Figure 12-14 Troubleshooting flowchart for a failure of NAT traversal in IPSec
[Flowchart: IKE SAs fail to be established by NAT traversal in IPSec -> Can both interfaces be pinged? (if No, see "Ping Operation Failed") -> Are configurations of IKE peers correct? (if No, modify configurations of IKE peers) -> Are IKE proposals of IKE peers the same? (if No, modify configurations to be the same) -> Is fault rectified? (if No, seek technical support) -> End]
Troubleshooting Procedure

NOTE
Saving the results of each troubleshooting step is recommended. If troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.

Procedure

Step 1 Check whether the IPSec SA and IKE SA are established successfully.

Run the display ike sa command to check the SAs established by a peer in certain phases according to the Peer, Flag, and Phase fields. The command output shows that the peer at 30.0.0.0 establishes the IKE SA in phase 1 and the IPSec SA in phase 2 by using IKE negotiation.
<RouterA> display ike sa
    Conn-ID  Peer      VPN  Flag(s)  Phase
  ---------------------------------------------------------------
    397      30.0.0.1  0    RD       2
    367      30.0.0.1  0    RD       1

  Flag Description:
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
  HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
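
One way to automate the Step 1 check when saved command output is reviewed offline, as an added example that is not part of the Huawei manual: it parses display ike sa output and classifies a peer's tunnel from the Peer, Flag(s) and Phase fields. The names parse_ike_sa and sa_status are hypothetical, the "|" separator between multiple flags is an assumption, and the second sample is constructed.

```python
import re

# One data row: Conn-ID, Peer (IPv4), VPN, Flag(s), Phase.
ROW = re.compile(
    r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+([12])\s*$")

# Output as shown on the page.
PAGE_OUTPUT = """\
    Conn-ID  Peer      VPN  Flag(s)  Phase
  ---------------------------------------------------------------
    397      30.0.0.1  0    RD       2
    367      30.0.0.1  0    RD       1
  Flag Description:
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
"""

# Constructed sample: phase 1 is up, the phase 2 SA has timed out.
CONSTRUCTED_OUTPUT = """\
    12       192.0.2.10  0  RD|ST    1
    13       192.0.2.10  0  TO       2
"""

def parse_ike_sa(text):
    """Return one dict per SA row; header, separator and legend lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        conn_id, peer, vpn, flags, phase = m.groups()
        # Assumption: several flags on one SA are joined with "|" (e.g. "RD|ST").
        rows.append({"conn_id": int(conn_id), "peer": peer, "vpn": vpn,
                     "flags": set(flags.split("|")), "phase": int(phase)})
    return rows

def sa_status(rows, peer):
    """Classify the tunnel to `peer`: an SA counts as up only if it carries RD."""
    def ready(phase):
        return any(r["peer"] == peer and r["phase"] == phase and "RD" in r["flags"]
                   for r in rows)
    if not ready(1):
        return "phase 1 (IKE SA) not ready"
    if not ready(2):
        return "phase 1 ready, phase 2 (IPSec SA) not ready"
    return "IKE SA and IPSec SA ready"

if __name__ == "__main__":
    print(sa_status(parse_ike_sa(PAGE_OUTPUT), "30.0.0.1"))
    print(sa_status(parse_ike_sa(CONSTRUCTED_OUTPUT), "192.0.2.10"))
```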

Huawei AR2200-S Series Enterprise Routers, Troubleshooting, 12 VPN, Issue 01 (2012-01-06)
Huawei Proprietary and Confidential. Copyright © Huawei Technologies Co., Ltd.