Note: For correct evaluation of error messages for VPN connections, at least
LCOS version 3.22 must be installed on both LANCOM devices.
A VPN connection is always either an outgoing or an incoming connection. To make searching for the error faster and more efficient, the error messages are different for the initiator and the responder. The initiator is the remote device which initiates the connection. The responder is the device which receives the connection. After the error message is read out, look in the appropriate menu item on the corresponding remote.
Example:
For the error message 'IKE or IPSec establishment timeout (Initiator)', no direct error can be determined. The responder, however, has determined an error like 'No proposal matched (Responder, IPSec)', which it send to an SNMP client (LANmonitor) using an SNMP trap. Using this error message, the corresponding parameter in the configuration can be checked and changed if necessary. Thus is it always necessary to verify the error messages on both sides.
| Message | Initiator | Responder | |
|---|---|---|---|
| License exceeded - no more VPN tunnels available (Responder, IKE) | x | x | The maximum number of possible VPN channels has been reached. |
| No route to remote gateway | x | x | The router to the remote gateway could not be found. Please check the public IP address or the DynDNS name of the remote device. |
| Dynamic VPN - no PPP table entry matched | x | In dynamic VPN, the outgoing call could not be authenticated with the PPP data sent. Please check the PPP username and PPP password on both sides under "Configure --> Communication --> Protocols --> PPP list --> Remote site". | |
| Dynamic VPN - no PPP table entry matched | x | The incoming call cannot be authenticated with the PPP data received. Please check the PPP username and PPP password on both sides under "Configure --> Communication --> Protocols --> PPP list --> Remote site". | |
| IKE or IPSec establishment timeout | x | x | A time limit was reached. The router on the remote side is no longer responding. Please check the VPN error message in the LANmonitor on the remote device. |
| Line polling to remote gateway failed | The LCP polling failed. Please check on the remote device whether ping blocking is enabled in the firewall menu under "Configure --> Firewall --> General --> Ping blocking" | ||
| No entry in polling table and keep alive in configured | The holding time of the VPN tunnel under "Configure --> VPN --> Connection list --> Names" is set to Short hold (9999 sec.). However, the required ICMP polling is missing. Please add them under "Configure --> Communication --> Remote Sites --> Polling Table". As remote site, enter the VPN remote device, for the IP address enter an IP address from the LAN at the remote site. | ||
| Dynamic VPN - predefined charge limit exceeded | x | The fee limit under "Configure --> Costs --> Fees - Limit (ISDN)" was reached. Please reboot the device. | |
| Dynamic VPN - preset time limit exceeded | x | The time limit under "Configure --> Costs --> Time limit (ISDN)" was reached. Please reboot the device. | |
| Dynamic VPN - no ISDN call number for negotiator channel | x | The ISDN call number for the remote device for dynamic VPN is missing. Please enter the call number under "Configure --> Communication --> Remote sites --> Name list (ISDN) --> Name". | |
| Dynamic VPN - Multiple connections on ISDN interface for negotiator channel not allowed | While establishing multiple ISDN connections, a limit was reached. Please check under "Configure --> Management --> Interfaces --> Interface Settings --> ISDN --> Max. outgoing calls". | ||
| Predefined charging limit exceeded | x | The fee limit under "Configure --> Management --> Costs --> Charge limit (ISDN)" was reached. Indicated by a synchronized blinking of the Power LED. | |
| Predefined time limit exceeded | x | The time limit under "Configure --> Management --> Costs --> Time Limit (ISDN)" was reached. Indicated by a synchronized blinking of the Power LED. | |
| No IP address for PPTP server | x | The IP address of the PPTP selected has not been entered. Enter the IP address under "Configure --> Communication --> Protocols --> PPTP list". Also see . | |
| Exchange type mismatch (Main or Aggressive mode) | x (IKE) | The exchange type does not match that of the remote device. Please check the value under "Configure --> VPN --> Connection list --> Edit VPN remote site entry --> IKE Exchange" | |
| No proposal matched | x (IKE) | The IKE proposals do not match. -- > Check VPN rules | |
| No proposal matched | x (IKE) | The IKE proposals do not match. -- > Check VPN rules | |
| IKE group mismatch | x (IKE) | Please check the IKE groups on both sides under "Configure --> VPN --> Connection parameters --> VPN remote site identification --> IKE Group" | |
| Life type unsupported (other than Kbytes or seconds?) | x (IKE) | The value for the lifetime is not supported. Please use a life type in "sec = seconds" or "kb = kilobytes". Check this entry under "Configure --> VPN --> Parameters --> Lifetime" | |
| Lifetime mismatched | x (IKE) | The lifetime specified does not match that of the remote device. Check this entry under "Configure --> VPN --> Parameters --> Lifetime" | |
| ID type value unsupported (other than IP network, domain, or email) | x (IKE) | False entry of identity. Please correct your entry under "Configure --> VPN --> IKE --> IKE key" | |
| ID type mismatch (e.g. IP network, domain, or email) | x (IKE) | The two sites are using different identities. Compare the identification at both sites under "Configure --> VPN --> IKE --> IKE key" | |
| No rule matched ID - unknown connection or wrong ID (e.g. remote gateway definition) | x (IKE) | The incoming VPN connection could not be assigned to a remote device. | |
| IKE key mismatch | x (IKE) | Please compare the preshared keys under "Configure --> VPN --> IKE --> IKE key" | |
| IKE key mismatch | x (IKE) | Please compare the preshared keys under "Configure --> VPN --> IKE --> IKE key" | |
| Out of memory | x (IKE) | The number of VPN connections has overloaded the device's memory. To maintain the stability of the device, no further VPN connections should be established. | |
| Out of memory | x (IKE) | The number of VPN connections has overloaded the device's memory. To maintain the stability of the device, no further VPN connections should be established. | |
| No rule matched IDs - unknown connection or wrong ID (e.g. IP network definition) | x (IKE) | The incoming VPN connection could not be assigned to a remote device. Please check the following parameters: ID type does not match (see this document), incorrect network definition, VPN rules do not match (see VPN RULES). | |
| No proposal matched | x (IPsec) | x (IPsec) | The devices cannot agree on a matching proposal. Please check the settings under "Configure --> VPN --> IKE --> IKE Proposals" and under "Configure --> VPN --> IPSec parameters --> IPSec proposal lists". |
| IPSec PFS group mismatch | Please check the PFS (Perfect Forward Sequence) under "Configure --> VPN --> Connection parameters --> VPN remote identification --> PFS Group" |