Appendix A describes files for troubleshooting the VPN 3002 and LED indicators on the system. It also describes common errors that might occur while configuring and using the system, and how to correct them.

Files for Troubleshooting

The VPN 3002 Hardware Client creates several files that you can examine and that can assist Cisco support engineers when troubleshooting errors and problems:

Event log.
SAVELOG.TXT—Event log that is automatically saved when the system crashes and when it is rebooted.
CRSHDUMP.TXT—Internal system data file that is written when the system crashes.
CONFIG—Normal configuration file used to boot the system.
CONFIG.BAK—Backup configuration file.

Event Logs

The VPN 3002 records system events in the event log, which is stored in nonvolatile memory (NVRAM). To troubleshoot operational problems, we recommend that you start by examining the event log. To view the event log, see Administration | File Management | View, and click on View Saved Log File. To configure events, and to choose the events you want to view, see Configuration | System | Events and Monitoring | Filterable Event Log.

The VPN 3002 automatically saves the event log to a file in flash memory if it crashes, and when it is rebooted. This log file is named SAVELOG.TXT, and it overwrites any existing file with that name. The SAVELOG.TXT file is useful for debugging. To view SAVELOG.TXT, see Administration | File Management | View, and click on View Saved Log File.

Crash Dump File

If the VPN 3002 crashes during operation, it saves internal system data in nonvolatile memory (NVRAM), and then automatically writes this data to a CRSHDUMP.TXT file in flash memory when it is rebooted. This file contains the crash date and time, software version, tasks, stack, registers, memory, buffers, and timers which help Cisco support engineers diagnose the problem. In case of a crash, we ask that you send this file when you contact TAC for assistance. To view the CRSHDUMP.TXT file, see Administration | File Management | View, and click on View Saved Log Crash Dump File.

Configuration Files

The VPN 3002 saves the current boot configuration file (CONFIG) and its predecessor (CONFIG.BAK) as files in flash memory. These files may be useful for troubleshooting. See Administration | File Management for information on managing files in flash memory.

LED Indicators

LED indicators on the VPN 3002 are normally green or flashing amber. LEDs that are solid amber or off may indicate an error condition.

Contact Cisco TAC if any LED indicates an error condition.

VPN 3002 Front LEDs

The LEDs on the front of the VPN 3002 are:

LED	Status	Explanation
PWR	Green	Unit is on and has power.
	Off	Unit is powered off.
SYS	Flashing amber	Unit is performing diagnostics.
	Solid amber	Unit has failed diagnostics.
	Flashing green	Unit is negotiating DHCP or PPPoE.
	Green	Unit is operational.
VPN	Off	No VPN tunnel exists.
	Amber	Tunnel has failed.
	Green	Tunnel is established.

VPN 3002 Rear LEDs

The LEDs on the rear of the VPN 3002 indicate the status of the private and public interfaces.

LED	Explanation
Green	Interface is connected to the network.
OFF	Interface is not connected to the network.
Flashing amber	Traffic is traveling across the interface.

System Errors

If you have configured the VPN 3002, and you are unable to connect to or pass data to the central-site VPN Concentrator, use Table B-1 to analyze the problem. Also, use the following section of this appendix to check the settings on the VPN Concentrator to which this VPN 3002 connects.

Table B-1: Analyzing System Errors

Problem or Symptom	Possible Solution
Tunnel is not up or not passing data.
PWR LED is off.	Make sure that the power cable is plugged into the VPN 3002 and a power outlet.
SYS LED is solid amber.	Unit has failed diagnostics. Contact Cisco Support immediately.
You see this LED display: PWR = green SYS LED = green VPN LED = off.	1. Verify that the VPN Concentrator to which this VPN 3002 connects is running version 3.0 software. 2. Navigate to Monitoring > System Status. Click on Connect Now.
Connect Now did not bring up the tunnel, and the public interface LED (rear of unit) is off.	1. Check that a LAN cable is properly attached to the public interface of the VPN 3002. 2. Make sure the IP address for the public interface is properly configured.
Public interface LED is on, but attempting to ping the default gateway (Administration > Ping) yields no response.	1. Make sure the default gateway is properly configured. 2. Contact your ISP.
VPN LED is solid amber (tunnel failed to establish to central-site VPN Concentrator).	1. Make sure the IPSec parameters are properly configured. Verify: Public IP Address of the IKE peer (central-site VPN Concentrator) is correct. Group name and password are correct. User name and password are correct. 2. Make sure the group and user names and passwords match those set for the VPN 3002 on the central-site VPN Concentrator. 3. After you make any changes, navigate to Monitoring > System Status and click on Connect Now. 4. Study the event log files. To capture more events, and to interpret events, see Chapter 9, "Events," in the VPN 3002 Hardware Client User Reference.
My PC cannot communicate with the remote network.	1. Verify that the VPN Concentrator to which this VPN 3002 connects is running version 3.0 software. 2. Navigate to Monitoring > System Status and click on Connect Now.
Connect Now worked.
LED(s) for the private interface/switch port are off.	Make sure that a LAN cable is properly attached to the private interface of the VPN 3002 and the PC.
LED(s) for the private interface/switch port are on.	1. Is this PC configured as a DHCP client? If so, verify that the DHCP server on the VPN 3002 is enabled. 2. With any method of address assignment, verify that the PC has an IP address and subnet mask.
Attempting to ping the default gateway (Administration > Ping) yields no response.	1. Make sure your PC has an appropriate IP address, reachable on this network. 2. Contact your network administrator.

Settings on the VPN Concentrator

If your VPN 3002 experiences connectivity problems, check the configuration of the VPN Concentrator.

Step 1 Configure the connection as a Client, not LAN-to-LAN.

Step 2 Assign this VPN 3002 to a group. Configure group and user names and passwords. These must match the group and user names and passwords that you set on the VPN 3002. Refer to Chapter 14, "User Management," in the VPN 3000 Series Concentrator Reference Volume I.

Step 3 If the VPN 3002 uses PAT mode, enable a method of address assignment for the VPN 3002: DHCP, address pools, per user, or client specified. Refer to Chapter 6, "Address Management," in the VPN 3000 Series Concentrator Reference Volume I.

Step 4 If you are using Network Extension mode, configure a default gateway or a static route to the private network of the VPN 3002. Refer to Chapter 8, "IP Routing," in the VPN 3000 Series Concentrator Reference Volume I.

Step 5 Check the Event log. Refer to Chapter 10, "Events," in the VPN 3000 Series Concentrator Reference Volume I.

VPN 3002 Hardware Client Manager Errors

The following sections describe errors that might occur while using the HTML-based VPN 3002 Hardware Client Manager with a browser.

Invalid Login or Session Timeout

The Manager displays the Invalid Login or Session Timeout screen (see Figure B-1).

Figure B-1: Invalid Login or Session Timeout Screen

Table B-2: Invalid Login or Session Timeout Screen

Problem	Possible Cause	Solution
You entered an invalid administrator login-name and password combination	Typing error. Invalid (unrecognized) login name or password.	Reenter the login name and password, and click on Login. Use a valid login name and password. Verify your typing before clicking on Login.
The Manager session has been idle longer than the configured timeout interval. (The default timeout interval is 600 seconds, which equals 10 minutes).	No activity has occurred for (interval) seconds. The Manager resets the inactivity time only when you click on an action button such as Apply, Add, or Cancel, or a link on a screen that invokes a different screen. Entering values or setting parameters on a given screen does not reset the timer. The timeout interval is set too low for normal use.	On the Administration \| Access Rights \| Access Settings screen, change the Session Timeout interval to a larger value and click on Apply.

Manager Logs Out

The Manager unexpectedly logs out.

Table B-3: Browser Refresh or Reload Button Logs Out the Manager.

Problem	Possible Cause	Solution
You clicked on the Refresh or Reload button on the browser navigation toolbar, and the Manager logged out. The main login screen displays.	To protect access security, clicking on Refresh or Reload on the browser toolbar automatically logs out the Manager session.	Do not use the browser navigation toolbar buttons with the VPN 3002 Hardware Client Manager. Use only the Manager Refresh button where it appears on a screen. We recommend that you hide the browser navigation toolbar to prevent mistakes.

Problem

Possible Cause

Solution

You clicked on the Refresh or Reload button on the browser navigation toolbar, and the Manager logged out. The main login screen displays.

To protect access security, clicking on Refresh or Reload on the browser toolbar automatically logs out the Manager session.

Do not use the browser navigation toolbar buttons with the VPN 3002 Hardware Client Manager.

Use only the Manager Refresh button where it appears on a screen.

We recommend that you hide the browser navigation toolbar to prevent mistakes.

Incorrect Display

The Manager displays an incorrect screen or data when you click on the browser back or forward button.

Table B-4: Browser Back or Forward Button Displays an Incorrect Screen or Incorrect Data

Problem	Possible Cause	Solution
You clicked on the Back or Forward button on the browser navigation toolbar, and the Manager displayed the wrong screen or incorrect data.	To protect security and the integrity of data entries, clicking on Back or Forward on the browser toolbar deletes pointers and values within the Manager.	Do not use the browser navigation toolbar buttons with the VPN 3002 Hardware Client Manager. Navigate using the location bar at the top of the Manager window, the table of contents in the left frame, or links on Manager screens. We recommend that you hide the browser navigation toolbar to prevent mistakes.

Problem

Possible Cause

Solution

You clicked on the Back or Forward button on the browser navigation toolbar, and the Manager displayed the wrong screen or incorrect data.

To protect security and the integrity of data entries, clicking on Back or Forward on the browser toolbar deletes pointers and values within the Manager.

Do not use the browser navigation toolbar buttons with the VPN 3002 Hardware Client Manager.

Navigate using the location bar at the top of the Manager window, the table of contents in the left frame, or links on Manager screens.

We recommend that you hide the browser navigation toolbar to prevent mistakes.

Error Message

The Manager displays a screen with the message: "Error/An error has occurred while attempting to perform the operation." An additional error message describes the erroneous operation (see Figure B-2).

Figure B-2: Error Screen

Table B-5: Error Message Displays

Problem	Possible cause	Solution
You tried to perform some operation that is not allowed.	The screen displays a message that describes the cause.	Click on Retry the operation to return to the screen where you were working and correct the mistake. Carefully check all your previous entries on that screen. The Manager attempts to retain valid entries, but invalid entries are lost. Click on Go to main menu to go to the main Manager screen.

Not Allowed Message

The Manager displays a screen with the message: "Not Allowed / You do not have sufficient authorization to access the specified page." (see Figure B-3).

Figure B-3: Not Allowed Screen

Table B-6: Not Allowed Message Displays

Problem	Possible cause	Solution
You tried to access an area of the Manager that you do not have authorization to access.	You logged in using an administrator login name that has limited privileges. You logged in from a workstation that has limited access privileges.	Log in using the system administrator login name and password. (Defaults are admin / admin.) Log in from a workstation with greater access privileges. Have the system administrator change your privileges on the Administration \| Access Rights \| Administrators screen. Have the system administrator change the privileges of your workstation on the Administration \| Access Rights \| Access Control List screen.

Not Found

The Manager displays a screen with the message: "Not Found/An error has occurred while attempting to access the specified page." The screen includes additional information that identifies system activity and parameters.

Figure B-4: Not Found Screen

Table B-7: Not Found Message Displays

Problem	Possible cause	Solution
The Manager could not find a screen.	You updated the software image and did not clear the browser's cache.	Clear the browser's cache: delete its temporary internet files, history files, and location bar references. Then try again.
	There is an internal Manager error.	Please note the system information on the screen and contact Cisco support personnel for assistance.

Microsoft Internet Explorer Script Error: No such interface supported

Microsoft Internet Explorer displays a Script Error dialog box that includes the error message: No such interface supported.

Table B-8: Microsoft Internet Explorer Script Error

Problem	Possible cause	Solution
While using a Manager function that opens another browser window (such as Save Needed, Help, Software Update, etc.), Internet Explorer cannot open the window and displays the error dialog box.	A bug in the Internet Explorer JavaScript interpreter.	1. Click on No on the error dialog box. 2. Log out of the Manager. 3. Close Internet Explorer. 4. Reinstall Internet Explorer.

Command-line Interface Errors

These errors may occur while using the menu-based command-line interface from a console or Telnet session.

Table B-9: Command-Line Interface Errors

Error	Problem	Possible Cause	Solution
ERROR:-- Bad IP Address/Subnet Mask/Wildcard Mask/Area ID	The system expected a valid 4-byte dotted decimal entry, and the entry was not in that format.	You entered something other than a 4-byte dotted decimal number. You might have omitted a byte position, or entered a number greater than 255 in a byte position. You entered 0.0.0.0 instead of an appropriate address.	At the prompt, reenter a valid 4-byte dotted decimal number.
ERROR:-- Out of Range value entered. Try again.	The system expected a number within a certain range, and the entry was outside that range.	You entered a letter instead of a number. You entered a number greater than the possible menu numbers.	At the prompt, reenter a number in the appropriate range.
ERROR:-- The Passwords do not match. Please try again.	The entry for a password and the entry to verify the password do not match.	You mistyped an entry. You entered either a password or verify entry, but not the other.	At the Verify prompt, reenter the password. If the original password is incorrect, press Enter and reenter both the password and the verification at the prompts.

Table of Contents