Black Box ET0010A User Manual

ETPM and ETKMS Troubleshooting
248
EncrypTight User Guide
To fix these issues, redeploy your policies from ETPM to make sure that your PEPs have current policies and keys.
Cannot Add a Network Set to a Policy
Non-contiguous subnet masks are supported on ETEP PEPs version 1.4 and later. When you use non-contiguous network masks, the network set must include a PEP that supports the feature. In addition, all network sets in a policy must include supporting PEPs. ETPM prevents you from dragging non-supporting elements into a network set or policy when non-contiguous network masks are in use.
Packet Fragments are Discarded in Point-to-Point Port-based Policies 
Packet fragments are incorrectly discarded in point-to-point port-based policies when packets exceed the PMTU and are therefore fragmented and reassembled. This occurs only when the ETEP Encryption Policy Setting is configured as Layer 3:IP (ETEMS Features tab), and any of the following conditions are met:
When the ETPM policy type is Bypass, the ETEP discards packet fragments in Layer 3 and Layer 4 policies.
When the ETPM policy type is IPSec, the ETEP discards Layer 3 packet fragments.
When the ETPM policy type is IPSec, the ETEP discards Layer 4 packet fragments when the Reassembly mode is set to Gateway.
Workarounds:
Create a point-to-point policy that is not port-based. In the ETPM policy editor, select "Any port" as the Source Port and Destination Port in the Network Set Point A and Network Set Point B areas.
If you require a port-based policy, increase the PMTU on the ETEPs to avoid packet fragmentation.
Solving Network Connectivity Problems
If traffic is not being passed and it is not due to policy priority errors, you might have problems with network connectivity, which can prevent new keys from being distributed to the PEPs before the old keys expire.
To avoid this, for each of your primary policies, create a secondary policy that targets the same traffic and set the Renew keys/Refresh lifetime to zero (0). The zero value ensures that the keys never expire. Assign this policy a lower priority than the primary policy. If the keys for the primary policy on the PEP expire before new keys arrive, the secondary policy takes effect. Traffic continues to flow and stays secure until the connectivity issues are resolved and the PEPs receive new keys for the primary policy.
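The fallback described above, modelled as an added example (not EncrypTight code): a PEP is assumed to apply the highest-priority policy whose keys are still valid, a lifetime of 0 means keys never expire, and higher priority numbers are assumed to win. It shows that without the secondary policy the traffic has no usable keys once the primary keys expire, and that the primary policy resumes as soon as fresh keys arrive.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Policy:
    name: str
    priority: int       # assumption: higher number = higher precedence on the PEP
    key_lifetime: int   # Renew keys/Refresh lifetime; 0 = keys never expire
    key_issued_at: int  # time the PEP last received keys for this policy

    def keys_valid(self, now: int) -> bool:
        """Lifetime 0 is the secondary-policy workaround: keys never expire."""
        if self.key_lifetime == 0:
            return True
        return now < self.key_issued_at + self.key_lifetime


def active_policy(policies: List[Policy], now: int) -> Optional[Policy]:
    """Highest-priority policy with valid keys; None models the outage
    (matching traffic has no usable keys on the PEP)."""
    valid = [p for p in policies if p.keys_valid(now)]
    return max(valid, key=lambda p: p.priority) if valid else None


def timeline(policies: List[Policy], times: List[int]) -> List[Optional[str]]:
    """Name of the policy in effect at each sample time (None = traffic blocked)."""
    return [p.name if p else None
            for p in (active_policy(policies, t) for t in times)]


def demo() -> dict:
    # Constructed scenario: primary keys issued at t=0 with a 3600 s lifetime,
    # and connectivity to the key server is lost so no renewal arrives.
    primary = Policy("primary", priority=10, key_lifetime=3600, key_issued_at=0)
    secondary = Policy("secondary", priority=5, key_lifetime=0, key_issued_at=0)
    times = [1800, 3600, 5400]
    result = {
        "without_fallback": timeline([primary], times),
        "with_fallback": timeline([primary, secondary], times),
    }
    # Connectivity restored: new primary keys arrive at t=5400.
    primary.key_issued_at = 5400
    result["after_renewal"] = timeline([primary, secondary], [5401, 9000])
    return result


if __name__ == "__main__":
    print(demo())
```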
When you have a connectivity problem, start ETPM and click Refresh Status. If the status shown in the Policy View returns a non-error indicator, the interruption may have been temporary. In this case, you can re-establish the keys by clicking Renew Keys from the ETPM.
When you have a network connectivity problem and a PEP status indicator returns an error, you can locate the affected communication link by checking log files.