
Avaya 2330/4134 - Common Errors; Troubleshooting VPN; Before Getting Started

Avaya 2330/4134
394 pages
plain routing will fail. If the NAT-translation shows up in the NAT-translation table, then
very likely, the firewall is working fine.
Is an ALG at fault?
- See the "Troubleshooting Firewall" section.
Does the packet leave the firewall?
- See the "Troubleshooting Firewall" section.
Is the return packet routing back to the Secure Router?
- Watch the output of debug firewall packet or use a packet sniffer on the
untrusted/public side. If a packet does not return to the router, confirm that the egress
packet was actually NATted. Otherwise, a non-returning packet indicates a problem
outside the NATting secure router.
Common errors
See the "Troubleshooting Firewall" section. A proper nat-failover configuration requires
both of the following commands:
a. On the firewall policy, name the primary egress interface, for example:
policy 1000 out nat-ip wan1
b. In the firewall global area, name the backup interface, for example:
firewall global nat-failover wan1 wan2
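The following is an added example, not part of the Avaya manual: a small Python check that a saved configuration contains both halves of the nat-failover setup described above and that they name the same primary interface. It assumes the configuration text shows the two commands in the forms quoted on this page; the function name and the sample configurations are constructed for illustration.

```python
import re

# Both patterns follow the command forms quoted on this page. Matching them
# anywhere in a line of saved configuration text is an assumption.
POLICY_RE = re.compile(r"\bpolicy\s+(\d+)\s+out\b.*?\bnat-ip\s+(\S+)")
FAILOVER_RE = re.compile(r"\bnat-failover\s+(\S+)\s+(\S+)")

def check_nat_failover(config_text):
    """Return findings; an empty list means both commands are present and agree."""
    nat_policies = {}   # egress interface -> policy numbers that NAT to it
    pairs = []          # (primary, backup) from the firewall global area
    for line in config_text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            nat_policies.setdefault(m.group(2), []).append(m.group(1))
        m = FAILOVER_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    findings = []
    if not pairs:
        findings.append("no nat-failover pair defined in the firewall global area")
    for primary, backup in pairs:
        if primary == backup:
            findings.append(f"nat-failover {primary} {backup}: backup is the primary")
        if primary not in nat_policies:
            named = ", ".join(sorted(nat_policies)) or "none"
            findings.append(f"nat-failover {primary} {backup}: no outbound policy "
                            f"names {primary} with nat-ip (policies name: {named})")
    return findings

# Constructed sample configurations (not captured from a device).
GOOD = """policy 1000 out nat-ip wan1
firewall global nat-failover wan1 wan2"""
MISSING_GLOBAL = "policy 1000 out nat-ip wan1"
MISMATCH = """policy 1000 out nat-ip wan1
firewall global nat-failover wan2 wan3"""

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("MISSING_GLOBAL", MISSING_GLOBAL),
                      ("MISMATCH", MISMATCH)):
        print(name, check_nat_failover(cfg) or "ok")
```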
Troubleshooting VPN
This section details techniques used to troubleshoot VPN.
Before getting started
Avaya Secure Routers offer an IPsec VPN capability for IPv4 networks. IPsec VPNs offer the
security services of privacy (encryption), data integrity (hashed message authentication
codes), peer authentication (through IKE), replay protection and access control (through policy
filtering). These security services are provided to protected networks beyond the security
gateways. IPsec VPN relationships always involve a set of exactly two IPsec peer security
gateways and some number of protected networks on the trusted side of each gateway.
To troubleshoot a site to site VPN you need a network map. The network map must accurately
reveal the security gateways, with their public addresses, protected networks, and interface
names all labeled. A VPN map may or may not be a secret document depending upon site
Troubleshooting security
204 Troubleshooting August 2013
Comments? infodev@avaya.com