Nortel Secure Router 8000 Series
Troubleshooting - VAS
Release: 5.3
Document Revision: 01.01
www.nortel.com
NN46240-709 324767-A
Publication: NN46240-709
Document status: Standard
Document release date: 30 March 2009
Copyright © 2009 Nortel Networks
All Rights Reserved.
Printed in Canada, India, and the United States of America
LEGAL NOTICE
While the information in this document is believed to be accurate and reliable, except as otherwise expressly
agreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF
ANY KIND, EITHER EXPRESS OR IMPLIED. The information and/or products described in this document are
subject to change without notice.
Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks.
All other trademarks are the property of their respective owners.
ATTENTION
For information about the safety precautions, read "Safety messages" in this guide.
For information about the software license, read "Software license" in this guide.
Nortel Secure Router 8000 Series
Troubleshooting - VAS Contents
Issue 01.01 (30 March 2009)
Nortel Networks Inc.
Contents
About this document
1 AAA troubleshooting
1.1 AAA overview
1.1.1 AAA, RADIUS, and HWTACACS
1.1.2 Domains and address pool
1.1.3 Schemes and modes
1.1.4 Server templates
1.2 Troubleshooting local user authentication
1.2.1 Typical networking
1.2.2 Configuration notes
1.2.3 Troubleshooting flowchart
1.2.4 Troubleshooting procedure
1.3 Troubleshooting RADIUS authentication
1.3.1 Typical networking
1.3.2 Configuration notes
1.3.3 Troubleshooting flowchart
1.3.4 Troubleshooting procedure
1.4 Troubleshooting HWTACACS authentication
1.4.1 Typical networking
1.4.2 Configuration notes
1.4.3 Troubleshooting flowchart
1.4.4 Troubleshooting procedure
1.5 Troubleshooting cases
1.5.1 FTP user fails to pass through RADIUS authentication
1.5.2 HWTACACS user fails to get the delivered address
1.6 FAQs
1.7 Diagnostic tools
1.7.1 Display commands
1.7.2 Debugging commands
2 IPSec and IKE troubleshooting
2.1 IPSec and IKE overview
2.2 Troubleshooting manual IPSec SA setup
2.2.1 Typical networking
2.2.2 Configuration notes
2.2.3 Troubleshooting flowchart
2.2.4 Troubleshooting procedure
2.3 Troubleshooting ISAKMP SA
2.3.1 Typical networking
2.3.2 Configuration notes
2.3.3 Troubleshooting flowchart
2.3.4 Troubleshooting procedure
2.4 Troubleshooting SA setup using an IPSec policy template
2.4.1 Typical networking
2.4.2 Configuration notes
2.4.3 Troubleshooting flowchart
2.4.4 Troubleshooting procedure
2.5 Troubleshooting NAT traversal in the IPSec tunnel
2.5.1 Typical networking
2.5.2 Configuration notes
2.5.3 Troubleshooting flowchart
2.5.4 Troubleshooting procedure
2.6 Troubleshooting GRE over IPSec or L2TP over IPSec
2.6.1 Typical networking
2.6.2 Configuration notes
2.6.3 Troubleshooting flowchart
2.6.4 Troubleshooting procedure
2.7 Troubleshooting cases
2.8 FAQs
2.9 Diagnostic tools
2.9.1 Display commands
2.9.2 Debugging commands
3 Firewall troubleshooting
3.1 Firewall
3.2 Troubleshooting the firewall
3.2.1 Networking environment
3.2.2 Configuration notes
3.2.3 Diagnostic flowchart
3.2.4 Troubleshooting procedures
3.3 FAQs
3.4 Diagnostic tools
4 NAT troubleshooting
4.1 NAT
4.1.1 NAT attributes
4.1.2 NAT modes
4.1.3 Special protocols supported by the address translation
4.2 Troubleshooting NAT Troubleshooting
4.2.1 Typical Networking
4.2.2 Configuration notes
4.2.3 Troubleshooting flowchart
4.2.4 Troubleshooting procedures
4.3 Troubleshooting cases
4.3.1 Internal Network Cannot Successfully Ping the External Network After NAT Is Configured on the Router
4.4 FAQs
4.5 Diagnostic tools
4.5.1 Display commands
4.5.2 Debugging commands
Index
Figures
Figure 1-1 RADIUS message structure
Figure 1-2 Attribute format
Figure 1-3 Networking diagram of local authentication
Figure 1-4 Troubleshooting flowchart of local user authentication
Figure 1-5 Networking diagram of RADIUS authentication
Figure 1-6 Troubleshooting flowchart of RADIUS authentication
Figure 1-7 Networking diagram of HWTACACS authentication
Figure 1-8 Troubleshooting flowchart of HWTACACS authentication
Figure 1-9 Networking diagram of RADIUS authentication
Figure 1-10 Networking diagram of HWTACACS authentication
Figure 2-1 Format of the transport mode packets
Figure 2-2 Format of the tunnel mode packets
Figure 2-3 Networking diagram of the manual IPSec SA setup
Figure 2-4 Troubleshooting flowchart of IPSec SA manual setup
Figure 2-5 Networking diagram of setting up ISAKMP IPSec
Figure 2-6 Troubleshooting flowchart of SA setup in Phase 1
Figure 2-7 Troubleshooting flowchart of SA setup in Phase 2
Figure 2-8 Networking diagram of setting up SA using an IPSec policy template
Figure 2-9 Troubleshooting flowchart of setting up IPSec SA using an IPSec policy template
Figure 2-10 Networking diagram of IPSec NAT
Figure 2-11 Troubleshooting flowchart of NAT traversal in IPSec
Figure 2-12 Networking diagram of configuring IPSec
Figure 2-13 Troubleshooting flowchart of GRE over IPSec
Figure 2-14 Networking diagram of IPSec setup
Figure 3-1 Networking of the firewall
Figure 3-2 Diagnostic flowchart for faults on the firewall
Figure 4-1 NAT principles
Figure 4-2 NAPT working mode
Figure 4-3 NAT networking
Figure 4-4 Networking of the load balancing, flow control and BT speed control on the NAT server
Figure 4-5 Troubleshooting flowchart
Figure 4-6 Internal network fails to ping the external network
About this document
Overview
This section describes the organization of this document, product version, intended audience,
conventions, and update history.
Related versions
The following table lists the product versions related to this document.
Product Name                        Version
Nortel Secure Router 8000 Series    V200R005
Intended audience
This document is intended for the following audience:
• network operators
• network administrators
• network maintenance engineers
Organization
This document consists of three chapters related to Value Added Service (VAS)
troubleshooting and is organized as follows.
Chapter                            Description
1 AAA troubleshooting              This chapter describes the troubleshooting procedure for the Authentication, Authorization, and Accounting (AAA) protocol; frequently asked questions (FAQ); and diagnostic tools.
2 IPSec and IKE troubleshooting    This chapter describes troubleshooting procedures for IP Security (IPSec) and Internet Key Exchange (IKE), FAQs, and diagnostic tools.
3 Firewall Troubleshooting         This chapter describes the troubleshooting procedure for Firewall, FAQs, and diagnostic tools.
4 NAT troubleshooting              This chapter describes the troubleshooting procedure for Network Address Translation (NAT), FAQs, and diagnostic tools.
Conventions
This section describes the symbol and text conventions used in this document.
Symbol conventions
Symbol    Description
Indicates a hazard with a high level of risk that, if not avoided, can result in death or serious injury.
Indicates a hazard with a medium or low level of risk that, if not avoided, can result in minor or moderate injury.
Indicates a potentially hazardous situation that, if not avoided, can cause equipment damage, data loss, and performance degradation, or unexpected results.
Indicates a tip that may help you solve a problem or save time.
Provides additional information to emphasize or supplement important points of the main text.
General conventions
Convention         Description
Times New Roman    Normal paragraphs are in Times New Roman font.
Boldface           Names of files, directories, folders, and users are in boldface. For example, log on as the user root.
Italic             Book titles are in italics.
Courier New        Terminal display is in Courier New font.
Command conventions
Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }     Alternative items are grouped in braces and separated by vertical bars. You can select one item.
[ x | y | ... ]     Optional alternative items are grouped in square brackets and separated by vertical bars. You can select one item or no item.
{ x | y | ... } *   Alternative items are grouped in braces and separated by vertical bars. You can select a minimum of one item or a maximum of all items.
[ x | y | ... ] *   Optional alternative items are grouped in square brackets and separated by vertical bars. You can select no item or multiple items.
&<1-n>              The parameter before the ampersand sign (&) can be repeated 1 to n times.
#                   A line starting with the number sign (#) contains comments.
GUI conventions
Convention    Description
Boldface      Buttons, menus, parameters, tabs, windows, and dialog box titles are in boldface. For example, click OK.
>             Multilevel menus are in boldface and separated by the right-angled bracket sign (>). For example, choose File > Create > Folder.
Keyboard operation
Format          Description
Key             Press the key. For example, press Enter and press Tab.
Key 1+Key 2     Press the keys concurrently. For example, Ctrl+Alt+A means press the three keys concurrently.
Key 1, Key 2    Press the keys in sequence. For example, Alt, A means press the two keys in sequence.
Mouse operation
Action          Description
Click           Select and release the primary mouse button without moving the pointer.
Double-click    Press the primary mouse button twice quickly without moving the pointer.
Drag            Press and hold the primary mouse button and move the pointer to a new position.
Update history
Updates between document versions are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Updates in Issue 1.0 (6 June 2008)
This is the first commercial release of this document.
Contents
1 AAA troubleshooting
1.1 AAA overview
1.1.1 AAA, RADIUS, and HWTACACS
1.1.2 Domains and address pool
1.1.3 Schemes and modes
1.1.4 Server templates
1.2 Troubleshooting local user authentication
1.2.1 Typical networking
1.2.2 Configuration notes
1.2.3 Troubleshooting flowchart
1.3 Troubleshooting RADIUS authentication
1.3.1 Typical networking
1.3.2 Configuration notes
1.3.3 Troubleshooting flowchart
1.3.4 Troubleshooting procedure
1.4 Troubleshooting cases
1.4.1 FTP user fails to pass through RADIUS authentication
1.4.2 HWTACACS user fails to get the delivered address
1.5 FAQs
1.6 Diagnostic tools
1.6.1 Display commands
1.6.2 Debugging commands
1 AAA troubleshooting
About this chapter
The following table shows the contents of this chapter.
Section                                          Description
1.1 AAA overview                                 This section describes the concepts you need to know before troubleshooting Authentication, Authorization, and Accounting (AAA).
1.2 Troubleshooting local user authentication    This section contains configuration notes for local user authentication, and provides the local user authentication troubleshooting flowchart and procedure for a typical local user authentication network.
1.3 Troubleshooting RADIUS authentication        This section contains configuration notes for RADIUS authentication, and provides the RADIUS authentication troubleshooting flowchart and procedure for a typical RADIUS authentication network.
1.4 Troubleshooting cases                        This section presents several troubleshooting cases.
1.5 FAQs                                         This section lists frequently asked questions (FAQs) and their answers.
1.6 Diagnostic tools                             This section describes common diagnostic tools: display commands and debugging commands.
1.1 AAA overview
This section describes the basic concepts of AAA, RADIUS, and HWTACACS.
1.1.1 AAA and RADIUS
AAA
Authentication, Authorization, and Accounting (AAA) contains the following three types of
security services.
• Authentication: specifies what type of user can access the network.
• Authorization: specifies what type of service the user can use.
• Accounting: records the network resource utilization of the user.
AAA adopts the client/server model, in which the client runs on the resource side and the
server stores information about the user. This model is extensible and provides an effective
way to manage users.
The two communication protocols used between the client and the server are as follows:
• Remote Authentication Dial-In User Service (RADIUS) protocol
• Huawei Terminal Access Controller Access Control System (HWTACACS) protocol (HWTACACS is an enhancement of TACACS)
RADIUS
RADIUS is used for communication between the Network Access Server (NAS) and the
RADIUS server on the application layer.
RADIUS adopts the client/server model in which the client runs on the resource side and the
server stores information about the user.
RADIUS is carried in User Datagram Protocol (UDP) packets. To ensure reliability, it supports a retransmission mechanism and a backup server mechanism. The authentication and accounting ports used by RADIUS are 1645/1646 or 1812/1813.
Figure 1-1 shows the RADIUS packet format.
Figure 1-1 RADIUS message structure
[Figure: packet layout drawn 32 bits wide, showing the fields Code, Identifier, Length, Authenticator, and Attribute]
The following list describes the RADIUS message structure:
• Code—contains 1 byte, indicating the RADIUS message type. The common code values are as follows.
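An added example, not part of the Nortel manual: a parser for the header layout named in Figure 1-1 (Code, Identifier, Length, Authenticator, Attribute) that can be run over a captured RADIUS packet when troubleshooting, plus the reply check that fails when the shared secret differs between the NAS and the server. Field widths other than the 1-byte Code, the code and attribute numbers, and the Response Authenticator formula are taken from RFC 2865/2866, not from this page; the sample packets and the secret are constructed.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 20          # Code(1) + Identifier(1) + Length(2) + Authenticator(16), per RFC 2865
MAX_PACKET_LEN = 4096    # RFC 2865 upper bound for the Length field

# Code names from RFC 2865/2866 (assumption: not copied from this manual's own list).
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}


class RadiusParseError(ValueError):
    """Raised when a buffer is not a well-formed RADIUS packet."""


def parse_radius(data):
    """Split a raw UDP payload into header fields and (type, value) attributes."""
    if len(data) < HEADER_LEN:
        raise RadiusParseError("shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if not HEADER_LEN <= length <= MAX_PACKET_LEN:
        raise RadiusParseError(f"Length field {length} out of range")
    if length > len(data):
        raise RadiusParseError("packet truncated: Length exceeds bytes received")
    # Bytes beyond Length are padding and are ignored.
    attributes = []
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise RadiusParseError("dangling byte after last attribute")
        attr_type, attr_len = data[pos], data[pos + 1]
        # Attribute length counts its own 2-byte type/length prefix.
        if attr_len < 2 or pos + attr_len > length:
            raise RadiusParseError(f"attribute {attr_type} has bad length {attr_len}")
        attributes.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return {
        "code": code,
        "code_name": CODE_NAMES.get(code, "unknown"),
        "identifier": identifier,
        "length": length,
        "authenticator": data[4:HEADER_LEN],
        "attributes": attributes,
    }


def response_authenticator_ok(response, request_authenticator, secret):
    """Check MD5(Code+ID+Length+RequestAuth+Attributes+Secret) against the reply."""
    parsed = parse_radius(response)
    body = response[:parsed["length"]]
    expected = hashlib.md5(
        body[:4] + request_authenticator + body[HEADER_LEN:] + secret
    ).digest()
    return hmac.compare_digest(expected, parsed["authenticator"])


def build_packet(code, identifier, authenticator, attributes):
    """Helper used only to construct the sample packets below."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def build_sample_exchange(secret=b"constructed-secret"):
    """Constructed Access-Request / Access-Accept pair (not captured traffic)."""
    req_auth = bytes(range(16))
    request = build_packet(1, 42, req_auth,
                           [(1, b"user1"),                    # User-Name
                            (4, bytes([192, 0, 2, 1]))])      # NAS-IP-Address
    reply_attrs = [(18, b"ok")]                               # Reply-Message
    unsigned = build_packet(2, 42, req_auth, reply_attrs)
    resp_auth = hashlib.md5(unsigned + secret).digest()
    response = build_packet(2, 42, resp_auth, reply_attrs)
    return request, response, req_auth


if __name__ == "__main__":
    request, response, req_auth = build_sample_exchange()
    print(parse_radius(request))
    print("reply verifies with matching secret:",
          response_authenticator_ok(response, req_auth, b"constructed-secret"))
    print("reply verifies with mismatched secret:",
          response_authenticator_ok(response, req_auth, b"other-secret"))
```

A reply that parses cleanly but fails `response_authenticator_ok` points to a shared-secret mismatch rather than a malformed packet.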