you start the apply process, do not make any queries on the VPN Router. Queries try to access files and can cause problems during the upgrade process.
To apply the new software:
1 Select Admin > Upgrades.
2 From the Apply New Version list, select the software version that you just
downloaded.
3 Click Apply to start the upgrade process.

After you upgrade the software

After the VPN Router reboots itself with the upgraded software, follow these steps:
1 Wait 2 minutes after the reboot before you run queries to make sure that all
startup processes had time to read the files they need.
2 If you are managing the VPN Router remotely, connect to the VPN Router
over a user control tunnel.
3 Clear the cache on your browser and close all browser windows.
4 Restart your browser, log on to the VPN Router, and navigate to Status >
System. Check the Software Version field to verify that the new software version is applied.
5 Select Admin > Shutdown and deselect Disable new logins.
Caution: If you do not follow the next step, the VPN Router shuts
down.
6 Select a system shutdown type of None and click OK.
You have successfully upgraded your switch.
Chapter 4 Troubleshooting
This chapter introduces the concepts and practices of advanced network configuration and troubleshooting for the Nortel VPN Router. Its purpose is two-fold: to provide configuration details to consult when setting up or modifying the extranet, and to serve as a resource when diagnosing client and network problems.
Typically, there are three types of problems to address when managing an extranet:
connectivity
performance
general
As a network administrator, your primary concern is to maintain connectivity. For extranet access, this means maintaining the secure connections between your remote users and the private intranet serviced by the VPN Router. Performance is another area of concern. Paying attention to performance helps you address issues before they become problems.
Connectivity problems occur when the remote user cannot establish a connection with areas of their private corporate network. There are several points of failure to consider when diagnosing connectivity problems. Problems can range from something as simple as a modem configuration error on the client workstation to a complex HDLC protocol error on the T1 WAN interface.
Troubleshooting remote access problems typically starts at the client end when the remote user cannot establish a connection, loses a connection, or has difficulty browsing the network or printing. When connectivity problems occur and the source of the problem is unknown, it is usually best to follow the OSI network architecture layers. Therefore, start diagnosing the physical environment, the modem, and the cables before moving up to the network and application layers (for example, pinging a host and Web browsing).
As with connectivity, there are many places in the extranet network where network performance is affected. By regularly checking the network statistics, logs, and health check information, and by informing users of good network practices, you can often avoid problems and enhance the productivity of the extranet.
General problems are categorized here as problems other than those related to connectivity or network performance. For the latest release-specific problems, check the release notes.

Troubleshooting tools

Client-based tools

For the VPN Router administrator, a robust troubleshooting toolbox is filled with both standard and special tools for diagnosing network problems. Standard tools like Telnet, PING, Trace Route (tracert.exe), sniffers, and analyzers are a basic necessity. To this collection, some special tools are added to the VPN Router manager and remote client applications. These special tools include client- and VPN Router-based tools.
IPsec VPN Client Monitor provides network statistics on device, connection, and network errors that help monitor traffic flow and assess IPsec connection performance. Statistic counters are updated once a second. For more information on the IPsec VPN Client Monitor, see the VPN Client online Help.
Microsoft Point-to-Point Tunneling Protocol (PPTP) Dial-Up Networking Monitor provides network statistics on device, connection, and network protocols that help monitor traffic flow and assess PPTP connection performance. For more information on the PPTP Dial-Up Networking Monitor, see the PPTP help or your Microsoft PPTP client documentation.

System-based tools

Use the Manager Status > Health Check window to view colored status indicators that evaluate individual component status, and click associated hyperlinks to go directly to manager windows for corrective action.
Use the Manager Status > Statistics window to view detailed system and network statistics.
Use the Manager Status > Security, Config, System, and Event Log window to view various logs recording system and network events that help you trace problems and determine their origins.

Other tools

Table 2 lists the tools that are helpful for diagnosing connectivity problems from Windows* 95, Windows 98, and Windows NT* workstations.
Table 2 Troubleshooting tools
Windows 95/Windows 98 | Windows NT | Use for...
Winipcfg command | Ipconfig command | Obtaining IP address, DNS, WINS information
Netstat command | Netstats command | Viewing statistics from Microsoft TCP/IP stack
Ping and tracert commands | Ping and tracert commands | Testing connectivity, name resolution, route tracing
Dial-Up Monitor status | Dial-Up Monitor status | Viewing modem settings, throughput and errors

Solving connectivity problems

This section lists many of the common connectivity problems that occur and their recommended solutions. Problems, and some typical client user responses that can help with diagnosis, are categorized as follows:
Modem and dial-up problems
“I cannot browse the Web or check my e-mail over my dial-up connection.”
“I cannot ping my ISP site.”
Extranet connection problems
“I can browse the Web over my dial-up connection, but I cannot log in to my network over the extranet connection.”
Problems with name resolution using DNS services
“I logged into my corporate network, but I get messages saying the host is unknown.”

Diagnosing client connectivity problems

“I can ping the host using its IP address, but not using its host name.”
Network browsing problems
“I cannot browse the corporate network.”
“I cannot print.”
“I cannot access the Internet over my extranet connection.”
A connection can fail at varying points in an extranet. If remote users have a problem accessing their corporate network and the source of the problem is unknown, Nortel recommends that they follow these steps to first determine whether the problem is with their modem, Point-to-Point Protocol (PPP) dial-up, or with the extranet connection:
1 Confirm that the modem is attached and working properly by running a
terminal emulation program at their remote workstation, such as Hyperterminal*, and issuing the AT command. If the response is OK, the modem is operating correctly.
2 Verify that there is a PPP dial-up connection over the internet. To do this,
before trying to establish an extranet access or PPTP connection, have them try Web browsing www.nortel.com or another Web site. If the remote user can access the Web site, their PPP dial-up connection is working properly. See the section "Common client connectivity problems" to further troubleshoot the connection problem. If the remote user still cannot verify that their dial-up connection is working properly, continue with step 3.
3 Ask the remote user to check that their modem type and settings are
configured properly. To do this, they right-click on the Dial-Up Networking connection icon (the icon they click to dial their connection) on their desktop to view its properties. Verify that these settings are correct for their modem configuration.
4 If the remote user is connected but unable to access any resources or servers,
have them check their system's connection information: go to the Start menu, select Run, and type winipcfg in the text box (or ipconfig if using Windows NT). Ask them to view the statistics for their PPP adapter and confirm that the entries match those provided by the Internet service provider (ISP).
5 If the remote user is still unable to view resources or servers over their PPP
dial-up connection, contact their ISP to see if any connection attempts were logged from the user, and for additional troubleshooting assistance.

Common client connectivity problems

Extranet connection problems
If the client is successfully connecting to their ISP, but is having problems accessing their intranet over their PPTP or IPsec VPN Client connection, have them check the following areas to further troubleshoot their connection problem.
The following messages and their associated cause and action statements are directed to the IPsec VPN Client user at the remote workstation. This information is also available in the VPN Client online Help.
Remote host not responding
Cause: This indicates that the VPN Router never responded to the IPsec connection attempt or that User Datagram Protocol (UDP) port 500 is blocked.
Action: Verify that the VPN Router is accessible by pinging the host name or IP address that you filled in the destination field. To ping a host called extranet.corp.com, for example, open an MS-DOS command prompt and type ping extranet.corp.com. If you receive a reply message, it indicates that the VPN Router is accessible but is not responding. If you received a message that says Request Timed Out from the ping command, it means that the VPN Router is inaccessible. You can further diagnose the problem using the MS-DOS Trace Route command (tracert.exe) on Windows systems.
The VPN Router allows only a certain number of PING packets from another Internet host before requiring a tunnel connection to be established.
Maximum number of sessions reached
Cause: This indicates that the maximum number of users for the account you are using are currently logged in.
Action: If you are the only user with access to your account, it is possible to get this error if you restarted an IPsec connection immediately after losing the dial-up connection to your ISP. This is because the VPN Router takes up to one minute to determine that your connection is dropped and logs you off from your account. Simply wait a minute and retry your connection.
Login not allowed at this time
Cause: This indicates that your account is limited to specific hours of access and you are trying to connect outside of the allowed time.
Action: Contact your network administrator if you are unsure of your specific hours of access.
Authentication failed
Cause: The IPsec user name is incorrect or the password is invalid for the user name entered.
Action: Verify that the user name you entered is correct and retype the password before trying the connection again.
No proposal chosen
Cause: The VPN Router you are connecting to is not configured to handle the authentication method configured under the current connection profile.
Action: Verify that you are using the correct IPsec parameters, such as a choice of ESP-3DES with SHA1. Make sure it matches what the client (for example, an International client) can do.
Other IPsec errors
Cause: Typically other error messages indicate an error in configuration on the VPN Router that the network administrator must correct.
Action: Contact your Network Administrator with the specific error message.
Extranet connection lost
If the PPTP or IPsec VPN Client connection was initially established and then fails, one of two error messages appears: The physical connection has been lost or The secure extranet connection has been lost.
The physical connection has been lost
Cause: The PPP connection to your ISP was disconnected.
Action: Re-establish the PPP dial-up connection to your ISP before you
re-establish the extranet connection to the remote network.
The secure extranet connection has been lost
Cause: For IPsec only, the VPN Router that you are connected to has either logged your connection off or is no longer responding.
Action: Click Connect to re-establish the extranet connection. If this works, the connection was probably lost due to the Idle Timeout configured on the VPN Router. If no data is transferred through the extranet connection for a long period of time, normally 15 minutes or more, the VPN Router automatically disconnects the connection.
If you were unable to successfully re-establish the extranet connection, the dial-up connection may be preventing data from traveling between the VPN Client and the VPN Router. Hang up the dial-up connection and reconnect before you try to re-establish a connection. If you are still unable to connect to the VPN Router, open an MS-DOS Command Prompt and try pinging the VPN Router using the host name or address that you specified in the Destination field. If you receive a Destination Unreachable error message, there is a routing problem at the ISP. If you receive a Request Timed Out error message, the VPN Router is probably not available, and you can contact your network administrator.
Auto disconnect closes the dial-up connection during data transfer activity
Cause: In Windows 95 only, the Microsoft Auto Disconnect feature does not recognize data activity unless it passes through Internet Explorer. Microsoft has documented this as a known problem in Windows 95.
Action: At the remote workstation, disable Auto Disconnect if you are not using Internet Explorer to access data on the remote network. To do this, open the Control Panel and choose the Internet icon. Select the Connection property sheet and deselect Disconnect if idle for.

Problems with name resolution using DNS services

DNS misconfiguration is usually the problem if a client can ping a host using an IP address but not with its host name, or receives messages that the host name cannot be resolved.
Cause: You cannot configure a DNS server for PPTP or IPsec connections on the VPN Router.
Action: Validate that the VPN Client is configured with a DNS entry. For Windows NT 4.0, open a command prompt and enter ipconfig/all. Verify that a DNS server entry is listed. For Windows 95, from the Start menu on the task bar, select Run and enter winipcfg. Select Nortel VPN Router Extranet Access Adapter from the list of adapters and click More Info. Record the information displayed under the DNS Server entry and verify it with the network administrator.
Cause: The hostname being resolved has both a public and a private IP address, commonly referred to as a split-horizon DNS.
Action: Open a command prompt and ping the host you are trying to reach with a fully qualified host name (for example, www.nortel.com). If you receive a response, verify that the IP address returned on the first line (for example, www.nortel.com [207.87.31.127]) is an IP address from the remote corporate network. If it is not, notify your network administrator that you need to modify the internal hostname so that it is not the same as the external hostname.
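The ping-based checks above ("Remote host not responding", "Extranet connection lost", and the split-horizon DNS case) all turn on reading the output of the Windows ping command correctly. The following Python script is an added example, not part of the Nortel manual or the VPN Router software: it parses constructed ping output, returns the verdict the text gives for each outcome, and checks whether the address a name resolved to belongs to the corporate address space. The sample outputs, the corporate network list (10.0.0.0/8), and the RFC 5737 documentation addresses are constructed; 207.87.31.127 is the example address from the text.

```python
import ipaddress
import re

# Constructed Windows ping output for the outcomes the troubleshooting text
# distinguishes. Not captured from a real session; 192.0.2.0/24 and 198.51.100.0/24
# are documentation ranges, 207.87.31.127 is the manual's own example.
PING_REPLY = """Pinging extranet.corp.com [10.20.0.5] with 32 bytes of data:
Reply from 10.20.0.5: bytes=32 time=41ms TTL=120
Reply from 10.20.0.5: bytes=32 time=39ms TTL=120
"""
PING_TIMEOUT = """Pinging extranet.corp.com [192.0.2.10] with 32 bytes of data:
Request timed out.
Request timed out.
"""
PING_UNREACHABLE = """Pinging extranet.corp.com [192.0.2.10] with 32 bytes of data:
Reply from 198.51.100.1: Destination host unreachable.
"""
PING_PUBLIC_NAME = """Pinging www.nortel.com [207.87.31.127] with 32 bytes of data:
Reply from 207.87.31.127: bytes=32 time=88ms TTL=50
"""

# First line of Windows ping output: "Pinging <host> [<address>] with ..."
HEADER_RE = re.compile(r"^Pinging\s+(\S+)\s+\[([0-9.]+)\]")
# A real echo reply carries "bytes="; "Destination host unreachable" lines do not.
REPLY_RE = re.compile(r"^Reply from [0-9.]+: bytes=\d+")


def parse_ping(output):
    """Extract the resolved target and tally the reply types in Windows ping output."""
    lines = [line.strip() for line in output.splitlines() if line.strip()]
    host, addr = None, None
    if lines:
        m = HEADER_RE.match(lines[0])
        if m:
            host, addr = m.group(1), m.group(2)
    return {
        "host": host,
        "address": addr,
        "replies": sum(1 for line in lines if REPLY_RE.match(line)),
        "timeouts": sum(1 for line in lines if line.startswith("Request timed out")),
        "unreachable": any("unreachable" in line.lower() for line in lines),
    }


def diagnose_reachability(output):
    """Map the ping result to the verdict the manual gives for a failed connection."""
    r = parse_ping(output)
    if r["unreachable"]:
        return "routing problem at the ISP (Destination Unreachable)"
    if r["replies"] > 0:
        # Host answers ICMP but not IPsec: the text points at UDP port 500 being blocked.
        return "VPN Router reachable but not answering IPsec: check the UDP port 500 path"
    if r["timeouts"] > 0:
        return "VPN Router inaccessible or not available (Request Timed Out): try tracert"
    return "no ping result to interpret"


def check_split_horizon(output, corporate_networks):
    """Flag a name that resolved to an address outside the corporate address space."""
    r = parse_ping(output)
    if r["address"] is None:
        raise ValueError("ping output has no 'Pinging host [address]' header")
    addr = ipaddress.ip_address(r["address"])
    internal = any(addr in ipaddress.ip_network(net) for net in corporate_networks)
    return {"host": r["host"], "address": r["address"], "resolved_internally": internal}


if __name__ == "__main__":
    for sample in (PING_REPLY, PING_TIMEOUT, PING_UNREACHABLE):
        print(diagnose_reachability(sample))
    print(check_split_horizon(PING_PUBLIC_NAME, ["10.0.0.0/8"]))
```

Keep in mind the note in the text that the VPN Router answers only a limited number of PING packets from a host that has no tunnel established, so a run that starts with replies and ends with time-outs does not by itself indicate a fault.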
Cause: The retail release of Windows 95 contained a bug that prevented use of more than one DNS server. This problem was fixed in OS Release 2.
Action: If you are using a release earlier than OS Release 2 of Windows 95, a patch is available from Microsoft to upgrade the winsock.dll. This patch is downloadable from www.microsoft.com.

Network browsing problems

Cannot browse the network (with NetBEUI)
Cause: For both PPTP and IPsec, the VPN Router does not currently support the NetBEUI protocol.
Action: To browse resources on a remote domain through a connection to a VPN Router, it is necessary to remove the NetBEUI protocol and to have a WINS server configured. By removing NetBEUI, the Microsoft Client uses NetBIOS over TCP/IP to browse network resources. This applies to both the PPTP dial-up client provided by Microsoft and the VPN Client provided by Nortel.
Cannot access Web servers on the Internet after establishing a VPN Client connection
Cause: For both PPTP and IPsec, this condition occurs as a result of all network traffic passing through the corporate network. Typically, firewalls and other security measures on the corporate network limit access to the Internet.
Action: The administrator can set up a default route on the VPN Router to forward traffic to the Internet. If this default route is not configured, you must disconnect the extranet connection to Web browse the Internet through your ISP connection.
Alternatively, if you are using a proxy-based firewall, you must set the Web browser to use the firewall to proxy for HTTP traffic when the tunnel connection is in use.
Cannot access network shares after establishing an extranet access connection
Cause: A Windows Internet Name Service (WINS) server is not configured for PPTP or IPsec connections on the VPN Router.
Action: Validate that the VPN Client is configured with a WINS server. Follow the steps outlined above under "Problems with name resolution using DNS services" to run ipconfig at a command prompt on Windows NT 4.0 or to run winipcfg on Windows 95. Verify that a primary WINS server is listed under the section for the adapter named IPsecShm on Windows NT 4.0, and on Windows 95 verify that a primary WINS server is listed in winipcfg for the VPN Client adapter. If there is no primary WINS server listed, notify the network administrator that the VPN Router may not be properly configured.
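The DNS check in the previous section and the primary WINS server check above both come down to reading ipconfig /all output for the right adapter. The following Python parser is an added example, not part of the manual or the VPN Router software; it turns constructed Windows NT 4.0 ipconfig /all output into a dictionary per adapter and applies both checks. The sample text, the host name, the addresses and the second adapter name (El90x1) are constructed; IPsecShm is the adapter name the text gives for Windows NT 4.0.

```python
import re

# Constructed ipconfig /all output in the Windows NT 4.0 layout (not a real capture).
# On NT 4.0 the DNS server list sits in the global section; per-adapter entries
# follow "Ethernet adapter <name>:" headers.
SAMPLE_IPCONFIG = """
Windows NT IP Configuration

        Host Name . . . . . . . . . : remote-laptop
        DNS Servers . . . . . . . . : 10.10.1.53
        Node Type . . . . . . . . . : Hybrid

Ethernet adapter IPsecShm:

        Description . . . . . . . . : Nortel VPN Router Extranet Access Adapter
        IP Address. . . . . . . . . : 10.20.30.40
        Subnet Mask . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . : 10.20.30.40
        Primary WINS Server . . . . : 10.10.1.44

Ethernet adapter El90x1:

        Description . . . . . . . . : 3Com EtherLink
        IP Address. . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . : 192.168.1.1
"""

# "Key . . . . : value" lines; the dot leaders and spaces before the colon are dropped.
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)[ .]*:\s*(.*)$")
# "Ethernet adapter <name>:" (or "PPP adapter <name>:") section headers.
ADAPTER_RE = re.compile(r"^\S.* adapter (.+):\s*$")


def parse_ipconfig(text):
    """Return {"_global": {...}, "<adapter>": {...}} from ipconfig /all output."""
    sections = {"_global": {}}
    current = "_global"
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = KV_RE.match(line)
        if m and line.startswith(" "):
            sections[current][m.group(1).strip()] = m.group(2).strip()
    return sections


def name_service_check(sections, adapter="IPsecShm"):
    """Apply the two checks from the text: a DNS server entry exists and the
    VPN adapter lists a primary WINS server. DNS is looked up globally first,
    then per adapter, to cover layouts that list it under the adapter."""
    dns = sections["_global"].get("DNS Servers", "")
    if not dns:
        dns = sections.get(adapter, {}).get("DNS Servers", "")
    wins = sections.get(adapter, {}).get("Primary WINS Server", "")
    return {
        "adapter_present": adapter in sections,
        "dns_servers": dns,
        "dns_ok": bool(dns),
        "primary_wins": wins,
        "wins_ok": bool(wins),
    }


if __name__ == "__main__":
    parsed = parse_ipconfig(SAMPLE_IPCONFIG)
    print(name_service_check(parsed))
    print(name_service_check(parsed, adapter="El90x1"))
```

A result with dns_ok or wins_ok set to False is what the text tells the user to report to the network administrator as a possible VPN Router group profile misconfiguration; adapter_present False means the VPN Client adapter itself is not installed or not up.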
Cause: Your system is set up for a different domain other than the one on the remote network.
Action: Skip the initial domain login when Windows 95 starts and choose Log on to the Remote Domain under the Options menu of the VPN Client dialog box.
You are then prompted to log in to the domain of the remote network after the extranet connection is made. This is the recommended method for users with docking station configurations.
Alternatively, on NT 4.0, Windows 98, and Windows 95, complete the following steps to change your workstation to be a member of a workgroup instead of a domain:
1 From the Start menu, select Settings > Control Panel. In the Control Panel,
double-click Network.
The Network Control Panel applet appears.
2 Select the Identification tab. In Windows 95, you can modify the entries on
the Identification tab; on NT 4.0, you must click Change to change the entries.
3 Change to use a Workgroup and verify that the computer name does not
match the entry on the remote network. The name for the workgroup is not important; you can enter anything.
4 Click OK to save the changes and reboot the machine.
5 When accessing a resource on the remote domain, if you are prompted for a
user name and password, the domain name must precede the user ID. For example, if the user ID is JSmith and you are accessing a machine on the remote domain named CORP, enter your user name as CORP\JSmith.

Diagnosing WAN link problems

WAN link problems can occur between the VPN Router and the public data network (PDN) at three levels:
1 T1/V.35 interface
2 HDLC framing
3 PPP layer
If a connectivity problem occurs with the WAN link, there are two approaches to diagnosing and correcting the problem.
Start from the bottom to verify that physical connectivity exists, then make sure that the HDLC link is up, and finally examine the PPP status to see if it is passing IP packets back and forth.
Start from the top down to go in the opposite direction, looking at PPP first and working down to the physical connection. An important point to remember when taking this approach is that at the higher protocol layers, there are more options to misconfigure, but changing them is easier and generally involves less effort.
A key point to remember when diagnosing WAN link problems is to involve the T1 service provider in the troubleshooting effort. This is not only because they can help diagnose the problem, but also because an ISP can bring down a link if it detects errors on the line. Notify the ISP administrator if you are planning to work on the link.
Check the T1/V.35 interface
To diagnose a problem at the WAN physical layer, use the following steps to verify that the T1/V.35 interface to the public data network (PDN) is operating correctly, and that the T1 line is properly connected:
1 Have your ISP run a loopback test from their end to the CSU/DSU to verify
that the external line is working correctly.
2 Check the connections between the VPN Router and the CSU/DSU. Make
sure that the V.35 cable is a straight-through cable and firmly seated, that the CSU/DSU is configured to use internal clocking, and that NRZ is encoded with CCITT CRC for the checksum.
3 Make sure that all the control signals are asserted (CTS, DCD, DSR, RTS,
and DTR). You can check these signals on the VPN Router from the Manager WAN Statistics window. If any of these signals are incorrect, you can try disabling or enabling the link from the Manager WAN Interfaces window, or unplugging and plugging in the link. If these steps do not resolve the problem, try switching ports on the same card, switching cables, or switching to a new card, if available.
4 If the previous steps fail to resolve the problem, and you still suspect a
problem with the physical connection, try rebooting the VPN Router to reinitialize the WAN interface.
Check the HDLC framing
Assuming that the T1/V.35 interface is operating correctly, use the following steps to determine whether the HDLC layer is up and running properly, and to provide information for Nortel Customer Support for further diagnosis:
1 Check that there are no input or output errors reported on the Manager WAN
statistics window. Also look to see if the input and output counters are
incrementing at all. If the input/output counters are not incrementing, or are incrementing by huge amounts, then there are probably framing or timing errors on the link. Also, a large percentage of input errors can indicate a problem with the FCS (Frame Check Sequence) calculation.
2 Examine the Manager Statistics event log with debugging enabled. Any
WAN-related log messages probably indicate some sort of error.
3 Report any of the preceding errors and messages to Nortel Customer Support
for assistance in diagnosing the HDLC framing problem.
Check the PPP layer
If the WAN link is passing frames back and forth, but IP packets are not flowing, then the problem can be how PPP is configured.
To examine the state of the PPP connection, and to provide information for Nortel Customer Support for further diagnosis:
1 Check whether the state of the PPP connection is changing at all by
periodically clicking Refresh while viewing the WAN statistics window. If the state is always Down, PPP may not know that the link is up. If the state toggles between Dead and LCP Negotiating, PPP is trying to come up but cannot. This is probably due to a problem with the underlying layers, although it can also be a bad configuration of the LCP options.
2 If the connection fails during authentication, then try disabling the PPP
Authentication settings. A problem during Network Negotiating is usually
due to misconfigured IPCP options.
3 Verify that all the authentication settings match the ISP-recommended router
configuration.
4 If the PPP layer still does not come up, enable the interface debugger to
generate large amounts of packet traces in the event log. Report this information to Nortel Customer Support for further diagnosis.
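Step 1 of "Check the HDLC framing" and steps 1 and 2 of "Check the PPP layer" describe what to look for in successive readings of the Manager WAN statistics window. The following Python script is an added example, not code from the manual or the VPN Router: it compares two counter readings the way the text describes and interprets a sequence of PPP state readings. The WanSample field names, the burst_threshold and input_error_ratio cut-offs, and the state names "Authenticating" and "Up" are assumptions for this example; "Down", "Dead", "LCP Negotiating" and "Network Negotiating" are the states the text names.

```python
from dataclasses import dataclass


@dataclass
class WanSample:
    """One reading of the Manager WAN statistics counters.

    The field names are assumptions for this example; map them to the labels
    the WAN statistics window uses for input/output packets and errors.
    """
    in_packets: int
    out_packets: int
    in_errors: int
    out_errors: int


def classify_counters(before, after, burst_threshold=100_000, input_error_ratio=0.05):
    """Compare two readings taken one refresh interval apart.

    burst_threshold and input_error_ratio are constructed cut-offs; the text only
    speaks of "huge amounts" and "a large percentage of input errors".
    """
    d_in = after.in_packets - before.in_packets
    d_out = after.out_packets - before.out_packets
    d_in_err = after.in_errors - before.in_errors
    d_out_err = after.out_errors - before.out_errors
    findings = []
    if d_in == 0 and d_out == 0:
        findings.append("counters not incrementing: suspect framing or timing errors on the link")
    elif d_in > burst_threshold or d_out > burst_threshold:
        findings.append("counters incrementing by huge amounts: suspect framing or timing errors")
    if d_in > 0 and d_in_err / d_in > input_error_ratio:
        findings.append("large percentage of input errors: suspect the FCS (Frame Check Sequence) calculation")
    elif d_in_err or d_out_err:
        findings.append("input/output errors reported: collect them for Nortel Customer Support")
    return findings


def classify_ppp_states(samples):
    """Interpret PPP state readings collected by repeatedly clicking Refresh.

    Returns a short tag for the situation the text describes; "Authenticating"
    and "Up" are assumed state names.
    """
    if not samples:
        return "no_samples"
    if samples[-1] == "Up":
        return "up"
    seen = set(samples)
    if seen == {"Down"}:
        return "ppp_unaware_link_up"          # PPP may not know the link is up
    if "Network Negotiating" in seen:
        return "ipcp_misconfigured"           # failure at IPCP: check IPCP options
    if "Authenticating" in seen:
        return "authentication_failing"       # try disabling PPP Authentication settings
    if "LCP Negotiating" in seen and seen <= {"Dead", "LCP Negotiating"}:
        return "lcp_not_completing"           # underlying layers or bad LCP options
    return "unknown"


if __name__ == "__main__":
    first = WanSample(in_packets=1000, out_packets=900, in_errors=2, out_errors=0)
    second = WanSample(in_packets=1500, out_packets=1300, in_errors=62, out_errors=0)
    print(classify_counters(first, second))
    print(classify_ppp_states(["Dead", "LCP Negotiating", "Dead", "LCP Negotiating"]))
```

Sample the counters at a fixed interval (the text suggests clicking Refresh periodically) so that the deltas are comparable between readings; a single absolute reading says nothing about whether the link is moving frames.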

Hardware encryption accelerator connectivity

If the hardware encryption accelerator fails, all sessions are automatically moved over so that the software can handle them.

Solving performance problems

This section describes ways to improve the performance of the remote workstation connection to the corporate network through a VPN Router. It also includes Microsoft networking and client setup and operation tips.

Eliminating modem errors

Modem hardware errors can impact performance when connecting to your corporate network over a dial-up connection. If modem hardware errors are occurring, try the following techniques to correct these errors and improve performance:
Adjust the modem speed—If the speed of the modem is set too high, it can cause hardware overruns. Reset the modem speed to match the real speed of the modem.
Disable hardware compression—The data passed through the extranet connection is encrypted, and encrypted data is typically not compressible. Depending on the algorithm the modem uses to compress the encrypted (non-compressible) data, the data can expand in size and overrun the modem's buffers.

Performance tips for configuring Microsoft networking

For Microsoft networking to work as designed over the extranet, each of the following components, if configured, must work together:
DHCP Server assigns IP addresses to clients
WINS Server provides a translation of the NetBIOS domain name to the IP address
DNS Server provides a translation of the IP Host name to the IP address
Master Browser is an elected host that maintains lists of all NetBIOS resources
Domain Controller maintains a list of all clients in the NetBIOS domain and manages administrative requests such as logins
VPN Router terminates tunnels and routes Microsoft networking requests
The following questions and answers are particularly directed toward the WINS server and browsing issues. These questions and answers can help verify whether you correctly set up these components.
What needs to be configured on the VPN Router for network browsing?
In the group profiles, set the values of the DNS server and the WINS server. Remember that these are inherited values, so that if all subgroups of a given group use the same servers, it is sufficient to configure them in the parent group.
If these servers are not on a directly reachable subnet from the VPN Router, or accessible through a default VPN Router, you must configure a static route on the VPN Router to reach them.
What should be configured on the PPTP or IPsec client?
The client needs the protocols for NetBIOS and TCP/IP configured. NetBEUI is not normally configured.
Configure a Windows 95 or Windows 98 client so that it is in the correct workgroup for the NT domains it is trying to reach. For example, if there are domains named Engineering and Admin, and the client is to use the Engineering domain, then you must configure it that way.
For PPTP only, you must also select Log onto Network under My Computer > Dial Up Networking > Connection_Name.
The client system’s NetBIOS name must be unique in the private network to which the client is connecting. Do not use the same name as your office desktop machine or something like my computer. Uniqueness is required.
What is the preferred way to access neighbors on the network?
Microsoft recommends against browsing the Network Neighborhood when tunneling. Another way to access a network resource is through the Run command. For example, to access shared folders on the machine HotDog, choose Start > Run and type in \\HotDog. If you experience delays using Network Neighborhood, try this method instead.
Why should WINS settings be different for extranet access?
WINS servers cache a correspondence between IP addresses and NetBIOS names. These cached values are only invalidated by a timer, not by network activity. Therefore, if a WINS server is used heavily by clients, set its expiration timeouts low.
In a static environment, where names and addresses correspond forever, this is not an issue. But in the extranet environment, clients are assigned new IP addresses whenever they form a tunnel. Therefore, the correspondence is transitory.
Microsoft default values for the timeouts are enormous (for example, 3 weeks). These must be reduced for an extranet environment.
What WINS settings are recommended?
The WINS settings are available on the WINS server through the Start menu > Programs > Administrator Tools. The following values are recommended for a WINS server:
• Server Configuration
Renewal Interval: 41 minutes
Extinction Interval: 41 minutes
Extinction Timeout: 24 hours
Verify Interval: 576 hours
The renewal interval governs how often a client must reregister its name with the WINS server. It begins trying at one-half of the renewal interval. The extinction interval governs the length of time between when a client name is released and when it becomes extinct. These intervals are the most important to control when using dynamic addresses.
There is a trade-off in setting these intervals. If they are set too small, there is too much additional client registration network activity. If they are set too large, transient client entries do not time out soon enough. If you also have secondary WINS servers, make the renewal interval the same on the secondary servers as on the primary server.
For additional information on setting interval values for a WINS configuration, see the Microsoft Knowledge Base article Min. and Max. Interval Values for WINS Configuration available at www://support.microsoft.com/support. A WINS server that has a heavy CPU load or network load does not perform well. To help performance:
Do not run other intensive tasks on the WINS server.
In the WINS configuration, disable detailed logging.
If you have primary and secondary WINS servers, assign them a balanced load.
For hosts that never change IP addresses, you can give static entries in the WINS database. For example, you can configure the address of the Primary Domain Controller as static. To do this, you also need a statically reserved DHCP address for the primary domain controller.
What can you try on the WINS server when it is not working?
You can request that the WINS server clean up its database by going into the Mappings menu and selecting Initiate Scavenging.
If the database becomes very large, you can compact it by using the jetpack.exe program in \winnt\system32. Consult the WINS Help before doing this because the server must be shut down.
In the WINS mappings entry, enter a show database command. Note the entry for -__MSBROWSE__. This is the machine that is actually the elected master browser, and it changes frequently. If this entry is pointing to an invalid machine, it can cause problems.
Can I control which machine is the master browser?
When you start a computer running Windows NT Workstation or Windows NT Server, the browser service looks in the registry for the configuration parameter MaintainServerList to determine whether a computer becomes a browser. This parameter is under:
\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Browser\Parameters
For Windows 95, this parameter is under:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VNETSUP\MaintainServerList
MaintainServerList parameter values are:
NN46110-602
No—this computer can never participate as a browser.
Yes—this computer can become a browser.
Auto—this computer, referred to as a potential browser, can or cannot become a browser, depending on the number of currently active browsers.
The registry parameter IsDomainMasterBrowser affects which servers become master browsers and backup browsers. The registry path for this parameter is:
\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Browser\Parameters
Setting the IsDomainMasterBrowser parameter entry to True or Yes makes the computer a preferred master browser.
When the browser service is started on the preferred master browser computer, the browser service forces an election. Preferred master browsers are given priority in elections, which means that if no other condition prevents it, the preferred master browser always wins the election. This gives an administrator the ability to configure a specific computer as the master browser.
To specify a computer as the preferred master browser, set IsDomainMasterBrowser to True or Yes in the following registry path:
\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Browser\Parameters
Unless the computer is configured as the preferred master browser, the parameter entry is always False or No. There is no user interface for making these changes; you must modify the registry directly.
Why are subnet masks important?
If a client does not have a WINS server or is unable to contact it, it must broadcast a query to try to locate a host. Unfortunately, Windows 95, Windows 98, and Windows NT clients do not always use the correct broadcast address when tunneling.
The following example helps explain this problem. Suppose that you are using a private net 10 address space. Assume further that you have a client with IP address 10.1.2.3 and subnet mask 255.255.0.0. This means that the net 10 space is used like a class B address space, which is perfectly legal. The correct broadcast for this client is 10.1.255.255. However, Microsoft clients can broadcast to 10.255.255.255, using the natural class A for net 10, in spite of their configuration.
If all hosts that the client is trying to reach lie on the same physical segment, this probably will work. This is because every host on the physical network receives the all subnets broadcast and probably responds, if appropriate.
All hosts on the segment receive the broadcast to 10.255.255.255, even if they are on different subnets (10.1.x.x and 10.2.x.x). However, in a routed environment the situation changes. In this case, a broadcast from 10.1.2.3 to 10.255.255.255 is not forwarded to the other 10.2 subnet.
In the extranet environment, make the remote client appear as much as possible to be on the local LAN. If the extranet host is assigned address 10.1.2.3, it should behave as if it is on the 10.1 LAN.
When 10.1.2.3 broadcasts to find a network neighbor, it (incorrectly) sends to 10.255.255.255. Normal routing functionality does not forward such a packet. The VPN Router finds the best match among its physical interfaces (10.1 in this case) and modifies the broadcast to be correct for that interface (10.1.255.255 here).
In this example, if the VPN Router's 10.1 interface was configured with any subnet mask other than 255.255.0.0, the broadcast would not have been converted as desired.
What should I do about subnets?
Configure every private interface on the VPN Router to have the same subnet mask as all of the clients residing on that subnet.
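The broadcast rewrite described above can be checked before a client ever tunnels in. The following Python script is an added example, not code from the Nortel manual or the VPN Router itself: it computes the classful broadcast a misbehaving Windows client sends, the directed broadcast the client should have used, and a simplified model (an assumption, not Nortel's implementation) of the router picking the longest-prefix matching private interface and rewriting the destination to that interface's broadcast. Running it shows the page's two cases: a 10.1 interface with mask 255.255.0.0 converts the broadcast correctly, and any other mask on that interface does not.

```python
import ipaddress


def classful_broadcast(addr):
    """Broadcast address of the 'natural' class of addr (A=/8, B=/16, C=/24).

    This is what the page says Windows 95/98/NT clients may send when
    tunneling, ignoring the subnet mask they were actually configured with.
    """
    addr = ipaddress.IPv4Address(addr)
    first_octet = addr.packed[0]
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{addr} is not a class A/B/C unicast address")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False).broadcast_address


def directed_broadcast(addr, mask):
    """The correct broadcast for a host, given its configured subnet mask."""
    return ipaddress.ip_interface(f"{addr}/{mask}").network.broadcast_address


def router_rewrite(src, dst, interfaces):
    """Assumed model of the VPN Router behaviour the page describes.

    If dst is the classful broadcast for src, pick the private interface whose
    subnet contains src (longest prefix wins) and rewrite dst to that
    interface's directed broadcast. If no interface matches, or dst is not a
    classful broadcast, the destination is left unchanged.
    """
    src = ipaddress.IPv4Address(src)
    dst = ipaddress.IPv4Address(dst)
    if dst != classful_broadcast(src):
        return dst
    matches = [iface for iface in interfaces if src in iface.network]
    if not matches:
        return dst
    best = max(matches, key=lambda iface: iface.network.prefixlen)
    return best.network.broadcast_address


def check_client(client_ip, client_mask, interfaces):
    """Report where a client's misaddressed broadcast ends up after the router.

    'ok' is True only when the rewritten destination equals the broadcast the
    client should have used, i.e. the interface mask matches the client mask.
    """
    expected = directed_broadcast(client_ip, client_mask)
    sent = classful_broadcast(client_ip)
    rewritten = router_rewrite(client_ip, sent, interfaces)
    return {
        "expected": str(expected),
        "sent": str(sent),
        "rewritten": str(rewritten),
        "ok": rewritten == expected,
    }


if __name__ == "__main__":
    # Constructed interface tables; addresses are illustrative only.
    matching = [ipaddress.ip_interface("10.1.0.1/16"),
                ipaddress.ip_interface("10.2.0.1/16")]
    mismatched = [ipaddress.ip_interface("10.1.0.1/24"),
                  ipaddress.ip_interface("10.2.0.1/16")]
    for label, ifaces in (("10.1 interface is /16", matching),
                          ("10.1 interface is /24", mismatched)):
        print(label, check_client("10.1.2.3", "255.255.0.0", ifaces))
```

Use the client's address and mask as assigned by the VPN Router address pool, and list every private interface with the mask actually configured on it; an "ok": False result for any pool means NetBIOS broadcasts from that pool will not reach the hosts the client expects.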
Why is there a delay in discovering the Network Neighborhood (with tunnels)?
NetBIOS treats the modem interface as if it is two different interfaces: the original modem and the tunnel. It designates the original modem as the primary interface. (You can observe this by typing route print in a DOS command shell.) If you tunnel over a LAN instead of a modem, the LAN adapter is designated as the primary interface.
When first instructed to seek the Network Neighborhood, NetBIOS always tries the primary interface first. This is always the wrong choice because NetBIOS tries to send using the IP address assigned by the ISP (or possibly the address of another adapter) instead of the address assigned to the tunnel by the VPN Router.
The outcome is somewhat different for IPsec and PPTP. For IPsec, the client recognizes this incorrect behavior and refuses to even send the packets. You can see a counter of the number of invalid packets of this type on the client under the status Invalid IP address.
With PPTP, the client does send the packets, but they are rejected at the VPN Router as invalid tunneled packets because the source address does not match the VPN Router-assigned address. If you inspect the event log, there are messages of the form Bad source address in tunnel and the session/details counter for source address drops increases.
After about 10 to 15 seconds, NetBIOS gives up on the primary interface, moves to the correct tunnel interface, and starts to browse the Network Neighborhood.
Why can't I browse another client in a different tunnel?
Cause: If you are not using a WINS server, this is not possible because network browsing requires broadcasts from one tunnel to another.
Action: Use a WINS server to browse another client in a different tunnel. When the clients tunnel in, they should register with the WINS server. Be sure that the client you want to browse has Log onto Network enabled under My Computer > Dial Up Networking > Connection_Name.
Where can I get more information on troubleshooting dial-up connections?
The Microsoft Knowledge Base article Dial-Up Networking 1.2 Dun12.doc file, available from www.support.microsoft.com/support, contains help for resolving common dial-up problems.
Depending on the service provider, a point of presence (POP) may not support LCP options. If your connection is constantly declined after the modems synchronize, and you know your password is correct, try disabling the LCP extensions option on the dial-up connection. The Microsoft Knowledge Base article Service Pack 2 May Cause Loss of Connectivity in Remote Access contains more details.
Where can I get more information on configuring PPTP on my client?
There are many articles in the Microsoft Knowledge Base on configuring PPTP for Windows NT, Windows 98, and Windows 95. See the section "Additional information" for a partial list. In addition, Microsoft has the following white papers available at www.support.microsoft.com/support that contain helpful information:
Microsoft Windows 95/Windows NT White Paper, Installing, Configuring, and Using PPTP with Microsoft Clients and Servers
Microsoft Windows NT Server White Paper, Understanding PPTP
You must create a connection definition for your initial Internet link through your service provider. A separate connection definition is needed for creating the PPTP tunnel. A common configuration problem experienced during initial PPTP setup is the failure to select the PPTP VPN adapter (instead of the modem) on the PPTP connection definition in Dialup Networking.
What DNS and WINS servers do I set for the dial-up connection?
There is no need to set these servers statically on your dial-up client because information is dynamically downloaded from the VPN Router for PPTP, IPsec, and Layer 2 Forwarding (L2F) tunnels at connect time.
Why does DNS resolve hosts to different addresses when a tunnel connection is active?
Cause: When a tunnel connection is activated, additional DNS servers are downloaded from the extranet device to your client. In the case of Microsoft Windows 95, Windows 98, and Windows NT operating systems, the new DNS servers are added to the list of DNS servers that were assigned by your ISP. This applies to PPTP as well as IPsec tunnels. In general, the DNS servers downloaded by the extranet device provide host-name-to-address translation for hosts within a private network while the ISP-based DNS servers translate public host names.
For Windows 95/98 and Windows NT, when a host name must be translated to an IP address (for example, to browse the Web or get e-mail), all DNS servers are queried in a shotgun style. The first server to respond with an IP address wins. This can produce some interesting behavior if a host name resolves to one address on the private network and another on the public Internet. For example, host mail.mycompany.com could internally resolve to 10.0.0.282 and externally to 146.113.64.231.
Action: To avoid problems when using a mixture of internal and external DNS services, it is essential to avoid using names that resolve to different addresses. In the preceding example, rename the host 10.0.0.282 to pop.mycompany.com. Then instruct users to use the hostname pop.mycompany.com to retrieve electronic mail, whether in the office or connected through a tunnel link. The original retail release of Windows 95 requires the Winsock DNS Update (wsockupd) to function properly with multiple DNS servers.
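The "first answer wins" behaviour and the recommended fix can be checked offline against your own zone data. The following Python script is an added example, not code from the manual: it models the client querying every configured DNS server and accepting whichever answers first, audits two constructed zone tables for names that resolve differently inside and outside, and verifies that renaming the internal host (as the page recommends) removes the conflict. The page's internal address 10.0.0.282 is not a valid IPv4 address (an octet cannot exceed 255), so the example uses 10.0.0.28 as an assumed stand-in; the external address 146.113.64.231 is taken from the page, and the zone contents and latencies are constructed.

```python
import ipaddress

# Constructed zone data: what the private (tunnel-downloaded) and the ISP
# resolvers would answer. 10.0.0.28 is an assumed stand-in for the page's
# invalid 10.0.0.282.
INTERNAL_ZONE = {
    "mail.mycompany.com": "10.0.0.28",
    "intranet.mycompany.com": "10.0.0.40",
}
EXTERNAL_ZONE = {
    "mail.mycompany.com": "146.113.64.231",
    "www.mycompany.com": "146.113.64.230",
}


def is_valid_ipv4(text):
    """True if text parses as a dotted-quad IPv4 address (10.0.0.282 does not)."""
    try:
        ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return False
    return True


def validate_zone(zone):
    """Return the names whose record data is not a valid IPv4 address."""
    return sorted(name for name, addr in zone.items() if not is_valid_ipv4(addr))


def first_responder_wins(name, servers):
    """Model of the Windows 95/98/NT 'shotgun' lookup described on the page.

    servers is a list of (zone, latency_ms) pairs. Every server is queried;
    the first one that returns an address wins, so the answer depends on
    which resolver is faster at that moment, not on which one is authoritative.
    """
    answers = [(latency, zone[name]) for zone, latency in servers if name in zone]
    if not answers:
        return None
    return min(answers)[1]


def split_horizon_conflicts(internal, external):
    """Names present in both zones that resolve to different addresses.

    These are exactly the names whose resolution will flip depending on
    resolver latency once a tunnel is up.
    """
    shared = internal.keys() & external.keys()
    return sorted(name for name in shared if internal[name] != external[name])


def apply_rename(internal, old_name, new_name):
    """Return a copy of the internal zone with old_name republished as new_name,
    the page's recommended fix for a conflicting name."""
    fixed = dict(internal)
    fixed[new_name] = fixed.pop(old_name)
    return fixed


if __name__ == "__main__":
    print("invalid records:", validate_zone({"bad.mycompany.com": "10.0.0.282"}))
    print("conflicts:", split_horizon_conflicts(INTERNAL_ZONE, EXTERNAL_ZONE))
    # Same name, different winner depending only on which resolver is faster.
    for internal_ms, isp_ms in ((5, 40), (40, 5)):
        servers = [(INTERNAL_ZONE, internal_ms), (EXTERNAL_ZONE, isp_ms)]
        print(f"internal {internal_ms}ms / ISP {isp_ms}ms ->",
              first_responder_wins("mail.mycompany.com", servers))
    fixed = apply_rename(INTERNAL_ZONE, "mail.mycompany.com", "pop.mycompany.com")
    print("conflicts after rename:", split_horizon_conflicts(fixed, EXTERNAL_ZONE))
```

Feed split_horizon_conflicts the real internal and external zone exports before rolling out tunnel-downloaded DNS servers; every name it reports is one that users will resolve inconsistently, and validate_zone catches records that a resolver would never be able to hand out in the first place.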
My downloaded DNS servers for my tunnel connection do not work
Cause: The Microsoft Windows 95/98 and Windows NT operating systems attempt to ping new DNS servers before adding them to the current list of servers.
Action: As a quick test, try to ping (with the tunnel connection active) the DNS servers that the extranet device is downloading at tunnel startup. If you cannot ping the servers, a basic connectivity problem using the tunnel connection exists.
To view the current list of DNS servers at any time, use the MS-DOS command ipconfig /all on Windows NT or winipcfg on Windows 95 or Windows 98.
Why, after disconnecting a PPTP tunnel, do I get an immediate error reconnecting?
Cause: After you disconnect a PPTP tunnel, then immediately try to reconnect, the PPTP client indicates that the connection is busy or otherwise unavailable. On Windows 95 this is caused by the PPTP control channel socket being improperly shut down by the client.
Action: You can wait for the socket to time out, but it is often more expedient to reboot. On Windows NT a similar problem is encountered, but caused by a TCP checksum error generated by the Microsoft IP stack. The only current resolution for the Windows NT error condition is to reboot.

Additional information

Below is a list of some of the Microsoft Knowledge Base topics you can browse for information related to dial-up and tunnel configuration. To view these topics, go to www.support.microsoft.com/support. Use the Search Support Online feature to search on the title you want:
Troubleshooting Internet Service Provider Login Problems
Service Pack 2 May Cause Loss of Connectivity in Remote Access
Troubleshooting Modem Problems Under Windows NT 4.0
Dial-Up Networking 1.2 Dun12.doc File (Windows 95 PPTP Troubleshooting)
How to Troubleshoot TCP/IP Connectivity with Windows NT
Remote Access Service (RAS) Error Code List for Windows NT 4.0
RAS Error 720 When Dialing Out
Troubleshooting PPTP Connectivity Issues in Windows NT 4.0
PPTP Registry Entries
Connecting to Network Resources from Multihomed Computer
How to Force 128-bit Data Encryption for RAS
Login Validation Fails Using Domain Name Server

Solving general problems

This section contains general recommendations and explains some common problems that can occur with common Web browsers, the Nortel VPN Router Web Manager, and the VPN Router.

Web browser problems and the VPN Client Manager

If you have a problem browsing the Nortel VPN Client Manager, start by checking the following recommendations to ensure that you are using the correct Web browser version and settings. For additional troubleshooting, check the described Web browser problems and solutions, error messages, and tips described later in this section.
Nortel VPN Client Manager uses Java* and HTML features. For the management interface to function properly, verify that your Web browser meets the following minimum requirements:
Platforms supported include Windows 95, Windows 98, Windows NT, or Macintosh*.
Display setting of 256 colors or greater.
Browser versions supported include Microsoft Internet Explorer, Version 4.0 or later, and Netscape Communicator*, Version 4.0 or later. If you are not using a recent version of Internet Explorer, the upper-left corners of the management windows remain gray rather than displaying the navigational menu and the current menu selection.
For ActiveX Scripts, Java, and JavaScript*, you must enable both ActiveX and Java programs in Internet Explorer, and enable both Java and JavaScript in Netscape Communicator for proper VPN Router Web management windows. These options are enabled by default on both Web browsers.

Enabling Web browser options

To make sure these options are enabled in Internet Explorer, from the Internet Explorer menu bar, select View > Options > Security, and select:
Run ActiveX scripts—If this option is disabled, navigational titles are not updated, and the Logoff and Help buttons do not work.
Enable Java programs—If this option is disabled, navigational menus do not appear.
To make sure these options are enabled in Netscape*, from the Netscape menu, select Edit > Preferences > Advanced, and select:
Enable Java – If this option is disabled, navigational menus do not appear.
Enable JavaScript – If this option is disabled, navigational titles are not updated, and the Logoff and Help buttons do not work.
Long delays when Web browsing
Cause: Sometimes when you access the Web interface over HTTP, you can experience long delays (greater than five minutes).
Action: Wait until the requested window is fully delivered before clicking on a new window request.
Improving performance with Internet Explorer 4.0
Nortel recommends that you create a DNS server entry for your management IP address. This alleviates a noticeable delay in loading the initial Main menu and navigational windows.
Clearing your Web browser cache when upgrading
To avoid problems when upgrading software revision levels, Nortel recommends that you clear your browser cache and exit the browser and all associated windows (such as mail and news readers). See the following section for browser cache clearing instructions.
Clearing cache
A browser caches windows to improve performance when the same window is requested again. The VPN Router’s HTTP server allows browsers to cache Java class files and all image files, but does not allow browsers to cache body windows that contain the dynamically generated information. Both Internet Explorer and Netscape allow you to clear the browser cache which causes all windows to be rerequested the next time they are required. To manually clear the browser cache in Internet Explorer V4.x, select View > Internet Options, and click Delete Files. To manually clear the browser cache in Netscape V4.x, select Edit > Preferences > Advanced > Cache and click Clear disk and memory cache.

Web browser error messages

No data in post message
Cause: This message often appears on the main body window if you use the browser’s back arrow to revisit a previously displayed window. The browser displays this message when it knows you are revisiting a dynamically generated window.
Action: To see the window, use the left navigational area to select it.
Internal error message
Cause: The HTTP server was unable to allocate memory. This indicates that the VPN Router is very low on memory.
Action: Terminate any unnecessary tasks to free up memory. It may be necessary to reboot the VPN Router. If this condition recurs, there can be a serious problem. Contact Nortel Customer Support.
Document not found message
Cause: This message is returned when the HTTP server cannot find the requested window. This can happen because the Java navigation index file is out of synch with the rest of the system. A corrupted or incorrectly cached index file can also cause this problem.
Action: Clear your browser cache or restart your browser to correct this problem.
New administrator login ignored
Cause: Internet Explorer saves your user ID and password in its cache and automatically resends those values on subsequent login attempts. Therefore, when you are prompted after an idle timeout, the user ID and password you enter are ignored, and Internet Explorer sends the original user ID and password. For example, if you log in as Administrator with password abc123De, log out, and then log in again, this time as DottieDoe with password FGh45678, Internet Explorer sends Administrator with password abc123De.
Action: When you log off the VPN Router, close out of the Web browser completely (shut down the browser). This clears the cache and the next time that you log in you are starting fresh.
Excess resource consumption using Internet Explorer
Cause: Internet Explorer has a known problem with excessive memory consumption using Java applets. Over time, this problem can cause serious overall system performance degradation.
Action: If you notice that your system's performance seems to slow down for no reason, close and restart Internet Explorer. This releases unused memory and improves system performance. Go to www.premium.microsoft.com/support/kb/articles/q173/1/45.asp for details.
Internet Explorer 4.0 multiple help windows
Cause: In Internet Explorer 4.0, if you select context-sensitive help and do not close the help window after viewing, you can end up with multiple help windows open.
Action: Close help windows after viewing them.
Distorted background images
Cause: In Netscape versions prior to 4.0, where you configured your Windows 95, Windows 98, or Windows NT system for fewer than 256 colors (less than 8-bit color), images can appear distorted in the navigational area.
Action: To avoid this situation, increase the color display setting to 256 or greater. Check with your video card manufacturer's documentation to confirm that your video card supports 256 colors or greater.

Reporting a problem with a Web browser

When reporting a problem with a browser to Nortel, include the following information:
workstation operating system and version
browser vendor and version (major and minor version)
cache setting (size in Netscape, percent of drive for Internet Explorer)
Verify document setting (every time or once per session)

System problems

Excessive active sessions logged
Cause: The number of active sessions can display as more than 4 billion. This is an erroneous number that results from the session count going negative and being displayed as an unsigned value.
Action: Restart the system.
Power failure
Cause: The power supplies can become unseated during shipping. When this problem occurs, the VPN Router may not start, or a warning can be posted to the Status > Health Check window indicating a potential problem.
Action: If necessary, remove the front bezel as described in the installation guide, then push the bottom of the power supply in to reseat it.
Cannot convert from an internal address pool to an external DHCP server
Cause: You cannot convert IP address distribution from an internal address pool to an external DHCP server while sessions are active.
Action: Select Admin > Shutdown, and select Disable Logins after Restart. After everyone has logged off, you can convert from an internal address pool to an external DHCP server.
Group and user profile settings not saved
Cause: When you use the Save Current Configurations option on the Admin > Configs window, it saves only the operational parameters in the configuration file, such as interface IP addresses and subnet masks, backup host IP addresses, DNS names.
Action: To completely back up the VPN Router configuration, you must also back up the LDAP database, which contains the group and user profiles, filters, and backup file names. To do this:
1 Select Servers > LDAP.
2 Click Stop Server.
3 Enter a file name in Backup/Restore LDAP Database. Make sure this name conforms to the MS-DOS naming conventions and append the filename with LDF (for example, ldapone.ldf). The restore process can take anywhere from five minutes for a very small LDAP database to several hours for a very large database.
4 You can view the progress of the restoration from the Admin > Health Check window.
Restart fails after using recovery and reformatting the hard disk
Cause: When you are using the recovery disk and reformatting the hard disk, sometimes the system does not restart.
Action: Power-cycle the system using the green power button on the back of the VPN Router.

Solving routing problems

The following sections describe routing problems.

Client address redistribution problems

The number of current Utunnel host users can display more than the configured maximum.
Cause: This is not an error and is the running state of the system. For example, if you configured a maximum of 200 and have 150 logins, the window displays the maximum as 200 and the current as 150. If you then modify the maximum to 100, the window displays the maximum as 100 and the current as 150. As users log out, the current number is eventually no greater than the maximum.
Action: No action.
Client address redistribution is enabled and the client is logged in, but the client is not communicating with the private network.
Cause: Client address redistribution was not enabled at the time the client logged in.
Action: Have the client log in again. Client address redistribution only takes effect for clients that log in while it is enabled. If the problem persists:
1 Check the Routing > Policy window and make sure Utunnel routes is enabled.
2 Check that OSPF and Routing Information Protocol (RIP) are properly set up.
3 Check that you have the correct address ranges if you configured summarization.
4 Check that you have an Advanced Routing license if you are using OSPF for client address redistribution.

Solving firewall problems

An error occurred while parsing the policy
Description: The policy that you are attempting to view or edit cannot be opened because it does not conform to the required format. This is caused by an error in the LDAP database or a problem with the connection to the VPN Router.
Action:
1 Close the Stateful Firewall Manager.
2 Close all instances of the browser used to load the Stateful Firewall Manager.
3 Check that the connection to the VPN Router is established.
4 Check that the LDAP server containing the policy is properly configured and
is active.
5 Restart the browser and navigate to the System > Firewall window.
6 Reload the Stateful Firewall Manager.
An error occurred while communicating with the VPN Router
Description: The Stateful Firewall Manager encountered an error while retrieving the data from the VPN Router. This can be caused by a network error or the VPN Router has stopped responding.
Action:
1 Close the Stateful Firewall Manager.
2 Close all instances of the browser used to load the Stateful Firewall Manager.
3 Check that the connection to the VPN Router is established.
4 Restart the browser and navigate to the System > Firewall window.
5 Reload the Stateful Firewall Manager.
Authorization failed. Please try again.
Description: This error occurs when the wrong authentication credentials are entered. The user is re-prompted for credentials until they are either correct or the user clicks Cancel.
Action: No action required.
Unable to communicate with the VPN Router
Description: The Stateful Firewall Manager cannot establish a connection to the VPN Router. This is caused by a network error, or the VPN Router is not responding to requests.
Action:
1 Close the Stateful Firewall Manager.
2 Close all instances of the browser used to load the Stateful Firewall Manager.
3 Check that the connection to the VPN Router is established.
4 Restart the browser and navigate to the System > Firewall window.
5 Reload the Stateful Firewall Manager.
The contents of the database may have changed
Description: This error occurs because the LDAP database has changed in such a way that the current data in the Stateful Firewall Manager may no longer be valid. This error is encountered when any of the following events occur:
Internal LDAP server was shut down and restarted.
External LDAP server in use is switched to the internal LDAP server.
Internal LDAP server in use is switched to an external LDAP server.
External LDAP server’s port or IP address changes.