Chapter 27: Troubleshooting AOS-W Environments
VPN Dialer displays “No Alcatel switches detected”
When this error message is displayed, it indicates that the VPN dialer could
not verify that the client was associated to an Alcatel switch. The mechanism
used to determine if an Alcatel switch is present is a DNS lookup. If the client
is associated to an Alcatel switch, the DNS request will be intercepted by the
Alcatel switch and a response sent back to the client.
The likely cause of this error message is that the client has no DNS server
configured or learned through DHCP. If the client has no DNS server to use
for lookups, the client will not generate DNS requests, and the Alcatel switch
will not be able to intercept the request and respond to it. There are three
possible solutions:
• Configure the DHCP server so that it supplies clients with a DNS server
  address.
• Statically configure the client with the address of a DNS server.
• In the Alcatel VPN dialer, turn off the option labeled “Wait for wireless”.
  Note that with this option disabled, the VPN dialer will try to establish a
  connection any time the wireless NIC is connected to a network and has
  an IP address.
VPN Dialer displays “There was no answer”
This is a generic message indicating that the VPN client was unable to
connect. Common causes are a mismatch between the dialer configuration
on the client and the VPN configuration on the switch, or an internal Windows
error.
• Examine log files on the Alcatel switch. First, examine the output of
  “show log crypto”. The following error messages are common:
    • NO_PROPOSAL_CHOSEN: Indicates the client and switch are not
      configured in a like manner. If using the Alcatel dialer, verify that the
      lifetime, encryption, and hash for both IKE and IPSec match.
    • INVALID_HASH_INFORMATION: Indicates that the client and switch's
      IKE pre-shared keys do not match. If using a 3rd-party VPN client, the
      IKE pre-shared key is sometimes called the "group key" or "group
      password".
    • INVALID_PAYLOAD_TYPE, INVALID_COOKIE, and
      PAYLOAD_MALFORMED: May indicate that the IKE pre-shared key
      does not match between the client and switch.
• Examine the output of “show crypto isakmp sa”. This command will list all
  IKE security associations (SAs) currently active in the switch. If no SA
  appears for the client in question, it is likely that the IKE pre-shared keys do
  not match between the client and switch.
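
The two checks above can be combined into one offline triage pass over saved command output. The following Python sketch is an added example, not part of the AOS-W documentation: the sample line layout is constructed (real "show log crypto" and "show crypto isakmp sa" output will look different), and it assumes that each relevant line contains the client's IP address.

```python
import re
from collections import Counter

# Error names and likely causes, as listed in the section above.
CAUSES = {
    "NO_PROPOSAL_CHOSEN": "compare lifetime, encryption and hash for IKE and IPSec",
    "INVALID_HASH_INFORMATION": "IKE pre-shared keys do not match",
    "INVALID_PAYLOAD_TYPE": "IKE pre-shared key may not match",
    "INVALID_COOKIE": "IKE pre-shared key may not match",
    "PAYLOAD_MALFORMED": "IKE pre-shared key may not match",
}
TOKEN = re.compile(r"\b(" + "|".join(CAUSES) + r")\b")

def triage(crypto_log, isakmp_sa, client_ip):
    """Return findings for one client from saved text of the two commands."""
    # Match the address as a whole token so 10.1.1.5 does not match 10.1.1.50.
    ip = re.compile(r"(?<![\d.])" + re.escape(client_ip) + r"(?![\d.])")
    hits = Counter()
    for line in crypto_log.splitlines():
        if ip.search(line):
            hits.update(TOKEN.findall(line))
    findings = [f"{name} x{n}: {CAUSES[name]}" for name, n in hits.most_common()]
    # Second check: is there any IKE SA listed for this client at all?
    if not any(ip.search(line) for line in isakmp_sa.splitlines()):
        findings.append("no IKE SA for client: IKE pre-shared keys likely do not match")
    return findings

# Constructed sample input (assumed layout, not real AOS-W output).
SAMPLE_LOG = """\
ike: peer 10.1.1.5 notify NO_PROPOSAL_CHOSEN
ike: peer 10.1.1.50 phase 1 complete
ike: peer 10.1.1.5 notify NO_PROPOSAL_CHOSEN
ike: peer 10.1.1.5 notify PAYLOAD_MALFORMED
"""
SAMPLE_SA = """\
10.1.1.50  established
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, SAMPLE_SA, "10.1.1.5"):
        print(finding)
```
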