<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Get started with troubleshooting VPN" />
<meta name="abstract" content="View this information to begin finding and correcting your VPN connection problems." />
<meta name="description" content="View this information to begin finding and correcting your VPN connection problems." />
<meta name="DC.Relation" scheme="URI" content="rzajatroubleshootvpn.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajasystemreqs.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaerrorinfo.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajajoblogs.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaqipfilter.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajacomtrac.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajastartdyncon.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajagetstartpd" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Get started with troubleshooting VPN</title>
</head>
<body id="rzajagetstartpd"><a name="rzajagetstartpd"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Get started with troubleshooting VPN</h1>
<div><p>View this information to begin finding and correcting your VPN connection
problems.</p>
<div class="section">There are several ways to begin analyzing VPN problems:</div>
<ol><li><span>Always make sure that you have applied the latest Program Temporary
Fixes (PTFs).</span></li>
<li><span>Ensure that you meet the minimum VPN setup requirements.</span></li>
<li><span>Review any error messages that are found in the Error Information
window or in the VPN server job logs for both the local and the remote systems.
In fact, when you are troubleshooting VPN connection problems it is often
necessary to look at both ends of the connection. Further, you need to take
into account that there are four addresses you must check: the local and remote
connection endpoints, which are the addresses where IPSec is applied to the
IP packets, and the local and remote data endpoints, which are the source
and destination addresses of the IP packets.</span></li>
<li><span>If the error messages you find do not provide enough information
to solve the problem, check the IP filter journal.</span></li>
<li><span>The communication trace on the system offers you another place
to find general information about whether the local system receives or sends
connection requests.</span></li>
<li><span>The Trace TCP Application (TRCTCPAPP) command provides yet another
way to isolate problems. Typically, IBM<sup>®</sup> Service uses TRCTCPAPP to obtain trace
output in order to analyze connection problems.</span></li>
</ol>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajatroubleshootvpn.htm" title="Refer to this topic when you experience problems with your VPN connections.">Troubleshoot VPN</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajasystemreqs.htm" title="Use this information to ensure that you meet the minimum requirements for creating a VPN connection.">VPN setup requirements</a></div>
<div><a href="rzajajoblogs.htm" title="Describes the various job logs that VPN uses.">Troubleshoot VPN with the VPN job logs</a></div>
<div><a href="rzajacomtrac.htm" title="">Troubleshoot VPN with the communications trace</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzajaerrorinfo.htm" title="Complete this task to help you determine why your connection is in error.">View error information</a></div>
<div><a href="rzajaqipfilter.htm" title="View this information to learn about VPN filter rules.">Troubleshoot VPN with the QIPFILTER journal</a></div>
<div><a href="rzajastartdyncon.htm" title="Complete this task to start connections you will initiate locally.">Start a VPN connection</a></div>
</div>
</div><div class="nested1" xml:lang="en-us" id="otherthingstocheck"><a name="otherthingstocheck"><!-- --></a><h2 class="topictitle2">Other things to check</h2>
<div><div class="section">If an error occurs after you set up a connection, and you are not
sure where in the network the error occurred, try reducing the complexity
of your environment. For example, instead of investigating all parts of a
VPN connection at one time, start with the IP connection itself. The following
list gives you some basic guidelines on how to start VPN problem analysis,
from the simplest IP connection to the more complex VPN connection:</div>
<ol><li class="stepexpand"><span>Start with an IP configuration between the local and remote host.
Remove any IP filters on the interface that both the local and remote system
use for communicating. Can you PING from the local to the remote host?</span> <div class="note"><span class="notetitle">Note:</span> Remember to prompt on the PING command; enter the remote system
address and use PF10 for additional parameters, then enter the local IP address.
This is particularly important when you have multiple physical or logical
interfaces. It ensures that the right addresses are placed in the PING packets.</div>
<p>If
you answer <span class="uicontrol">yes</span>, then proceed to step 2. If you answer <span class="uicontrol">no</span>,
then check your IP configuration, interface status, and routing entries. If
the configuration is correct, use a communication trace to check, for example,
that a PING request leaves the system. If you send a PING request but you
receive no response, the problem is most likely the network or remote system.</p>
<div class="note"><span class="notetitle">Note:</span> There
may be intermediate routers or firewalls that perform IP packet filtering and
filter the PING packets. PING is typically based on the ICMP protocol.
If the PING is successful, you know you have connectivity. If the PING is
unsuccessful, you only know the PING failed. You may want to try other IP
protocols between the two systems, such as Telnet or FTP, to verify connectivity.</div>
</li>
<li class="stepexpand" id="otherthingstocheck__checkfilter"><a name="otherthingstocheck__checkfilter"><!-- --></a><span>Check the filter rules for VPN and ensure that
they are activated. Does filtering start successfully? If you answer <span class="uicontrol">yes</span>,
then proceed to step 3. If you answer <span class="uicontrol">no</span>, then check
for error messages in the Packet Rules window in <span class="keyword">iSeries™ Navigator</span>.
Ensure that the filter rules do not specify Network Address Translation (NAT)
for any VPN traffic.</span></li>
<li class="stepexpand" id="otherthingstocheck__startvpn"><a name="otherthingstocheck__startvpn"><!-- --></a><span>Start your VPN connection. Does the connection start
successfully? If you answer <span class="uicontrol">yes</span>, then proceed to step
4. If you answer <span class="uicontrol">no</span>, then check the QTOVMAN
job log and the QTOKVPNIKE job logs for errors. When you use VPN, your Internet
Service Provider (ISP) and every security gateway in your network must support
the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols.
Whether you choose to use AH or ESP depends on the proposals you define for
your VPN connection.</span></li>
<li class="stepexpand" id="otherthingstocheck__activateuser"><a name="otherthingstocheck__activateuser"><!-- --></a><span>Are you able to activate a user session over
the VPN connection? If you answer <span class="uicontrol">yes</span>, then the VPN
connection works as required. If you answer <span class="uicontrol">no</span>, then
check the packet rules and the VPN dynamic-key groups and connections for
filter definitions that do not allow the user traffic you want.</span></li>
</ol>
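<p>The connectivity check in step 1, as an added example that is not part of the original IBM topic: a Python probe that pins the source address, as the local address on the PING prompt does, and tries Telnet and FTP over TCP when ICMP may be filtered. The function names and the sample addresses are assumptions made for illustration, and the script is meant to run on any host along the path that has Python available.</p>

```python
# Added example, not IBM code: TCP reachability probe with a pinned source address.
import errno
import socket


def probe_tcp(remote_addr, port, local_addr=None, timeout=3.0):
    """Classify one TCP connection attempt to remote_addr:port.

    "open"       handshake completed
    "refused"    a reset came back, so packets travel both ways
                 (normally from the remote host itself, nothing listening)
    "timeout"    no answer: filtered, dropped, or host down
    "bad-source" local_addr is not configured on this host
    "error:NAME" any other OS error, such as ENETUNREACH (no route)
    """
    # Binding to (local_addr, 0) pins the source IP, as the local address
    # parameter does on the PING prompt; port 0 lets the OS choose the port.
    source = (local_addr, 0) if local_addr else None
    try:
        with socket.create_connection((remote_addr, port), timeout=timeout,
                                      source_address=source):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        if exc.errno == errno.EADDRNOTAVAIL:
            return "bad-source"
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))


def check_path(remote_addr, local_addr, ports=(23, 21)):
    """Probe Telnet (23) and FTP (21), the alternatives named in the note."""
    return {port: probe_tcp(remote_addr, port, local_addr) for port in ports}


def has_ip_connectivity(results):
    """True when any probe shows traffic passing in both directions."""
    return any(state in ("open", "refused") for state in results.values())


if __name__ == "__main__":
    # Constructed placeholder addresses (documentation ranges), not real hosts.
    results = check_path("198.51.100.20", "192.0.2.10")
    print(results, "connectivity:", has_ip_connectivity(results))
```

<p>A "refused" result still indicates IP connectivity, because a reset was returned; only "timeout" on every port leaves the question open, just as a failed PING does.</p>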
</div>
</div>
</body>
</html>