Amer Networks E5Web GUI User Manual

Page 650

9.8.2. Troubleshooting Certificates

If certificates have been used in a VPN solution then the following should be looked at as a
source of potential problems:

• Check that the correct certificates have been used for the right purposes.

• Check that the certificate .cer and .key files have the same filename. For example,
  my_cert.key and my_cert.cer.

• Check that the certificates have not expired. Certificates have a specific lifetime and when
  this expires they cannot be used and new certificates must be issued.

• Check that the cOS Core date and time are set correctly. If the system date and time are wrong
  then certificates can appear to be expired when, in fact, they are not.

• Consider time-zone issues with newly generated certificates. The Clavister Security Gateway's
  time zone may not be the same as the CA server's time zone and the certificate may not yet
  be valid in the local zone.

• Disable CRL (revocation list) checking to see if CA server access could be the problem. Treat
  this as a temporary diagnostic step only and re-enable it once the cause is found, since
  without CRL checking a revoked certificate is still accepted. CA server issues are discussed
  further in Section 9.7, "CA Server Access".
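The expiry and time-zone checks above can be reproduced off the gateway. The following is an added example, not code from the manual or from cOS Core: it reads notBefore/notAfter out of a DER-encoded X.509 certificate with a minimal ASN.1 walker and classifies the certificate against a time-zone-aware clock. The certificate it parses is a constructed, unsigned skeleton built in build_synthetic_cert (assumption: enough structure for the validity field, nothing more), and the 5-minute skew tolerance in diagnose is an assumed value. diagnose_naive shows the mistake behind the "not yet valid in the local zone" symptom: comparing a local wall clock against the certificate's UTC times as if they were local.

```python
"""Added example: extract the validity period from a DER X.509 certificate and
classify it against the gateway clock. Standard library only."""
from datetime import datetime, timedelta, timezone

def der_encode(tag, payload):
    """One DER TLV with definite length (short form, or long form if >= 128)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n

def der_children(value):
    """Immediate child TLVs of a SEQUENCE/SET payload as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def parse_asn1_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ; RFC 5280 pivot: YY < 50 means 20YY) or
    GeneralizedTime (0x18, YYYYMMDDHHMMSSZ). Certificate times are always UTC."""
    s = raw.decode("ascii")
    if not s.endswith("Z"):
        raise ValueError("non-UTC time in certificate: " + s)
    if tag == 0x17:
        yy = int(s[:2])
        year, rest = (2000 + yy if yy < 50 else 1900 + yy), s[2:-1]
    elif tag == 0x18:
        year, rest = int(s[:4]), s[4:-1]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)

def certificate_validity(cert_der):
    """(notBefore, notAfter) of a DER Certificate. In TBSCertificate the validity
    field follows serialNumber, signature and issuer, after the optional [0] version."""
    _, cert, _ = der_read(cert_der)
    fields = der_children(der_children(cert)[0][1])   # tbsCertificate
    if fields[0][0] == 0xA0:                           # explicit version (v2/v3)
        fields = fields[1:]
    (t1, nb), (t2, na) = der_children(fields[3][1])
    return parse_asn1_time(t1, nb), parse_asn1_time(t2, na)

def diagnose(not_before, not_after, now, skew=timedelta(minutes=5)):
    """Classify against a tz-aware clock `now`. Assumed tolerance: a notBefore
    less than `skew` in the future points at a clock or time-zone problem."""
    if now < not_before:
        near = not_before - now <= skew
        return "not yet valid" + (" (suspect clock skew/time zone)" if near else "")
    if now > not_after:
        return "expired"
    return "valid"

def diagnose_naive(not_before, not_after, wall_clock):
    """The wrong comparison: a naive local wall clock against the certificate's
    UTC times stripped of their zone, i.e. treating '...Z' as local time."""
    return diagnose(not_before.replace(tzinfo=None), not_after.replace(tzinfo=None),
                    wall_clock, skew=timedelta(0))

def build_synthetic_cert(not_before, not_after):
    """Constructed, unsigned v3 Certificate skeleton (empty names, empty key,
    dummy signature): enough for certificate_validity(), not a usable cert."""
    utc = lambda dt: der_encode(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")))
    empty = der_encode(0x30, b"")
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
           + alg + empty + der_encode(0x30, utc(not_before) + utc(not_after))
           + empty + empty)
    return der_encode(0x30, der_encode(0x30, tbs) + alg + der_encode(0x03, b"\x00"))

# Constructed scenario: CA issues at 08:00Z; gateway sits in UTC-5 and reads 03:30 local.
NOT_BEFORE = datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc)
NOT_AFTER = datetime(2025, 6, 1, 8, 0, tzinfo=timezone.utc)
GATEWAY_CLOCK = datetime(2024, 6, 1, 3, 30, tzinfo=timezone(timedelta(hours=-5)))

if __name__ == "__main__":
    nb, na = certificate_validity(build_synthetic_cert(NOT_BEFORE, NOT_AFTER))
    print(diagnose(nb, na, GATEWAY_CLOCK))                            # valid
    print(diagnose_naive(nb, na, GATEWAY_CLOCK.replace(tzinfo=None)))  # not yet valid
```

Run it against a real certificate by feeding certificate_validity the DER bytes of the .cer file (convert from PEM first with ssl.PEM_cert_to_DER_cert if needed) and a clock taken from the gateway rather than from the workstation.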

9.8.3. IPsec Troubleshooting Commands

A number of commands can be used to diagnose IPsec tunnels:

The ipsecstat console command

ipsecstat can be used to show that IPsec tunnels have correctly established. A representative
example of output is:

Device:/> ipsecstat

--- IPsec SAs:

Displaying one line per SA-bundle

IPsec Tunnel     Local Net         Remote Net        Remote GW
------------     --------------    ------------      -------------
L2TP_IPSec       214.237.225.43    84.13.193.179     84.13.193.179
IPsec_Tun1       192.168.0.0/24    172.16.1.0/24     82.242.91.203

To examine the first IKE negotiation phase of tunnel setup use:

Device:/> ipsecstat -ike

To get complete details of tunnel setup use:

Device:/> ipsecstat -u -v

Warning: Be careful using the -num=all option

With any of the IPsec related commands, if there are large numbers of tunnels then avoid the
-num=all option, since it lists every tunnel and generates correspondingly large amounts of
output.
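When ipsecstat output is collected from many gateways, the useful question is usually "which configured tunnels have no SA at all?". The following is an added example, not code from the manual or from cOS Core: it parses the fixed-width table that ipsecstat prints and reports configured tunnel names with no SA-bundle row. The sample text is constructed from the representative output above; the column layout is assumed to be fixed-width with a dashed separator line under the header, and the list of expected tunnel names is assumed to come from your own configuration.

```python
"""Added example: parse the SA table printed by `ipsecstat` and flag configured
tunnels that have no established SA."""

# Constructed sample, copied from the representative ipsecstat output in this section.
SAMPLE_IPSECSTAT = """\
--- IPsec SAs:

Displaying one line per SA-bundle

IPsec Tunnel     Local Net         Remote Net        Remote GW
------------     --------------    ------------      -------------
L2TP_IPSec       214.237.225.43    84.13.193.179     84.13.193.179
IPsec_Tun1       192.168.0.0/24    172.16.1.0/24     82.242.91.203
"""

def _column_starts(dash_line):
    """Offsets where each run of '-' begins in the separator line. These give the
    column boundaries, which is more reliable than splitting on whitespace because
    header names such as 'IPsec Tunnel' contain spaces."""
    starts, prev = [], " "
    for i, ch in enumerate(dash_line):
        if ch == "-" and prev != "-":
            starts.append(i)
        prev = ch
    return starts

def _slice(line, starts):
    """Cut one line at the column boundaries and strip padding."""
    bounds = starts + [len(line)]
    return [line[a:b].strip() for a, b in zip(bounds, bounds[1:])]

def parse_ipsecstat(text):
    """One dict per SA-bundle row, keyed by the header names above the dashes."""
    lines = text.splitlines()
    for i, ln in enumerate(lines):
        sep = ln.strip()
        if i == 0 or not sep or set(sep) - {"-", " "}:
            continue                      # not the '----   ----' separator line
        starts = _column_starts(ln)
        names = _slice(lines[i - 1], starts)
        return [dict(zip(names, _slice(row, starts)))
                for row in lines[i + 1:] if row.strip()]
    return []                             # no table: no SAs established

def missing_tunnels(text, expected):
    """Names from `expected` (assumed: your configured tunnels) with no SA listed."""
    up = {row["IPsec Tunnel"] for row in parse_ipsecstat(text)}
    return sorted(set(expected) - up)

if __name__ == "__main__":
    for row in parse_ipsecstat(SAMPLE_IPSECSTAT):
        print(row["IPsec Tunnel"], "->", row["Remote GW"])
    print(missing_tunnels(SAMPLE_IPSECSTAT, ["IPsec_Tun1", "Branch_Office"]))  # ['Branch_Office']
```

Feed it the text captured from the console (for example over SSH); a tunnel that is configured but absent from the table is the one to examine next with ipsecstat -ike.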

Chapter 9: VPN
