beautypg.com

Specific symptoms – Amer Networks E5Web GUI User Manual

Page 654

background image

The Clavister Security Gateway is unable to reach the Certificate Revocation List (CRL) on the
CA server in order to verify if the certificate is valid or not. Double-check that the CRL path is
valid in the certificate's properties. (Note that usage of the CRL feature can be turned off.)

Also make sure that there is a DNS client configured for cOS Core in order to be able to
correctly resolve the path to the CRL on the CA server.

Note: L2TP with Microsoft Vista

With L2TP, Microsoft Vista tries by default to contact and download the CRL list,
while Microsoft XP does not. This can be turned off in Vista.

If multiple similar or roaming tunnels exist and there is a need to separate them using ID lists,
a possible cause can be that none of the ID lists match the certificate properties of the
connecting user. Either the user is not authorized or the certificate properties are wrong on
the client or the ID list needs to be updated with this user/information.

With L2TP, the client certificate is imported into the wrong certificate store on the Windows
client. When the client connects, it is using the wrong certificate.

6. ruleset_drop_packet

If this appears in a log message with IKEv1 roaming clients where tunnel mode is used, it may be
caused by the client's local inner IP address being the same as the client's local outer IP address
for the tunnel. If this is the case, the log message will also have rule=Default_Access_Rule. The
problem is fixed by using config mode to allocate the client IP or using separate routing tables
for the tunnel and the data it carries. This issue is also discussed in Section 9.4.3, “Roaming Clients”.

9.8.6. Specific Symptoms

There are two specific symptoms that will be discussed in this section:

1. The tunnel can only be initiated from one side.
2. The tunnel is unable to be set up and the ikesnoop command reports a config mode XAuth
problem even though XAuth is not used.

1. The tunnel can only be initiated from one side

This is a common problem and is due to a mismatch of the size in local or remote network and/or
the lifetime settings on the proposal list(s).

To troubleshoot this it is necessary to examine the settings for the local network, remote
network, IKE proposal list and IPsec proposal list on both sides to try to identify a miss-match.

For example, suppose the following IPsec settings are at either end of a tunnel:

Side A

Local Network = 192.168.10.0/24
Remote Network = 10.10.10.0/24

Side B

Local Network = 10.10.10.0/24
Remote Network = 192.168.10.0/16

Chapter 9: VPN

654

This manual is related to the following products:
See also other documents in the category Amer Networks Computer Accessories: