HPE IPsec Troubleshooting


HP6600_HSR6600_HSR6800 Routers

Troubleshooting Guide

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Part number: 5998-5042


Contents

Troubleshooting application layer service failures
  Service failures on an IP network
    Symptom
    Solution
  Service failures on an MPLS network
    Symptom
    Solution
  Related commands
Troubleshooting IPsec/IKE
  The receiver discards IPsec packets from the router
    Symptom
    Solution
  Core and branch devices cannot communicate after the core device restarts
    Symptom
    Solution
  Related commands
Troubleshooting packet forwarding
  Packet loss or forwarding failure
    Symptom
    Solution
  Related commands
Troubleshooting packet disorder
  CPOS MP link transient interruption or failure
    Symptom
    Solution
Troubleshooting NAT
  Some services are not available after NAT is enabled
    Symptom
    Solution
  NAT fails but the ping operation succeeds
    Symptom
    Solution
  Internal users cannot always access the external network
    Symptom
    Solution
  Low network speed, and no buffers for an interface
    Symptom
    Solution
  Related commands
Troubleshooting BAS
  L2TP link establishment failure when free IP addresses are available
    Symptom
    Solution
  Related commands
Troubleshooting L2TP
  L2TP link establishment failure caused by L2TP attacks
    Symptom
    Solution
  Related commands
Troubleshooting transceiver modules
  Transceiver module information not updated
    Symptom
    Solution
Troubleshooting device interoperability issues
  BGP neighbor relationship failure or down
    Symptom
    Solution
  OSPF neighbor relationship establishment failure
    Symptom
    Solution
  OSPF neighbor relationship down
    Symptom
    Solution
  OSPF route calculation error
    Symptom
    Solution
  BFD session flapping
    Symptom
    Solution
  An MP bundle has only one physical port in up state
    Symptom
    Solution
  HDLC interoperability failure
    Symptom
    Solution
  E1 line cannot come up
    Symptom
    Solution
  POS interface cannot work correctly
    Symptom
    Solution
  ATM interoperability failure
    Symptom
    Solution
  Related commands

Troubleshooting application layer service failures
This section provides troubleshooting information for common problems with application layer
services.

Service failures on an IP network


Symptom
Two hosts on different network segments can ping each other, but they cannot receive data packets
from each other. The contents of the routing table and the FIB table of the router are correct.

Solution
To resolve the problem:
1. Execute the display ip statistics command to verify that the value of the couldn't fragment field
increases as the service continues.
2. Verify that the following services or applications exist in the network:
   • Server access services.
   • TCP-based services.
   • Services that might transmit large packets, such as videos, images, encrypted data, and mass data.
   • GRE, IPsec, or transition applications.
3. Increase the MTU of the sending interface according to the receiving capacity of the card, link,
and the peer device.
4. Execute the tcp mss command to configure the TCP MSS on the interface.
If the size of a TCP segment is larger than the MSS of the receiving interface, the host fragments
the TCP segment according to the MSS of the receiving interface. This configuration takes effect
on only TCP connections that are established after the configuration.
5. If the problem persists, contact HP Support.
When you contact HP Support, provide the following information:
   • Network topology.
   • MTUs of the receiving and sending interfaces.
   • System software image version.

Service failures on an MPLS network

Symptom
Two routers act as CEs to access an MPLS network. The contents of routing tables, LSP tables, FIB tables
for the MPUs and FIPs of the routers are correct, and the routers can ping each other.
However, a user service cannot operate correctly. The service might be unresponsive during operation.
Some packets are received, and most of the packets are lost.

Solution
To resolve the problem:
1. Verify that the service meets the following conditions:
   • It is a server access service.
   • It is a TCP-based service.
   • It is a service that might transmit large packets, such as video, image, encrypted data, or mass data.
2. Execute the debugging mpls packet command to verify that a message (for example, "PketLen
1508 is larger than MPLS MTU 1500.") is displayed as the service continues.
3. Verify that the mpls mtu command has been executed on the MPLS-capable interfaces of the PE
connected to the routers.
Typically, the MPLS MTU is set to the value of the IP MTU + 64 bits (length of two labels).
4. Verify that the tcp mss command has been executed on the C devices, CEs, and PE-CE interfaces
of the PE connected to the routers.
This configuration takes effect only on TCP connections that are established after the
configuration and not on the TCP connections that already exist.
5. If the problem persists, contact HP Support.
When you contact HP Support, provide the following information:
   • Network topology.
   • MTUs of the receiving and sending interfaces.
   • System software image version.

Related commands
This section lists the commands that you might use for troubleshooting MPLS.

Command                  Description
debugging mpls packet    Enables MPLS packet debugging.
display ip statistics    Displays IP packet statistics.


Troubleshooting IPsec/IKE
This section provides troubleshooting information for common problems with IPsec/IKE.

The receiver discards IPsec packets from the router


Symptom
The router generates IPsec packets with duplicate sequence numbers, resulting in packet discarding on
the receiver.
Example log message:
%Jul 3 09:23:20:448 2009 suihua IPSEC/3/DROP:
IPsec Packet discarded--Src IP:10.59.39.17 ||Dest IP:10.59.39.19 || SPI:2742051993 || SN:338127 || Cause:anti-replay checking doesn't pass

Solution
To resolve the problem:
1. Verify that the software version running on the router does not have this problem.
a. Use the display version command to display the system version.
b. Check the problem list in the release notes for this problem.
   • If the current version has the problem, update it to a version that has solved this problem.
   • If the current version does not have the problem, go to Step 2.
2. Verify that the following IPsec-related settings on the router and the receiver are correct:
   • IKE peer ACL configuration is correct.
   • IPsec SA/tunnels and IKE SAs have been correctly established.
   • The number of IPsec tunnels does not exceed the maximum.
3. If the problem persists, contact HP Support.
When you contact HP Support, provide the following information:
   • Packet discarding reason. Identify the reason by executing the display ipsec statistics command on the receiver.
      - If packets are discarded due to authentication failures, it is because IPsec packets have a large number of fragments, and the fragments have duplicate fragment IDs. Collect the IPsec log message and send it to HP Support.
      - If packets are discarded due to replay and the receiver is a multi-core device, the problem is most likely caused by concurrent processing disorders.
      - If packets are discarded due to replay and the receiver is a single-core device, the problem is caused by the router (the sender). Capture IPsec packets sent by the router, check the S field of the IPsec packets, and send the S field information to HP Support.
   • IP packet statistics and interface information collected on the router by using the display ip statistics command and the display interface command.
   • Memory usage information collected on the router by using the display memory command.
   • Device model and software version of the receiver.
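
The replay-related branches above come down to how the receiver's anti-replay window treats each sequence number. The following added example (not from HP's guide or device code) parses the DROP message shown in the symptom and replays sequence numbers through an RFC 4303-style sliding window. The 64-packet window size, the function names, and the sample sequences are assumptions constructed for illustration.

```python
import re
from collections import Counter

WINDOW = 64  # assumption: RFC 4303's default window; the page does not give the device's value

# The DROP message from the symptom above, with its line wraps removed.
PAGE_DROP = ("IPsec Packet discarded--Src IP:10.59.39.17 ||Dest IP:10.59.39.19 || "
             "SPI:2742051993 || SN:338127 || Cause:anti-replay checking doesn't pass")

DROP_RE = re.compile(
    r"Src IP:(?P<src>\S+)\s*\|\|\s*Dest IP:(?P<dst>\S+)\s*\|\|\s*"
    r"SPI:(?P<spi>\d+)\s*\|\|\s*SN:(?P<sn>\d+)\s*\|\|\s*Cause:(?P<cause>.+)")


def parse_drop(message):
    """Extract src, dst, SPI, SN and cause from an IPSEC/3/DROP message."""
    m = DROP_RE.search(message)
    if m is None:
        return None
    fields = m.groupdict()
    fields["spi"], fields["sn"] = int(fields["spi"]), int(fields["sn"])
    fields["cause"] = fields["cause"].strip()
    return fields


class ReplayWindow:
    """Sliding-window anti-replay check for one SA (32-bit sequence numbers, no ESN)."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means (top - i) was already accepted

    def check(self, sn):
        if sn < 1:
            return "invalid"              # ESP sequence numbers start at 1
        if sn > self.top:                 # new highest: slide the window forward
            shift = sn - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = sn
            return "accept"
        offset = self.top - sn
        if offset >= self.size:
            return "too_old"              # fell out of the window before arriving
        if self.bitmap & (1 << offset):
            return "duplicate"            # this exact number was already accepted
        self.bitmap |= 1 << offset        # late but inside the window
        return "accept"


def classify(sequence_numbers, size=WINDOW):
    """Run one SA's sequence numbers, in observed order, through the window."""
    window, verdicts, dropped = ReplayWindow(size), Counter(), []
    for sn in sequence_numbers:
        verdict = window.check(sn)
        verdicts[verdict] += 1
        if verdict != "accept":
            dropped.append((sn, verdict))
    return verdicts, dropped


def diagnose(sequence_numbers, size=WINDOW):
    """Map the drops to the two replay branches in the guide."""
    verdicts, _ = classify(sequence_numbers, size)
    if verdicts["duplicate"]:
        return "duplicate-sn"             # same number seen twice: look at the sender
    if verdicts["too_old"]:
        return "reordered-beyond-window"  # unique numbers arriving too late
    return "clean"


# Constructed samples (not taken from a real capture).
SENDER_CAPTURE = [338125, 338126, 338127, 338127, 338128]   # 338127 sent twice
LATE_ARRIVAL = [1, 2, 3, 4] + list(range(6, 101)) + [5]     # 5 arrives 95 packets late
IN_WINDOW = [1, 2, 4, 3]                                    # mild reordering, tolerated

if __name__ == "__main__":
    print(parse_drop(PAGE_DROP))
    for name, sns in (("sender capture", SENDER_CAPTURE),
                      ("late arrival", LATE_ARRIVAL), ("in window", IN_WINDOW)):
        print(name, diagnose(sns), classify(sns)[1])
```

Feed it the sequence numbers for a single SPI only, because each SA keeps its own counter and window.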

Core and branch devices cannot communicate after the core device restarts

Symptom
The router is the core device, and it has established IPsec tunnels with branch devices through IPsec
policy templates. After the core device restarts, the core and branch devices cannot communicate with
each other.

Solution
Because the router uses an IPsec policy template, the router does not initiate IKE negotiations. It only
responds to the IKE negotiations initiated by the branch devices to establish IKE SAs. After the router
restarts, the IKE SAs on the router are cleared, but the IKE SAs on the branch devices are not cleared.
When the branch devices have traffic to trigger establishment of IPsec SAs, the branch devices use the
old IKE SAs to negotiate the IPsec SAs, which will fail because the router has no IKE SAs.
To resolve the problem:
1. Execute the reset ike sa command and the reset ipsec sa command on the branch devices.
The reset commands clear existing IKE SAs and IPsec SAs. After the SAs are cleared, traffic from
a branch to the core will trigger new IKE negotiation to establish new IPsec SAs.
2. Configure a keepalive timer and DPD on the core router and the branch devices.
Keepalive and DPD allow the devices to detect the failures of their peers in time. If the peer is
detected as dead, the local device deletes existing IKE SAs and IPsec SAs.
3. If the problem persists, contact HP Support.

Related commands
This section lists the commands that you might use for troubleshooting IPsec/IKE.

Command                           Description
display current-configuration     Displays the running configuration.
display diagnostic-information    Displays or saves running statistics for multiple feature modules.
display ike sa                    Displays IKE SA information.
display interface                 Displays interface information.
display ipsec sa                  Displays IPsec SA information.
display ipsec statistics          Displays IPsec packet statistics.
display ipsec tunnel              Displays IPsec tunnel information.
display memory                    Displays memory usage statistics.
display version                   Displays system version information.
reset ike sa                      Clears IKE SAs.
reset ipsec sa                    Clears IPsec SAs.

Troubleshooting packet forwarding


This section provides troubleshooting information for common problems with packet forwarding.

Packet loss or forwarding failure


Symptom
Packet loss or forwarding failure occurs in the following scenarios:
   • The router with NAT enabled acts as the gateway. An ICMP echo request of 18000 bytes is sent from an internal host to ping an external host.
   • Two routes exist for an internal host to communicate with an external host. An ICMP echo request exceeding 1472 bytes from an internal host is sent to an external host.
   • A firewall is added to the network, and an ICMP echo request exceeding 1472 bytes is sent from an internal host to an external host.

Solution
To resolve the problem:
1. Display the memory usage to verify that there is sufficient memory.
2. Display session statistics to verify that packet loss exists.
3. Verify that the ARP entries on the router are correct.
4. Identify whether the throughput of the interface is too large:
   • If the throughput of the interface is too large, remove the NAT or the firewall configuration.
   • If the throughput of the interface is too small, perform the following steps:
      - Execute the debugging ip packet, debugging nat packet, and debugging nat event commands.
      - Capture the packets on the hosts to check whether packet disorder occurs.
        If packet disorder occurs, configure the IP virtual fragment reassembly on the receiving interface of the router.
5. If the problem persists, contact HP Support.

Related commands
This section lists the commands that you might use for troubleshooting packet forwarding.

Command                           Description
debugging ip packet               Enables IP packet debugging.
debugging nat event               Enables NAT event debugging.
debugging nat packet              Enables NAT packet debugging.
display diagnostic-information    Displays the operating statistics for multiple feature modules in the system.
display interface                 Displays Ethernet interface information.
display ip statistics             Displays IP packet statistics.
display memory                    Displays memory usage.
display nat statistics            Displays NAT statistics.
display session statistics        Displays session statistics.
display version                   Displays system version information.

Troubleshooting packet disorder


This section provides troubleshooting information for packet disorder problems.

CPOS MP link transient interruption or failure


Symptom
A CPOS MP link and its physical interfaces go down and up. The following is a sample output:
%Oct 13 22:29:48:638 2010 GZ-KF-R-6608-02 IFNET/4/LINK UPDOWN:
Serial3/1/0/7:0: link status is DOWN
%Oct 13 22:29:48:639 2010 GZ-KF-R-6608-02 IFNET/4/UPDOWN:
Line protocol on the interface Serial3/1/0/7:0 is DOWN
%Oct 13 22:29:48:746 2010 GZ-KF-R-6608-02 IFNET/4/LINK UPDOWN:
Serial3/1/0/8:0: link status is DOWN
%Oct 13 22:29:48:747 2010 GZ-KF-R-6608-02 IFNET/4/UPDOWN:
Line protocol on the interface Serial3/1/0/8:0 is DOWN
%Oct 13 22:29:48:853 2010 GZ-KF-R-6608-02 IFNET/4/LINK UPDOWN:
Serial3/1/0/9:0: link status is DOWN
%Oct 13 22:29:48:854 2010 GZ-KF-R-6608-02 IFNET/4/UPDOWN:
Line protocol on the interface Serial3/1/0/9:0 is DOWN
%Oct 13 22:29:48:855 2010 GZ-KF-R-6608-02 IFNET/4/LINK UPDOWN:
Mp-group3/0/0: link status is DOWN
%Oct 13 22:29:48:856 2010 GZ-KF-R-6608-02 IFNET/4/UPDOWN:
Line protocol on the interface Mp-group3/0/0 is DOWN
%Oct 13 22:29:48:857 2010 GZ-KF-R-6608-02 IFNET/4/UPDOWN:
Protocol PPP IPCP on the interface Mp-group3/0/0 is DOWN
%Oct 13 22:29:48:864 2010 GZ-KF-R-6608-02 RM/3/RMLOG:
BGP.: 128.32.242.13 State is changed from ESTABLISHED to IDLE.
%Oct 13 22:29:48:962 2010 GZ-KF-R-6608-02 IFNET/4/LINK UPDOWN:
Serial3/1/0/7:0: link status is UP
%Oct 13 22:29:48:963 2010 GZ-KF-R-6608-02 IFNET/4/LINK UPDOWN:
Serial3/1/0/8:0: link status is UP
%Oct 13 22:29:48:963 2010 GZ-KF-R-6608-02 IFNET/4/LINK UPDOWN:
Serial3/1/0/9:0: link status is UP
%Oct 13 22:35:09:670 2010 GZ-KF-R-6608-02 IFNET/4/UPDOWN:
Line protocol on the interface Serial3/1/0/7:0 is UP
%Oct 13 22:35:09:687 2010 GZ-KF-R-6608-02 IFNET/4/LINK UPDOWN:
Mp-group3/0/0: link status is UP
%Oct 13 22:35:09:688 2010 GZ-KF-R-6608-02 IFNET/4/UPDOWN:
Line protocol on the interface Mp-group3/0/0 is UP
%Oct 13 22:35:09:737 2010 GZ-KF-R-6608-02 IFNET/4/UPDOWN:
Protocol PPP IPCP on the interface Mp-group3/0/0 is UP
%Oct 13 22:35:48:653 2010 GZ-KF-R-6608-02 IFNET/4/UPDOWN:
Line protocol on the interface Serial3/1/0/8:0 is UP
%Oct 13 22:35:48:669 2010 GZ-KF-R-6608-02 IFNET/4/UPDOWN:
Line protocol on the interface Serial3/1/0/9:0 is UP

Solution
This symptom can be seen if packet disorder occurs on the MP link and the disordered packets
overflow the reassembly queue on the MP link. To forward subsequent packets, the automatic recovery
function performs new MP negotiation and clears the reassembly queue, resulting in link down and up
events.
To resolve the problem:
1. Contact the provider to examine line quality. If the problem still persists, go to Step 2.
2. Execute the ppp mp soft-binding command to use soft-binding for the MP link.
By default, the MP link uses hard-binding. Soft-binding has lower performance than hard-binding
when large amounts of traffic exist.
3. Execute the ppp mp min-fragment 1500 command to set the minimum MP packet fragmentation
size to 1500 bytes.
4. Execute the shutdown command on all physical interfaces of the MP link.
5. Execute the undo shutdown command on all physical interfaces of the MP link.
6. On the peer device, set the minimum MP packet fragmentation size to 1500 bytes.
7. If the problem persists, contact HP Support.

Troubleshooting NAT
This section provides troubleshooting information for common problems with NAT.

Some services are not available after NAT is enabled

Symptom
Internal users access the external websites through a gateway (the router). The SSL application on the
server specifies that the client IP cannot change. After NAT is enabled on the router, internal users can
only access some websites and some services are not available.

Solution
To resolve the problem:
1. Verify that two or more routers act as the gateways with NAT enabled.
2. Verify that the destination address changes by analyzing captured packets.
3. Use the destination address and routing information to verify that packets from the same source
are forwarded out of multiple interfaces.
If packets are forwarded out of multiple interfaces, NAT selects addresses from different address
pools to perform address translation. The source addresses for the NATed packets are different.
However, the client IP cannot change for the SSL server. Therefore, some services are not
available.
4. Adjust routing configuration to make sure packets from the same source are forwarded out of one
interface.
5. Configure PBR based on source IP address to perform traffic load sharing.
6. If the problem persists, contact HP Support.

NAT fails but the ping operation succeeds


Symptom
The router acts as the gateway of the network. Internal users cannot access the external network, and
external users cannot access the internal server. When you ping the router's output interface from the
external network, the ping operation succeeds.

Solution
To resolve the problem:
1. Verify that the NAT address pool and the IP address of the output interface are in the same
subnet.
If they are not in the same subnet, assign the output interface an IP address in the subnet of the
NAT address pool. Make sure the IP address is not in the address pool.
2. If the problem persists, use one of the following methods to locate the problem:
a. Execute the debugging arp packet command and the debugging ip packet acl command to
enable ARP debugging and IP packet debugging.
b. Use the ping operation to verify that the physical link is correct:
   • Ping the external network from the internal network.
   • Capture the ping packets.
   • If the ping packets cannot be sent out, or they do not have responses, verify that the physical link operates correctly.
3. If the problem persists, contact HP Support.

Internal users cannot always access the external network

Symptom
Two routers act as the gateways for the network. When NO-PAT is configured on output interfaces of
both gateways, internal users cannot always access the external network.

Solution
To resolve the problem:
1. Execute the debugging nat packet command to enable NAT debugging.
When an internal user accesses the external network, the following debugging information is
displayed:
*Nov 27 10:14:35:860 2007 6608_1 DPNAT/7/debug:Slot=2;
(GigabitEthernet2/0/0-out:)Pro : ICMP
( 1.1.1.2: --- - 10.10.10.2: --- ) ------>
( 10.10.10.100: --- - 10.10.10.2: --- )
*Nov 27 10:14:35:860 2007 6608_1 DPNAT/7/debug:Slot=2;
(GigabitEthernet2/0/0-in:)Pro : ICMP
( 10.10.10.2: --- - 10.10.10.100: --- ) ------>
( 10.10.10.2: --- - 1.1.1.2: --- )
The output shows that NAT is performed on GigabitEthernet 2/0/0 of one router. The other
router has no debugging output.
2. Ping the public IP address of the other router from the same internal user to verify that address
translation is not correctly performed. In this example, the public IP address is 20.20.20.2.
The ping operation fails. The following debugging information is displayed:
*Nov 27 10:14:38:822 2007 6608_1 DPNAT/7/debug:Slot=2;
(GigabitEthernet2/2/7-out:)Pro : ICMP
( 1.1.1.2: --- - 20.20.20.2: --- ) ------>
( 10.10.10.100: --- - 20.20.20.2: --- )
On GigabitEthernet 2/2/7, NAT translates the source IP address of the outgoing packets to
10.10.10.100 according to the existing session entry on GigabitEthernet 2/0/0. The interface
receives no replies.
3. Reconfigure NAT on the two gateways by using one of the following methods:
a. Use an ACL in one NO-PAT configuration to specify that a private address can only be
NO-PATed on one NAT interface.
A private address cannot be NO-PATed on multiple interfaces.
b. Configure PAT on both gateways.
c. Configure NO-PAT on one gateway, and PAT on the other gateway.
4. If the problem persists, contact HP Support.
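
The comparison made by hand in steps 1 and 2, as an added example (not HP's code): it parses the DPNAT debug records shown above and reports private addresses translated to the same public address on more than one interface, plus outbound translations that never see a reply. The function names, and the assumption that the debug output of all NAT interfaces is collected into one text, belong to this example.

```python
import re
from collections import defaultdict

# DPNAT debug records copied from steps 1 and 2 above.
SAMPLE = """\
*Nov 27 10:14:35:860 2007 6608_1 DPNAT/7/debug:Slot=2;
(GigabitEthernet2/0/0-out:)Pro : ICMP
( 1.1.1.2: --- - 10.10.10.2: --- ) ------>
( 10.10.10.100: --- - 10.10.10.2: --- )
*Nov 27 10:14:35:860 2007 6608_1 DPNAT/7/debug:Slot=2;
(GigabitEthernet2/0/0-in:)Pro : ICMP
( 10.10.10.2: --- - 10.10.10.100: --- ) ------>
( 10.10.10.2: --- - 1.1.1.2: --- )
*Nov 27 10:14:38:822 2007 6608_1 DPNAT/7/debug:Slot=2;
(GigabitEthernet2/2/7-out:)Pro : ICMP
( 1.1.1.2: --- - 20.20.20.2: --- ) ------>
( 10.10.10.100: --- - 20.20.20.2: --- )
"""

# One address pair as printed in the debug output: "( src: port - dst: port )".
PAIR = r"\(\s*({0}):\s*\S+\s+-\s+({0}):\s*\S+\s*\)".format(r"[\d.]+")
RECORD = re.compile(
    r"\(([^()\s]+)-(out|in):\)Pro\s*:\s*(\w+)\s*" + PAIR + r"\s*-+>\s*" + PAIR)
FIELDS = ("iface", "dir", "proto", "src", "dst", "new_src", "new_dst")

def parse(text):
    """Return one dict per debug record: addresses before and after translation."""
    return [dict(zip(FIELDS, m.groups())) for m in RECORD.finditer(text)]

def analyse(records):
    """Return (multi_iface, unanswered) for the parsed records.

    multi_iface: {(private, public): [interfaces]} for source translations
                 applied on more than one interface.
    unanswered:  [(iface, public, remote)] outbound flows with no inbound reply.
    """
    translated = defaultdict(set)
    replies = set()
    for r in records:
        if r["dir"] == "out" and r["src"] != r["new_src"]:
            translated[(r["src"], r["new_src"])].add(r["iface"])
        elif r["dir"] == "in":
            # Before translation an inbound reply is remote -> public address.
            replies.add((r["iface"], r["dst"], r["src"]))
    multi_iface = {k: sorted(v) for k, v in translated.items() if len(v) > 1}
    unanswered = [(r["iface"], r["new_src"], r["dst"]) for r in records
                  if r["dir"] == "out"
                  and (r["iface"], r["new_src"], r["dst"]) not in replies]
    return multi_iface, unanswered

if __name__ == "__main__":
    multi, lost = analyse(parse(SAMPLE))
    for (private, public), ifaces in multi.items():
        print(f"{private} is NO-PATed to {public} on {', '.join(ifaces)}")
    for iface, public, remote in lost:
        print(f"{iface}: {public} -> {remote} got no reply")
```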

Low network speed, and no buffers for an interface


Symptom
The router acts as the gateway. The network speed is low, and the display interface command output
shows no buffers.

Solution
To resolve the problem:
1. Execute the display current-configuration command and the display version command to verify
the version and device configuration.
2. Verify that the session statistics do not exceed the upper limit:
a. Execute the display session statistics command and the display session table verbose
command to display session statistics and session entries.
b. Execute the display memory command to display memory usage.
3. Execute the display interface command to verify that the traffic rates do not reach the
performance upper limit.
4. Execute the display diagnostic-information command to verify that the device runs correctly.
5. Execute the display session table verbose command to verify that the bandwidth is not occupied
by P2P traffic.
If P2P traffic exists, it occupies a large fraction of the network bandwidth and the other
services are affected.
6. If the problem persists, contact HP Support.

Related commands
This section lists the commands that you might use for troubleshooting NAT.

Command Description

debugging arp packet Enables ARP packet debugging.

debugging ip packet acl Enables debugging for IP packets matching a specific ACL.

debugging nat packet Enables NAT packet debugging.


display current-configuration Displays the running configuration.

display diagnostic-information Displays the operating statistics for multiple feature modules in the system.

display interface Displays interface information.

display memory Displays memory usage.

display session relation Displays relation entries.

display session statistics Displays session statistics.

display session table verbose Displays detailed information about session entries.

display version Displays system version information.

Troubleshooting BAS
This section provides troubleshooting information for common problems with BAS.

L2TP link establishment failure when free IP addresses are available

Symptom
When the router acts as the LNS, some L2TP users obtain IP addresses and come online. However,
subsequent L2TP users fail to come online even though the router still has free IP addresses.

Solution
1. Execute the display l2tp session command to view the number of online users.
2. Display the configuration file to view the number of assignable IP addresses in IP pools.
3. Verify that the number of online users is less than the number of assignable IP addresses.
4. Execute the debugging ppp all command to verify whether address conflicts exist.
The clients that use fixed IP addresses directly perform PPP negotiation with the router. AAA
considers these IP addresses idle and assigns them to other clients. Address conflicts occur
and the following information appears:
PPP Error:
Virtual-Template0:250 IPCP : Ipcp_upcheck: Peer IP address conflicts!
5. Execute the ppp ipcp remote-address forced command on the VT interface and reboot the router.
6. If the problem persists, contact HP Support.
Related commands
This section lists the commands that you might use for troubleshooting BAS.

Command Description

debugging ppp all Enables all PPP debugging.

display diagnostic-information Displays or saves diagnostic information.

display l2tp session Displays L2TP sessions.

Troubleshooting L2TP
This section provides troubleshooting information for common problems with L2TP.

L2TP link establishment failure caused by L2TP attacks

Symptom
L2TP users fail to establish links because L2TP attacks send large numbers of L2TP packets.

Solution
To resolve this problem:
1. Execute the debugging l2tp all command to collect L2TP attack information.
2. Find and eliminate the attack source.
3. Apply a firewall in the inbound direction to filter attack packets.
4. If the problem persists, contact HP Support.

Related commands
This section lists the commands that you might use for troubleshooting L2TP.

Command Description

debugging l2tp all Enables all L2TP debugging.

display diagnostic-information Displays or saves diagnostic information.

display l2tp session Displays L2TP sessions.

display l2tp tunnel Displays L2TP tunnels.


Troubleshooting transceiver modules
This section provides troubleshooting information for transceiver module problems.

Transceiver module information not updated


Symptom
A transceiver module has been replaced, but transceiver module information is not updated.

Solution
To resolve the problem:
1. Remove the transceiver module.
2. Wait at least 5 seconds, and then insert the transceiver module.
The router polls a transceiver module every 5 seconds. It updates transceiver module information
only when it detects a replacement. If you replace a transceiver module within 5 seconds, the
router might not detect the replacement and therefore fails to update transceiver module
information.
3. If the problem persists, contact HP Support.

Troubleshooting device interoperability issues


This section provides troubleshooting information for common problems with device interoperability.

BGP neighbor relationship failure or down


Symptom
The router cannot establish a BGP neighbor relationship with a device from another vendor, or the
neighbor relationship suddenly breaks down.

Solution
To resolve the problem:
1. Check whether the following settings of the local device and those of the peer device are
matched:
• IP address.
• AS configuration and connection type.
• BGP capability.
• Router ID.
If they are not matched, modify the configuration so that they match.
2. Check whether the local device and the peer device support 4-byte AS numbers. Check whether
the message "Receiving unsupported capability 65" is displayed.
If the peer device does not support 4-byte AS numbers, perform one of the following tasks:
a. Upgrade the peer device to a version supporting 4-byte AS numbers.
b. Execute the peer capability-advertise suppress-4-byte-as command on the local device to
enable 4-byte AS number suppression.
3. Verify that keepalive messages are forwarded correctly between the local device and the peer
device.
Execute the debugging bgp keepalive receive verbose command, and check whether keepalive
messages are received within 3 minutes.
• If keepalive messages are received within 3 minutes, verify the following:
   - The keepalive messages are processed.
   - The LPU and the IPC channel for the MPU are operating correctly. For more information,
     see the solution for IPC channels.
• If no keepalive messages are received within 3 minutes, perform troubleshooting on the peer
  device to find the reason why no keepalive messages are sent out.

NOTE:
Some devices from other manufacturers support using update messages to represent keepalive
messages. After sending an update message, the device does not need to send keepalive messages
within a specified period of time. The device considers that a peer is active when it receives update
messages from the peer.

4. If the problem persists, contact HP Support.


When you contact HP Support, provide the following information:
• Network topology.
• System software image version of the local device and the peer device.
• Log information.
• Keepalive, open, and event debugging information.
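
Capability 65 in step 2 is the 4-octet AS number capability (RFC 6793), carried in the capabilities parameter of the BGP OPEN message. This added example (not HP's code) builds and decodes an OPEN to show which capability a peer without 4-byte AS support does not recognise, and models the suppress-4-byte-as command as omitting that capability; the function names, AS numbers, router ID and peer capability set are constructed.

```python
import struct

CAP_4BYTE_AS = 65   # 4-octet AS number capability (RFC 6793)
AS_TRANS = 23456    # 2-byte placeholder AS sent when the real AS needs 4 bytes

def build_open(asn, router_id, hold=180, suppress_4byte=False):
    """Build a BGP OPEN; capability 65 is left out when suppress_4byte is set."""
    if suppress_4byte and asn > 0xFFFF:
        raise ValueError("a 4-byte AS cannot be used with suppression")
    caps = [(2, b"")]                                    # route refresh
    if not suppress_4byte:
        caps.append((CAP_4BYTE_AS, struct.pack("!I", asn)))
    tlvs = b"".join(bytes([code, len(val)]) + val for code, val in caps)
    params = bytes([2, len(tlvs)]) + tlvs                # parameter type 2 = capabilities
    my_as = asn if asn <= 0xFFFF else AS_TRANS
    rid = bytes(int(octet) for octet in router_id.split("."))
    body = struct.pack("!BHH4sB", 4, my_as, hold, rid, len(params)) + params
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 1) + body

def parse_open(msg):
    """Return (my_as, {capability code: value bytes}) from a BGP OPEN message."""
    if len(msg) < 29 or msg[:16] != b"\xff" * 16:
        raise ValueError("not a BGP message")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != 1 or length != len(msg):
        raise ValueError("not a complete OPEN message")
    _ver, my_as, _hold, _rid, opt_len = struct.unpack("!BHH4sB", msg[19:29])
    params, caps, i = msg[29:29 + opt_len], {}, 0
    if len(params) != opt_len:
        raise ValueError("truncated optional parameters")
    while i + 2 <= len(params):
        ptype, plen = params[i], params[i + 1]
        value = params[i + 2:i + 2 + plen]
        if len(value) != plen:
            raise ValueError("truncated optional parameter")
        j = 0
        while ptype == 2 and j + 2 <= plen:              # walk the capability TLVs
            code, clen = value[j], value[j + 1]
            if j + 2 + clen > plen:
                raise ValueError("truncated capability")
            caps[code] = value[j + 2:j + 2 + clen]
            j += 2 + clen
        i += 2 + plen
    return my_as, caps

def unrecognised(msg, peer_supports):
    """Capability codes in the OPEN that the peer does not implement."""
    return sorted(set(parse_open(msg)[1]) - set(peer_supports))

if __name__ == "__main__":
    old_peer = {1, 2}    # constructed: multiprotocol and route refresh only
    print(unrecognised(build_open(65550, "1.1.1.1"), old_peer))
    print(unrecognised(build_open(65001, "1.1.1.1", suppress_4byte=True), old_peer))
```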

OSPF neighbor relationship establishment failure


Symptom
The router cannot establish a neighbor relationship with a non-HP peer device.

Solution
To resolve the problem:
1. Verify that the following configurations on the local and peer devices are consistent:
• Area ID.
• Area type.
• Interface network type.
• Area authentication password.
• Ethernet or NBMA network mask.
Otherwise, the neighbor relationship cannot be established.
You can use the display ospf error command to display OSPF error information for your
reference.
<HP> display ospf error

OSPF Process 1 with Router ID 1.1.1.1

OSPF Packet Error Statistics

0 : OSPF Router ID confusion       0 : OSPF bad packet
0 : OSPF bad version               0 : OSPF bad checksum
0 : OSPF bad area ID               0: OSPF drop on unnumbered interface
0 : OSPF bad virtual link          0 : OSPF bad authentication type
0 : OSPF bad authentication key    0 : OSPF packet too small
0 : OSPF Neighbor state low        0 : OSPF transmit error
0 : OSPF interface down            0 : OSPF unknown neighbor
0 : HELLO: Netmask mismatch        0 : HELLO: Hello timer mismatch
0 : HELLO: Dead timer mismatch     0 : HELLO: Extern option mismatch
0 : HELLO: Neighbor unknown        0 : DD: MTU option mismatch
0 : DD: Unknown LSA type           0 : DD: Extern option mismatch
0 : LS ACK: Bad ack                0 : LS ACK: Unknown LSA type
0 : LS REQ: Empty request          0 : LS REQ: Bad request
0 : LS UPD: LSA checksum bad       0: LS UPD: Received less recent LSA
0 : LS UPD: Unknown LSA type

2. If the problem persists, contact HP Support.


When you contact HP Support, provide the network topology and software versions of the
devices.

OSPF neighbor relationship down


Symptom
The neighbor relationship between the router and a non-HP peer device goes down. The OSPF log
information and OSPF hello packet debugging information show that no hello packets are received
before the dead timer expires.

Solution
To resolve the problem, display OSPF log information and check bad (illegal) packet statistics.
• If no illegal packets are received before the dead timer expires, troubleshoot the peer device.
• If illegal packets are not received before the dead timer expires, perform the following tasks:
a. Execute the debugging ospf packet hello command to confirm that no hello packet is
received.
b. Collect OSPF debugging information and capture packets.
c. Contact HP Support. When you contact HP Support, provide the following information:
   • OSPF log information.
   • OSPF debugging information.
   • OSPF error information.
   • Information about captured packets.

OSPF route calculation error


Symptom
A route calculation error occurs after a neighbor relationship is established.

Solution
To resolve the problem, contact HP Support and provide OSPF LSDB and routing table information.

BFD session flapping


Symptom
When a large amount of traffic exists in the network, the echo mode BFD session on the peer of the
router flaps.

Solution
To resolve the problem:
1. Verify that bursty traffic exceeding port bandwidth exists in the network.
The router assigns high priority to BFD echo packets it sends, and forwards BFD packets from the
peer as common packets. When the link is congested, packet loss might occur, causing BFD
session flapping.
2. View port statistics to verify that a dropped packet count exists for the FIFO queue.
3. Use QoS (PQ or CBQ) on the router to put BFD packets into a high-priority queue for forwarding.
4. If the problem persists, contact HP Support.

An MP bundle has only one physical port in up state

Symptom
On a multi-card MP bundle, only one physical interface is up, and line protocols on other physical
interfaces are flapping.

Solution
1. Execute the ppp mp soft-binding command to use soft-binding for the multi-card MP bundle.
2. If the problem persists, contact HP Support.
When you contact HP Support, provide diagnostic information.

HDLC interoperability failure


Symptom
An interface enabled with HDLC encapsulation cannot interoperate with devices from some other
vendors.

Solution
To resolve the problem:
1. Verify that the two ends can interoperate after being enabled with another link layer protocol (for
example, PPP).
2. Execute the debugging hdlc keepalive command to verify that HDLC is not disabled for failing to
receive keepalive packets.
3. Execute the display interface serial and debugging hdlc all commands and provide the serial
interface statistics and HDLC debugging information to HP Support.

E1 line cannot come up


Symptom
The serial port channelized from an E1 line receives a large number of error packets, and the
physical link and link layer protocol for the interface cannot come up.

Solution
1. Check system logs and console information for error packet prompts.
2. Execute the display interface serial and display controller e1 commands to identify whether there
are a large number of error packets.
3. Execute the display interface serial and display controller e1 commands to identify whether error
packet diffusion restraint is enabled.
By default, the 6600, HSR6600, and HSR6800 routers are enabled with the error packet
diffusion restraint function.
4. Execute the undo error-diffusion restraint enable command to disable error packet diffusion
restraint.
5. Examine the line. If it is a line problem, contact the service provider.
6. If the problem persists, contact HP Support.
When you contact HP Support, provide diagnostic information and log files.

POS interface cannot work correctly


Symptom
The POS interface is in one of the following conditions:
• The POS interface flaps up and down continually.
• The POS interface or its physical link cannot come up.
• The remote end cannot be pinged.

Solution
To resolve the problem:
1. Verify that the clock mode is master on one end and slave on the other.
The default clock mode is slave mode for the POS interfaces on the router.
2. Verify that settings for the following items are the same between the two ends:
• J0 and J1 overhead bytes.
• Framing format.
• Payload scrambling setting.
3. If the problem persists, contact HP Support.
When you contact HP Support, provide POS interface error messages, and the software versions
and configuration files of the two devices.

ATM interoperability failure


Symptom
HP devices and devices of some vendors cannot communicate when using the default configuration.
ATM PVCs cannot be up.
Solution
To resolve the problem:
1. Verify that one clock is the internal transmission clock (master) and the other is the line clock (slave)
of the two ends on the same line.
By default, the clock mode of the POS interface on the 6600/HSR6600/HSR6800 router is slave.
If both ends are in slave mode or master mode, the devices go down and then come up
frequently.
2. Verify that the frame format on the local device is consistent with the peer device.
If the frame format on the local device is not consistent with the peer device, the PVC cannot be
up. For a Cisco device, the atm sonet stm-1 command is used to configure the SDH frame format.
To view the frame format, scrambling status, clock mode, and PVC number, use the show atm
interface atm x/x/x command.
3. Verify that the AAL5 encapsulation type on the local device is consistent with the peer device.
Devices of most vendors use the same AAL5 encapsulation type as HP devices. To implement
communication, make sure the AAL5 encapsulation types of the local and peer devices are
consistent.
4. Verify that the mappings between the local and peer devices have been established, and the
parameters are consistent.
If the mappings have not been established or the parameters are not consistent, the devices
cannot communicate with each other, or multicast packets cannot be forwarded between them.
5. Verify that OAM is not configured on the line that does not support OAM.
The peer device configured with the FR encapsulation type might not support OAMPDUs. The
ATM switch might not support transparent transmission of OAMPDUs. On such a line, do not
configure OAM. Otherwise, the PVC might go down.
6. If the problem persists, contact HP Support.
When you contact HP Support, provide the following information:
• Current configuration, interface information, and PVC information of the interface on the peer
  device.
• Line information of the interface on the peer device (for example, the information obtained by
  using the show atm interface command on a Cisco device).
• Mapping information of the interfaces on the local and peer devices.

Related commands
This section lists the commands that you might use for troubleshooting ATM.

Command Description

debugging bgp keepalive receive verbose Enables debugging for BGP keepalive packets.

debugging hdlc all Enables all types of HDLC debugging.

debugging ospf packet hello Enables debugging for OSPF hello packets.

display atm pvc-info interface atm x/x/x pvc x/x Displays information about a PVC.

display current-configuration Displays the running configuration.


display diagnostic-information Displays or saves running status data for multiple feature modules.

display interface Displays interface information.

display interface atm Displays ATM interface information.

display interface pos Displays POS interface information.

display interface serial Displays serial interface information.

display ospf error Displays OSPF error information.

display ospf lsdb Displays OSPF LSDB information.

display ospf routing Displays OSPF routing table information.

display version Displays system version information.

peer capability-advertise suppress-4-byte-as Enables 4-byte AS number suppression.
