Router User Manual
Nortel Secure Router 8000 Series
Troubleshooting - VAS 2 IPSec and IKE troubleshooting
Issue 01.01 (30 March 2009) Nortel Networks Inc. 2-21
Figure 2-7 Troubleshooting flowchart of SA setup in Phase 2
[Flowchart not reproduced. Start: "Fail to set up SAs in Phase 2". Decision points and their corrective actions: "Succeed to set up SAs in Phase 1?" (if not, remove faults based on the Phase 1 SA troubleshooting flow); "Are proposals on two ends consistent?" (if not, modify IKE proposal configurations); "Are adopted ACLs on two ends mutual-mirroring?" (if not, modify ACLs). Each corrective action is followed by a "The fault disappears?" check that leads to "End" on Yes. If the fault remains, seek technical support.]
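The flowchart's "Are adopted ACLs on two ends mutual-mirroring?" check can be done offline by comparing the protected-traffic rules of both peers. The following is an added example, not taken from the Nortel manual: the rule tuples, the function names and the sample networks are constructed for illustration and are not Secure Router ACL syntax.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    """One permit rule selecting traffic for IPSec protection (hypothetical model)."""
    src: object   # ipaddress network object
    dst: object   # ipaddress network object
    proto: str = "ip"

def rule(src, dst, proto="ip"):
    # strict=False drops host bits, so 10.1.1.5/24 is treated as 10.1.1.0/24
    return Rule(ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False),
                proto.lower())

def mirror(r):
    """The rule the peer must carry: source and destination swapped."""
    return Rule(r.dst, r.src, r.proto)

def describe(r):
    return f"{r.proto} {r.src} -> {r.dst}"

def mirror_mismatches(local, remote):
    """Return (local_only, remote_only): rules with no exact mirror on the peer.

    A subnet that merely overlaps the peer's subnet (for example /16 against /24)
    is reported as a mismatch, because the two ends would then propose
    different traffic selectors during Phase 2.
    """
    local_set, remote_set = set(local), set(remote)
    local_only = sorted((r for r in local_set if mirror(r) not in remote_set),
                        key=describe)
    remote_only = sorted((r for r in remote_set if mirror(r) not in local_set),
                         key=describe)
    return local_only, remote_only

# Constructed sample data: the first pair mirrors correctly, the second does not.
SITE_A = [rule("10.1.1.0/24", "10.2.2.0/24"), rule("10.1.3.0/24", "10.2.0.0/16")]
SITE_B = [rule("10.2.2.0/24", "10.1.1.0/24"), rule("10.2.4.0/24", "10.1.3.0/24")]

if __name__ == "__main__":
    a_only, b_only = mirror_mismatches(SITE_A, SITE_B)
    for r in a_only:
        print("site A rule has no mirror on site B:", describe(r))
    for r in b_only:
        print("site B rule has no mirror on site A:", describe(r))
```

An empty result on both sides means the two rule sets are exact mirrors; any reported rule is a candidate for the "Modify ACLs" action in the flowchart.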
2.3.4 Troubleshooting procedure
Step 1 Check whether the two ends of the tunnel can reach each other with no IPSec policy applied.
Use the undo ipsec policy command on both ends of the IPSec tunnel.
On PC A, ping PC B.
A failed ping indicates a faulty route or link between PC A and PC B. For information about
removing the fault, see Nortel Secure Router 8000 Series Troubleshooting - IP Routing
(NN46240-706).
If the ping succeeds, continue with the following steps.
Step 2 Check whether the SA is set up in Phase 1.










