Troubleshooting Static VPN Peer to Peer
Use the following steps to troubleshoot Static routing over VPN (where nailed-up
configuration and periodic DPD are optional).
Procedure steps
1. To verify that the internal VPN accelerator card is installed on the SR2330/4134,
enter:
show chassis
For the SR4134, verify that internal card type VPN_A is installed.
For the SR2330, verify that internal card type SCIM_A is installed.
2. To display the interface configuration, enter:
show ip interfaces brief
show interface ethernet <slot/port>
Verify that the public VPN interface is up and has the correct IP address
configured.
3. To display the crypto interface configuration, enter:
show crypto interfaces
Verify that the public VPN interface is configured as an untrusted interface, and that
the internal network interfaces are configured as trusted interfaces.
Similarly, you can use the show firewall interface all command to verify
that the public VPN interface is a member of the internet zone, and that the internal
network interfaces are members of the corp zone (or another user-configured
trusted zone).
show firewall interface all
4. The SR2330/4134 automatically creates firewall maps, internet and corp, at
boot-up. (You can also create custom firewall maps.)
To display the firewall configuration, enter:
show firewall policy corp
show firewall policy internet
You must verify that the following policies exist:
Troubleshooting August 2013 213