Router User Manual

2 IPSec and IKE troubleshooting
Nortel Secure Router 8000 Series
Troubleshooting - VAS
2-48 Nortel Networks Inc. Issue 01.01 (30 March 2009)
2.7 Troubleshooting cases
Fault symptom
Figure 2-14 shows a diagram of IPSec SA setup in ISAKMP mode.
Figure 2-14 Networking diagram of IPSec setup
[Figure: Router A and Router B connected across the Internet. Interfaces and addresses shown: Pos1/0/1 202.38.163.1, Pos2/0/1 202.38.162.1; LAN addresses 10.1.1.1, 10.1.1.2, 10.1.2.1, 10.1.2.2]
After Router A is restarted, the IPSec tunnel fails.
Fault analysis
- Use the debugging ipsec packet command on Router B. IPSec packets sent from Router B to Router A can be encapsulated.
- Use the debugging ipsec packet command on Router A. Packet decapsulation on Router A fails.
- Use the display ipsec sa command on Router A and Router B. You cannot find the SA on Router A.
The likely cause of this fault is that the timeout period during which the ISAKMP SA waits for Keep Alive packets has not been configured. After Router A restarts, Router B is never notified that the corresponding SA is gone, so Router B continues to use the previous SA, which Router A no longer holds.
To clear the fault, enable the keep-alive function of the ISAKMP SA. If no Keep Alive packet arrives within the configured timeout, the SAs on both ends are removed and a new negotiation is initiated.
Troubleshooting procedure
Step 1 Use the reset ipsec sa command or the reset ike sa command in the system view to remove
the corresponding SA from Router B.
Step 2 Use the ike sa keepalive-timer interval second command in the system views of Router A
and Router B to specify the interval at which Keep Alive packets are sent.
Step 3 Use the ike sa keepalive-timer timeout seconds command in the system views of Router A
and Router B to specify the timeout period for waiting for Keep Alive packets sent from the
peer of ISAKMP SA.
Step 4 Save the configuration.
After completing the previous steps, the IPSec tunnel can operate normally.
----End
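The following added example (not code from the Nortel manual or the router software) models the fault and the fix above: Router B holds an ISAKMP SA, Router A reboots without notifying B, and only a configured keep-alive timeout lets B remove the stale SA and renegotiate. The 20 s keep-alive interval, the timeout values and the reboot time are constructed values for the simulation.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class IsakmpSa:
    peer: str
    last_keepalive: int  # simulated time (s) at which we last heard the peer

@dataclass
class Router:
    keepalive_interval: int           # seconds between Keep Alive packets we send
    keepalive_timeout: Optional[int]  # None models "timeout not configured"
    sa: Optional[IsakmpSa] = None
    negotiations: int = 0

    def negotiate(self, peer: str, now: int) -> None:
        self.sa = IsakmpSa(peer, now)
        self.negotiations += 1

    def hear_keepalive(self, now: int) -> None:
        if self.sa is not None:
            self.sa.last_keepalive = now

    def check_timeout(self, now: int) -> bool:
        """Remove the SA if no Keep Alive arrived within the timeout; True if removed."""
        if self.sa is None or self.keepalive_timeout is None:
            return False
        if now - self.sa.last_keepalive > self.keepalive_timeout:
            self.sa = None
            return True
        return False

def simulate(timeout: Optional[int], restart_at: int = 100, end: int = 400) -> dict:
    """Router A reboots at restart_at; report whether Router B ever notices."""
    a = Router(20, timeout)  # 20 s interval and the timeouts used are constructed values
    b = Router(20, timeout)
    a.negotiate("B", 0)
    b.negotiate("A", 0)
    recovered_at = None
    for now in range(0, end, 10):  # 10 s simulation ticks
        if now == restart_at:
            a.sa = None  # reboot: A loses its SA, B is not told
        if a.sa is not None and now % a.keepalive_interval == 0:
            b.hear_keepalive(now)  # A's Keep Alive reaches B
        if b.check_timeout(now):  # stale SA detected: remove it and renegotiate both ends
            a.negotiate("B", now)
            b.negotiate("A", now)
            recovered_at = now
    return {"tunnel_up": a.sa is not None and b.sa is not None,
            "renegotiations": b.negotiations, "recovered_at": recovered_at}
```

With timeout None, Router B keeps the stale SA for the whole run and the tunnel never recovers; with a 60 s timeout it removes the SA at the first tick after 60 s of silence and both ends renegotiate.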