Check that the unit is on
Check that the unit is on
Check that the unit is on
In some of my previous posts, I’ve discussed “flash code diagnostics” and the fact that these should be used as a “guide” to finding out where the problem is located. To make these flash codes more understandable in our commercial equipment — below is an explanation of each flash code. Hopefully this will help guide you to understanding what each code means and assist you in making proper diagnostics. Remember — the flash code is not telling you want is wrong but is looking at symptoms. You still need to make the diagnostic based of the flash code.
Simplicity Fault Codes and Set up
NOTE: An LED that is not lit may be an indication that the board is not energized. This could be due to no power or a shut down circuit.
When the compressor is off in this mode, the control displays a FC2, indicating an active anti-short cycle timer
LAST ERROR – When this button is pressed and released one time within five seconds, it will flash the last five flash codes on the board’s LED. The most recent alarm will be shown first and the oldest alarm will be shown last.
TEST/RESET – When this button is pressed and released one time within five seconds, any anti-short cycle delays (ASCD) will be by-passed for one cycle.
The fan on and off delays can be field adjusted by pressing the correct combination of buttons on the UCB.
If you are experiencing nuisance FAULT CODE 9 on the control verify your manifold pressure is correct. Verify your temperature rise. Default fan OFF AND ON settings in the board are 30 SECOND ON and 60 SECONDS OFF. This can be changed by using the board buttons as described below to allow the fan to run longer at the end of a heating cycle
Hopefully this little guide will assist you when working on our products and give you the proper direction so you do not unnecessarily condemn boards.
check unit
1 check unit
2 check unit
3 helium purity check unit
4 power supply and check unit
5 unit
as a unit — 1) в сборе 2) как единая сборочная единица; как единый узел
unit under test — 1) объект контроля 2) объект диагностирования, объект технического диагностирования
6 check circuit
7 unit digit
check-sum digit — цифра контрольной суммы; контрольная цифра
augend digit — цифра первого слагаемого; цифра первого числа
addend digit — цифра второго слагаемого; цифра второго числа
high-order digit — цифра старшего разряда; старший разряд
8 check leak unit
9 check the unit for security of mounting
10 check leak unit
11 terminal unit check valve
запорный клапан терминала
Клапан, допускающий движение газа в обоих направлениях вследствие введения в него соответствующего наконечника.
[ ГОСТ Р 52423-2005]
Тематики
12 electrically controllable switchgear unit
Параллельные тексты EN-RU
Commands issued to electrically controllable switchgear units within the bay are only enabled after a check of the interlock conditions has been carried out.
[Schneider Electric]
Тематики
13 bad unit error
systematic error — постоянная ошибка; систематическая ошибка
reasonable error — допустимая ошибка; допустимая погрешность
14 parity check during punching in paper tape
15 governor control unit check
16 logic unit quick reference voltage check
17 terminal unit check valve
18 raise
горн. восстающая выработка;
to make a raise раздобыть, получить взаймы raise будить;
воскрешать;
to raise from the dead воскресить из мертвых
воздвигать (здание и т. п.)
текст. ворсовать, начесывать
горн. восстающая выработка;
to make a raise раздобыть, получить взаймы
вызывать (смех, сомнение, тревогу)
выращивать (растения) ;
разводить (птицу, скот) ;
растить, воспитывать (детей)
горн. добывать, выдавать на-гора;
to raise hell, амер. to raise a big smoke sl. поднять шум, начать буянить, скандалить
запеть, начать (песню) ;
издать (крик)
повышать (в звании, должности) ;
to raise a man to the peerage пожаловать (кому-л.) титул пэра
повышать (в звании, должности)
повышение, поднятие;
увеличение
поднимать (на защиту и т. п.)
поднимать;
to raise one’s glass to (smb.’s) health пить( за чье-л. здоровье) ;
to raise anchor сниматься с якоря
прибавка к заработной плате
собирать (налоги и т. п.) ;
to raise money добывать деньги;
to raise troops набирать войска;
to raise a unit воен. сформировать часть
ставить, поднимать (вопрос) ;
to raise a question поставить вопрос;
to raise objections выдвигать возражения;
to raise a claim предъявить претензию
ставить, поднимать (вопрос)
горн. добывать, выдавать на-гора;
to raise hell, амер. to raise a big smoke sl. поднять шум, начать буянить, скандалить to
a check амер. подделать чек;
to raise a ghost вызвать духа to
a check амер. подделать чек;
to raise a ghost вызвать духа
повышать (в звании, должности) ;
to raise a man to the peerage пожаловать (кому-л.) титул пэра
ставить, поднимать (вопрос) ;
to raise a question поставить вопрос;
to raise objections выдвигать возражения;
to raise a claim предъявить претензию
собирать (налоги и т. п.) ;
to raise money добывать деньги;
to raise troops набирать войска;
to raise a unit воен. сформировать часть
поднимать;
to raise one’s glass to (smb.’s) health пить (за чье-л. здоровье) ;
to raise anchor сниматься с якоря raise будить;
воскрешать;
to raise from the dead воскресить из мертвых
горн. добывать, выдавать на-гора;
to raise hell, амер. to raise a big smoke sl. поднять шум, начать буянить, скандалить
ставить, поднимать (вопрос) ;
to raise a question поставить вопрос;
to raise objections выдвигать возражения;
to raise a claim предъявить претензию
поднимать;
to raise one’s glass to (smb.’s) health пить (за чье-л. здоровье) ;
to raise anchor сниматься с якоря to
pastry (или dough) ставить тесто на дрожжах;
to raise the eyebrows (удивленно) поднимать брови
собирать (налоги и т. п.) ;
to raise money добывать деньги;
to raise troops набирать войска;
to raise a unit воен. сформировать часть
Troubleshooting IPSEC
This section contains tips to help you with some common challenges of IPsec VPNs.
A VPN connection has multiple stages that can be confirmed to ensure the connection is working properly. It is easiest to see if the final stage is successful first since if it is successful the other stages will be working properly. Otherwise, you will need to work back through the stages to see where the problem is located.
When a VPN connection is properly established, traffic will flow from one end to the other as if both ends were physically in the same place. If you can determine the connection is working properly then any problems are likely problems with your applications.
On some FortiGate units, such as the FortiGate 94D, you cannot ping over the IPsec tunnel without first setting a source-IP. In this scenario, you must assign an IP address to the virtual IPsec VPN interface. Anything sourced from the FortiGate going over the VPN will use this IP address.
If the egress/outgoing interface (determined by kernel route) has an IP address, then use the IP address of the egress/outgoing interface. Otherwise, use the IP address of the first interface from the interface list (that has an IP address).
The first diagnostic command worth running, in any IPsec VPN troubleshooting situation, is the following: diagnose vpn tunnel list
This command is very useful for gathering statistical data such as the number of packets encrypted versus decrypted, the number of bytes sent versus received, the SPI identifier, etc. This kind of information in the resulting output can make all the difference in determining the issue with the VPN.
Another appropriate diagnostic command worth trying is: diagnose debug flow
This command will inform you of any lack of firewall policy, lack of forwarding route, and of policy ordering issues.
Common IPsec VPN problems
The most common IPsec VPN issues are listed below. Please read thoroughly and note that, although the list is extensive, it is not exhaustive.
This section includes support for the following:
l Failed VPN connection attempts l Debug output table l The options to configure policy-based IPsec VPN are unavailable l The VPN tunnel goes down frequently l The pre-shared key does not match (PSK mismatch error) l The SA proposals do not match (SA proposal mismatch) l Pre-existing IPsec VPN tunnels need to be cleared l Other potential VPN issues
Failed VPN connection attempts
If your VPN fails to connect, check the following:
If you are still unable to connect to the VPN tunnel, run the following diagnostic command in the CLI:
The resulting output may indicate where the problem is occurring. When you are finished, disable the diagnostics by using the following command:
diagnose debug reset diagnose debug disable
View the table below for some assistance in analyzing the debug output.
Debug output table
| Problem | Debug output | Common causes | Common solutions |
| Tunnel is not coming up | Error: negotiation failure | IPsec configuration mismatch | Check phase 1 and 2 settings |
| Error: no SA proposal chosen | IPsec configuration mismatch | Check phase 1 and 2 settings | |
| FortiGate using the wrong |
VPN
aggressive mode and different
local IDs
Common IPsec VPN problems
| Problem | Debug output | Common causes | Common solutions | |||||
| Tunnel is up but traffic does not go through | Error: No matching IPsec selector, drop | Quick mode selector mismatch | Fix the quick mode selector | |||||
| NAT is enabled | Disable NAT in the firewall policy | |||||||
| Traffic is not routed to the tunnel | Route or firewall policy misconfiguration | Route-based: traffic must be routed to IPsec virtual interface Policy-based: traffic must match a firewall policy with action set to The options to configure policy-based IPsec VPN are unavailable Go to System > Feature Visibility. Select Show More and turn on Policy-based IPsec VPN. The VPN tunnel goes down frequentlyIf your VPN tunnel goes down often, check the Phase 2 settings and either increase the Keylife value or enable Autokey Keep Alive. The pre-shared key does not match (PSK mismatch error)It is possible to identify a PSK mismatch using the following combination of CLI commands: diag vpn ike log filter name This will provide you with clues as to any PSK or other proposal issues. If it is a PSK mismatch, you should see something similar to the following output: ike 0:TRX:322: PSK auth failed: probable pre-shared key mismatch ike Negotiate SA Error: The SA proposals do not match (SA proposal mismatch)The resulting output should include something similar to the following, where blue represents the remote VPN device, and green represents the local FortiGate. responder received SA_INIT msg incoming proposal: protocol = IKEv2: encapsulation = IKEv2/none type=ENCR, val=AES_CBC (key_len = 256) Common IPsec VPN problems type=INTEGR, val=AUTH_HMAC_SHA_96 type=PRF, val=PRF_HMAC_SHA type=DH_GROUP, val=1536. protocol = IKEv2: encapsulation = IKEv2/none type=ENCR, val=3DES_CBC type=INTEGR, val=AUTH_HMAC_SHA_2_256_128 type=PRF, val=PRF_HMAC_SHA2_256 type=DH_GROUP, val=1536. protocol = IKEv2: encapsulation = IKEv2/none type=ENCR, val=AES_CBC (key_len = 128) type=INTEGR, val=AUTH_HMAC_SHA_96 type=PRF, val=PRF_HMAC_SHA type=DH_GROUP, val=1536. Pre-existing IPsec VPN tunnels need to be clearedShould you need to clear an IKE gateway, use the following commands: diagnose vpn ike restart diagnose vpn ike gateway clear Other potential VPN issuesvpn tunnel list command to troubleshoot this. Troubleshooting connection issues Troubleshooting connection issuesThe following section includes troubleshooting suggestions related to: l LAN interface connection l Dialup connection l Troubleshooting VPN connections l Troubleshooting invalid ESP packets using Wireshark l Attempting hardware offloading beyond SHA1 l Check Phase 1 proposal settings l Check your routing l Try enabling XAuth LAN interface connectionTo confirm whether a VPN connection over LAN interfaces has been configured correctly, issue a ping or traceroute command on the network behind the FortiGate unit to test the connection to a computer on the remote network. If the connection is properly configured, a VPN tunnel will be established automatically when the first data packet destined for the remote network is intercepted by the FortiGate unit. If the ping or traceroute fail, it indicates a connection problem between the two ends of the tunnel. This may or may not indicate problems with the VPN tunnel. You can confirm this by going to Monitor > IPsec Monitor where you will be able to see your connection. A green arrow means the tunnel is up and currently processing traffic. A red arrow means the tunnel is not processing traffic, and this VPN connection has a problem. If the connection has problems, see Troubleshooting VPN connections on page 227. Dialup connectionA dialup VPN connection has additional steps. To confirm that a VPN between a local network and a dialup client has been configured correctly, at the dialup client, issue a ping command to test the connection to the local network. The VPN tunnel initializes when the dialup client attempts to connect. If the ping or traceroute fail, it indicates a connection problem between the two ends of the tunnel. This may or may not indicate problems with the VPN tunnel, or dialup client. As with the LAN connection, confirm the VPN tunnel is established by checking Monitor > IPsec Monitor. Troubleshooting VPN connectionsIf you have determined that your VPN connection is not working properly through Troubleshooting on page 223, the next step is to verify that you have a phase2 connection. If traffic is not passing through the FortiGate unit as you expect, ensure the traffic does not contain IPcomp packets (IP protocol 108, RFC 3173). FortiGate units do not allow IPcomp packets, they compress packet payload, preventing it from being scanned. Testing Phase 1 and 2 connections is a bit more difficult than testing the working VPN. This is because they require diagnose CLI commands. These commands are typically used by Fortinet customer support to discover more information about your FortiGate unit and its current configuration. Before you begin troubleshooting, you must: address is 10.11.101.10 and the names of the phases are Phase 1 and Phase 2 For this example, default values were used unless stated otherwise. Obtaining diagnose information for the VPN connection – CLIdiagnose vpn ike log-filter clear diagnose debug app ike 255 diagnose debug enable This makes the remote FortiGate the initiator and the local FortiGate becomes the responder. Establishing the connection in this manner means the local FortiGate will have its configuration information as well as the information the remote computer sends. Having both sets of information locally makes it easier to troubleshoot your VPN connection. diagnose debug disable Troubleshooting a Phase 1 VPN connectionUsing the output from Obtaining diagnose information for the VPN connection – CLI, search for the word proposal in the output. It may occur once indicating a successful connection, or it will occur two or more times for an unsuccessful connection — there will be one proposal listed for each end of the tunnel and each possible Troubleshooting connection issues combination in their settings. For example if 10.11.101.10 selected both Diffie-Hellman Groups 1 and 5, that would be at least 2 proposals set. A successful negotiation proposal will look similar to IPsec SA connect 26 10.12.101.10->10.11.101.10:500 config found created connection: 0x2f55860 26 10.12.101.10->10.11.101.10:500 IPsec SA connect 26 10.12.101.10->10.11.101.10:500 negotiating no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation initiator: main mode is sending 1st message… cookie 3db6afe559e3df0f/0000000000000000 out [encryption] sent IKE msg (ident-i1send): 10.12.101.10:500->10.11.101.10:500, len=264, > diaike 0: comes 10.12.101.1:500->10.11.101.1:500,ifindex=26…. Note the phrase “initiator: main mode is sending 1st message…” which shows you the handshake between the ends of the tunnel is in progress. Initiator shows the remote unit is sending the first message. Troubleshooting invalid ESP packets using WiresharkThe following section provides information to help debug an encryption key mismatch. The ESP packet invalid error is due to an encryption key mismatch after a VPN tunnel has been established. When an IPsec VPN tunnel is up, but traffic is not able to pass through the tunnel, Wireshark (or an equivalent program) can be used to determine whether there is an encryption mismatch. A mismatch could occur for many reasons, one of the most common is the instability of an ISP link (ADSL, Cable), or it could effectively be any device in the physical connection. The following information is required to troubleshoot the problem. In the following example, the error message was seen on the recipient FortiGate: date=2010-12-28 time=18:19:35 devname=Kosad_VPN device_id=FG300B3910600118 log_ type=event subtype=ipsec pri=critical vd=”root” msg=”IPsec ESP” action=”error” rem_ ip=180.87.33.2 loc_ip=121.133.8.18 rem_port=32528 loc_port=4500 out_intf=”port2″ cookies=”88d40f65d555ccaf/05464e20e4afc835″user=”N/A” group=”N/A” xauth_user=”N/A” xauth_ group=”N/A” vpn_tunnel=”fortinet_0″ status=esp_error error_num=Invalid ESP packet detected (HMAC validation failed). spi=c32b09f7 seq=00000012 This is the output of the command diag vpn tunnel list on the FortiGate: inet ver=1 serial=2 192.168.1.205:4500->121.133.8.18:4500 lgwy=dyn tun=intf mode=auto bound_if=4 proxyid_num=1 child_num=0 refcnt=7 ilast=0 olast=0 stat: rxp=41 txp=56 rxb=4920 txb=3360 dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=696 natt: mode=keepalive draft=32 interval=10 remote_port=4500 proxyid=P2_60C_Fortinet proto=0 sa=1 ref=2 auto_negotiate=0 serial=1 src: 0:182.40.101.0/255.255.255.0:0 dst: 0:100.100.100.0/255.255.255.0:0 connection issues SA: ref=3 options=0000000d type=00 soft=0 mtu=1428 expire=1106 replaywin=0 seqno=15 life: type=01 bytes=0/0 timeout=1777/1800 dec: spi=29a26eb6 esp=3des key=24 bf25e69df90257f64c55dda4069f01834cd0382fe4866ff2 ah=sha1 key=20 38b2600170585d2dfa646caed5bc86d920aed7ff enc: spi=c32b09f7 esp=3des key=24 0abd3c70032123c3369a6f225a385d30f0b2fb1cd9687ec8 ah=sha1 key=20 214d8e717306dffceec3760464b6e8edb436c6 This is the packet capture from the FortiGate: How to verify if the original packet has been encrypted correctlyTo verify, it is necessary to decrypt the ESP packet using Wireshark. Open the packet capture that is taken from initiator FortiGate using Wireshark. Go to Edit > Preferences, expand Protocol and look for ESP. Select “Attempt to detect/decode encrypted ESP payloads“, and fill in the information for the encryption algorithm and the keys. This information can be obtained from the output of the command diag vpn tunnel list. If the packet was encrypted correctly using the correct key, then the decryption will be successful and it will be possible to see the original package as shown below: Repeat the decryption process for the packet capture from the recipient firewall. If the decryption failed using the same key, the packet may be corrupted and the interface should then be checked for CRC or packet errors. Attempting hardware offloading beyond SHA1If you are trying to off-load VPN processing to a network processing unit (NPU), remember that only SHA1 authentication is supported. For high levels of authentication such as SHA256, SHA384, and SHA512 hardware offloading is not an option—all VPN processing must be done in software—unless using an NP6 (although the NP4lite variation also supports SHA256, SHA384, and SHA512). Enable/disable IPsec ASIC-offloadingMuch like NPU-offload in IKE phase1 configuration, you can enable or disable the usage of ASIC hardware for IPsec Diffie-Hellman key exchange and IPsec ESP traffic. By default hardware offloading is used. For debugging purposes, sometimes it is best for all the traffic to be processed by software. config sys global set ipsec-asic-offload [enable | disable] end Check Phase 1 proposal settingsEnsure that both sides have at least one Phase 1 proposal in common. Otherwise they will not connect. If there are many proposals in the list, this will slow down the negotiating of Phase 1. If its too slow, the connection may timeout before completing. If this happens, try removing some of the unused proposals. NPU offloading is supported when the local gateway is a loopback interface. Check your routingIf routing is not properly configured with an entry for the remote end of the VPN tunnel, traffic will not flow properly. You may need static routes on both ends of the tunnel. If routing is the problem, the proposal will likely setup properly but no traffic will flow. Try enabling XAuthIf one end of an attempted VPN tunnel is using XAuth and the other end is not, the connection attempt will fail. The log messages for the attempted connection will not mention XAuth is the reason, but when connections are failing it is a good idea to ensure both ends have the same XAuth settings. If you do not know the other end’s settings enable or disable XAuth on your end to see if that is the problem. General troubleshooting tipsMost connection failures are due to a configuration mismatch between the FortiGate unit and the remote peer. In general, begin troubleshooting an IPsec VPN connection failure as follows: VPN troubleshooting tips
VPN server. | Check Phase 1 configuration. Depending on the Remote Gateway and Authentication Method settings, you have a choice of options to authenticate FortiGate dialup clients or VPN peers by ID or certificate name (see Phase 1 parameters on page 46). If you are configuring authentication parameters for FortiClient dialup clients, refer to the Authenticating FortiClient Dialup Clients Technical Note. | |||||
| Preshared keys do not match. | Reenter the preshared key. See Phase 1 parameters on page 46. | |||||||
| Phase 1 or Phase 2 key exchange proposals are mismatched. | Make sure that both VPN peers have at least one set of proposals in common for each phase. See Phase 1 parameters on page 46 and Phase 2 parameters on page 66. | |||||||
| NAT traversal settings are mismatched. | Select or clear both options as required. See Phase 1 parameters on page 46 and Phase 1 parameters on page 46. |
A word about NAT devices
When a device with NAT capabilities is located between two VPN peers or a VPN peer and a dialup client, that device must be NAT traversal (NAT-T) compatible for encrypted traffic to pass through the NAT device. For more information, see Phase 1 parameters on page 46.
Troubleshooting L2TP and IPsec
This section describes some checks and tools you can use to resolve issues with L2TP-over-IPsec VPNs.
This section includes:
Quick checks
The table below is a list of common L2TP over IPsec VPN problems and the possible solutions.
| Problem | What to check |
| IPsec tunnel does not come up. | Check the logs to determine whether the failure is in Phase 1 or Phase 2. Check the settings, including encapsulation setting, which must be transport-mode. Check the user password. Confirm that the user is a member of the user group assigned to L2TP. On the Windows PC, check that the IPsec service is running and has not been disabled. See Troubleshooting L2TP and IPsec on page 232. |
| Tunnel connects, but there is no communication. | Did you create an ACCEPT security policy from the public network to the protected network for the L2TP clients? See Troubleshooting L2TP and IPsec on page 232. |
Mac OS X and L2TP
FortiOS allows L2TP connections with empty AVP host names and therefore Mac OS X L2TP connections can connect to the FortiGate.
Prior to FortiOS 4.0 MR3, FortiOS refused L2TP connections with empty AVP host names in compliance with RFC 2661 and RFC 3931.
Setting up logging
L2TP logging must be enabled to record L2TP events. Alert email can be configured to report L2TP errors.
Configuring FortiGate logging for L2TP over IPsec
Viewing FortiGate logs
Using the FortiGate unit debug commands
Viewing debug output for IKE and L2TP
diagnose debug reset
Using the packet sniffer
Typical L2TP over IPsec session startup log entries – raw format
2010-01-11 16:39:58 log_id=0101037127 type=event subtype=ipsec pri=notice vd=”root” msg=”progress IPsec Phase 1″ action=”negotiate” rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_ intf=”port1″ cookies=”5f6da1c0e4bbf680/d6a1009eb1dde780″ user=”N/A” group=”N/A” xauth_user=”N/A” xauth_ group=”N/A” vpn_tunnel=”dialup_p1″ status=success init=remote mode=main dir=outbound stage=1 role=responder result=OK
2010-01-11 16:39:58 log_id=0101037127 type=event subtype=ipsec pri=notice vd=”root” msg=”progress IPsec Phase 1″ action=”negotiate” rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_ intf=”port1″ cookies=”5f6da1c0e4bbf680/d6a1009eb1dde780″ user=”N/A” group=”N/A” xauth_user=”N/A” xauth_ group=”N/A” vpn_tunnel=”dialup_p1″ status=success init=remote mode=main dir=outbound stage=2 role=responder result=OK
2010-01-11 16:39:58 log_id=0101037127 type=event subtype=ipsec pri=notice vd=”root” msg=”progress IPsec Phase 1″ action=”negotiate” rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_ intf=”port1″ cookies=”5f6da1c0e4bbf680/d6a1009eb1dde780″ user=”N/A” group=”N/A” xauth_user=”N/A” xauth_ group=”N/A” vpn_tunnel=”dialup_p1″ status=success init=remote mode=main dir=inbound stage=3 role=responder result=DONE
2010-01-11 16:39:58 log_id=0101037127 type=event subtype=ipsec pri=notice vd=”root” msg=”progress IPsec Phase 1″ action=”negotiate” rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_ intf=”port1″ cookies=”5f6da1c0e4bbf680/d6a1009eb1dde780″ user=”N/A” group=”N/A” xauth_user=”N/A” xauth_ group=”N/A” vpn_tunnel=”dialup_p1_0″ status=success init=remote mode=main dir=outbound stage=3 role=responder result=DONE
2010-01-11 16:39:58 log_id=0101037129 type=event subtype=ipsec pri=notice vd=”root” msg=”progress IPsec Phase 2″ action=”negotiate” rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_ intf=”port1″ cookies=”5f6da1c0e4bbf680/d6a1009eb1dde780″ user=”N/A” group=”N/A” xauth_user=”N/A” xauth_ group=”N/A” vpn_tunnel=”dialup_p1_0″ status=success init=remote mode=quick dir=outbound stage=1 role=responder result=OK
2010-01-11 16:39:58 log_id=0101037133 type=event subtype=ipsec pri=notice vd=”root” msg=”install IPsec SA” action=”install_sa” rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_ intf=”port1″ cookies=”5f6da1c0e4bbf680/d6a1009eb1dde780″ user=”N/A” group=”N/A” xauth_user=”N/A” xauth_ group=”N/A” vpn_tunnel=”dialup_p1_0″ role=responder in_spi=61100fe2 out_spi=bd70fca1
2010-01-11 16:39:58 log_id=0101037139 type=event subtype=ipsec pri=notice vd=”root” msg=”IPsec Phase 2 status change” action=”phase2-up” rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf=”port1″ cookies=”5f6da1c0e4bbf680/d6a1009eb1dde780″ user=”N/A” group=”N/A” xauth_user=”N/A” xauth_group=”N/A” vpn_tunnel=”dialup_p1_0″ phase2_name=dialup_p2
2010-01-11 16:39:58 log_id=0101037138 type=event subtype=ipsec pri=notice vd=”root” msg=”IPsec connection status change” action=”tunnel-up” rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf=”port1″ cookies=”5f6da1c0e4bbf680/d6a1009eb1dde780″ user=”N/A” group=”N/A” xauth_ user=”N/A” xauth_group=”N/A” vpn_tunnel=”dialup_p1_0″ tunnel_ip=172.20.120.151 tunnel_id=1552003005 tunnel_type=ipsec duration=0 sent=0 rcvd=0 next_stat=0 tunnel=dialup_p1_0
2010-01-11 16:39:58 log_id=0101037129 type=event subtype=ipsec pri=notice vd=”root” msg=”progress IPsec Phase 2″ action=”negotiate” rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_ intf=”port1″ cookies=”5f6da1c0e4bbf680/d6a1009eb1dde780″ user=”N/A” group=”N/A” xauth_user=”N/A” xauth_ group=”N/A” vpn_tunnel=”dialup_p1_0″ status=success init=remote mode=quick dir=inbound stage=2 role=responder result=DONE
2010-01-11 16:39:58 log_id=0101037122 type=event subtype=ipsec pri=notice vd=”root” msg=”negotiate IPsec Phase 2″ action=”negotiate” rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_ intf=”port1″ cookies=”5f6da1c0e4bbf680/d6a1009eb1dde780″ user=”N/A” group=”N/A” xauth_user=”N/A” xauth_ group=”N/A” vpn_tunnel=”dialup_p1_0″ status=success role=responder esp_transform=ESP_3DES esp_auth=HMAC_ SHA1
2010-01-11 16:39:58 log_id=0103031008 type=event subtype=ppp vd=root pri=information action=connect status=success msg=”Client 172.20.120.151 control connection started (id 805), assigned ip 192.168.0.50″
2010-01-11 16:39:58 log_id=0103029013 type=event subtype=ppp vd=root pri=notice pppd is started
2010-01-11 16:39:58 log_id=0103029002 type=event subtype=ppp vd=root pri=notice user=”user1″ local=172.20.120.141 remote=172.20.120.151 assigned=192.168.0.50 action=auth_success msg=”User ‘user1’ using l2tp with authentication protocol MSCHAP_V2, succeeded”
2010-01-11 16:39:58 log_id=0103031101 type=event subtype=ppp vd=root pri=information action=tunnel-up tunnel_id=1645784497 tunnel_type=l2tp remote_ip=172.20.120.151 tunnel_ip=192.168.0.50 user=”user1″ group=”L2TPusers” msg=”L2TP tunnel established”
Troubleshooting GRE over IPsec
This section describes some checks and tools you can use to resolve issues with the GRE-over-IPsec VPN.
Quick checks
Here is a list of common problems and what to verify.
| Problem | What to check |
| No communication with remote network. | Use the execute ping command to ping the Cisco device public interface. Use the FortiGate VPN Monitor page to see whether the IPsec tunnel is up or can be brought up. |
| IPsec tunnel does not come up. | Check the logs to determine whether the failure is in Phase 1 or Phase 2. Check that the encryption and authentication settings match those on the Cisco device. Check the encapsulation setting: tunnel-mode or transport-mode. Both devices must use the same mode. |
| Tunnel connects, but there is no communication. | Check the security policies. See Troubleshooting GRE over IPsec on page 235. Check routing. See Troubleshooting GRE over IPsec on page 235. |
Setting up logging
Configuring FortiGate logging for IPsec
Viewing FortiGate logs
GRE tunnel keepalives
In the event that each GRE tunnel endpoint has keepalive enabled, firewall policies allowing GRE are required in both directions. The policy should be configured as follows (where the IP addresses and interface names are for example purposes only):
config firewall policy edit
set srcintf “gre” set dstintf “port1” set srcaddr “1.1.1.1” set dstaddr “2.2.2.2” set action accept set schedule “always” set service “GRE”
Cisco compatible keep-alive support for GRE
The FortiGate can send a GRE keepalive response to a Cisco device to detect a GRE tunnel. If it fails, it will remove any routes over the GRE interface.
Configuring keepalive query – CLI:
config system gre-tunnel edit set keepalive-interval set keepalive-failtimes
GRE tunnel with multicast traffic
If you want multicast traffic to traverse the GRE tunnel, you need to configure a multicast policy as well as enable multicast forwarding.
config system settings set multicast-forward enable
Using diagnostic commands
There are some diagnostic commands that can provide useful information. When using diagnostic commands, it is best practice that you connect to the CLI using a terminal program, such as puTTY, that allows you to save output to a file. This will allow you to review the data later on at your own speed without worry about missed data as the diag output scrolls by.
Using the packet sniffer – CLI:
diag sniff packet any icmp 4
The output will show packets coming in from the GRE interface going out of the interface that connects to the protected network (LAN) and vice versa. For example:
Viewing debug output for IKE – CLI:
diagnose debug reset
Share this:
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don’t Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
— FortinetGuru YouTube Channel
— FortiSwitch Training Videos
Leave a Reply Cancel reply
This site uses Akismet to reduce spam. Learn how your comment data is processed.
unit error
1 unit error
ошибка в устройстве
—
[Л.Г.Суменко. Англо-русский словарь по информационным технологиям. М.: ГП ЦНИИС, 2003.]
Тематики
2 unit error
3 unit error
4 unit error
5 unit error
6 unit error
7 signal unit error rate monitoring
контроль коэффициента ошибок в сигнальных единицах
—
[Л.Г.Суменко. Англо-русский словарь по информационным технологиям. М.: ГП ЦНИИС, 2003.]
Тематики
8 protocol data unit error
Тематики
9 bad unit error
systematic error — постоянная ошибка; систематическая ошибка
reasonable error — допустимая ошибка; допустимая погрешность
10 bad unit error
11 bad unit error
12 Signal Unit Error Rate Monitor (SUERM)
13 bad unit error
14 bad unit error
15 error
16 error
error due to — ошибка, обусловленная (чем-л.) ; ошибка, связанная с (чем-л.)
17 error
18 error control unit
19 unit control error
погрешность регулирования (мощности) агрегата
—
[Я.Н.Лугинский, М.С.Фези-Жилинская, Ю.С.Кабиров. Англо-русский словарь по электротехнике и электроэнергетике, Москва, 1999 г.]
Тематики
20 error rate
recurrence rate — скорость повторения; частота следования
heart rate — частота пульса, частота сердечных сокращений
generation rate — скорость образования; частота генерации
См. также в других словарях:
Unit 669 — is an Airborne Rescue And Evacuation Unit ( he. יחידת החילוץ והפינוי בהיטס, Yechidat Hilu z Vehat zala Behethes ), which is the name of the Israeli Air Force elite heliborne medevac extraction unit. [cite press release |publisher = Asia Times… … Wikipedia
Error diffusion — is a type of halftoning in which the quantization residual is distributed to neighboring pixels which have not yet been processed. Its main use is to convert a multi level image into a binary image, though it has other applications.Unlike many… … Wikipedia
error — A missorted piece or unit of mail that must be rehandled within the post office before dispatch, as opposed to missent mail actually transported to another post office. (Compare with missent/misdirected mail) … Glossary of postal terms
Unit in the last place — In computer science, Unit in the Last Place or Unit of Least Precision (ULP) is the gap between two very close floating point numbers. To be exact, ulp(x) is the gap between the two floating point numbers closest to the value x.The amount of… … Wikipedia
Unit testing — In computer programming, unit testing is a method by which individual units of source code are tested to determine if they are fit for use. A unit is the smallest testable part of an application. In procedural programming a unit may be an… … Wikipedia
Error-tolerant design — An error tolerant design is one that does not unduly penalize user errors. It is the human equivalent of fault tolerant design that allows equipment to continue functioning in the presence of hardware faults, such as a limp in mode for an… … Wikipedia
Error Correction Code — code that checks identifies and corrects data errors in a computer (by joining it to each unit of data that is stored in memory and checking the data again on repeat reads), ECC … English contemporary dictionary
Output display data unit — In the Computer Science world, a byte is the unit of the information which is based on the binary system (base 2 unlike decimal system which has base 10). A byte consists of 8 bits (binary digits) and is considered to be the smallest measurable… … Wikipedia
Medical error — A medical error may be defined as a preventable adverse effect of care, whether or not it is evident or harmful to the patient. This might include an inaccurate or incomplete diagnosis or treatment of a disease, injury, syndrome, behavior,… … Wikipedia
Margin of Error (The Wire) — Margin of Error The Wire episode Episode no. Season 4 Episode 6 … Wikipedia
How To Use Systemctl to Manage Systemd Services and Units
Introduction
systemd is an init system and system manager that has widely become the new standard for Linux distributions. Due to its heavy adoption, familiarizing yourself with systemd is well worth the trouble, as it will make administering servers considerably easier. Learning about and using the tools and daemons that comprise systemd will help you better appreciate the power, flexibility, and capabilities it provides, or at least help you to do your job with less hassle.
In this guide, we will be discussing the systemctl command, which is the central management tool for controlling the init system. We will cover how to manage services, check statuses, change system states, and work with the configuration files.
Please note that although systemd has become the default init system for many Linux distributions, it isn’t implemented universally across all distros. As you go through this tutorial, if your terminal outputs the error bash: systemctl is not installed then it is likely that your machine has a different init system installed.
Service Management
The fundamental purpose of an init system is to initialize the components that must be started after the Linux kernel is booted (traditionally known as “userland” components). The init system is also used to manage services and daemons for the server at any point while the system is running. With that in mind, we will start with some basic service management operations.
Starting and Stopping Services
To start a systemd service, executing instructions in the service’s unit file, use the start command. If you are running as a non-root user, you will have to use sudo since this will affect the state of the operating system:
As we mentioned above, systemd knows to look for *.service files for service management commands, so the command could be typed like this:
To stop a currently running service, you can use the stop command instead:
Restarting and Reloading
To restart a running service, you can use the restart command:
If the application in question is able to reload its configuration files (without restarting), you can issue the reload command to initiate that process:
If you are unsure whether the service has the functionality to reload its configuration, you can issue the reload-or-restart command. This will reload the configuration in-place if available. Otherwise, it will restart the service so the new configuration is picked up:
Enabling and Disabling Services
The above commands are useful for starting or stopping services during the current session. To tell systemd to start services automatically at boot, you must enable them.
To start a service at boot, use the enable command:
To disable the service from starting automatically, you can type:
This will remove the symbolic link that indicated that the service should be started automatically.
Keep in mind that enabling a service does not start it in the current session. If you wish to start the service and also enable it at boot, you will have to issue both the start and enable commands.
Checking the Status of Services
To check the status of a service on your system, you can use the status command:
This will provide you with the service state, the cgroup hierarchy, and the first few log lines.
For instance, when checking the status of an Nginx server, you may see output like this:
This gives you a nice overview of the current status of the application, notifying you of any problems and any actions that may be required.
There are also methods for checking for specific states. For instance, to check to see if a unit is currently active (running), you can use the is-active command:
To see if the unit is enabled, you can use the is-enabled command:
This will output whether the service is enabled or disabled and will again set the exit code to “0” or “1” depending on the answer to the command question.
A third check is whether the unit is in a failed state. This indicates that there was a problem starting the unit in question:
System State Overview
The commands so far have been useful for managing single services, but they are not very helpful for exploring the current state of the system. There are a number of systemctl commands that provide this information.
Listing Current Units
To see a list of all of the active units that systemd knows about, we can use the list-units command:
This will show you a list of all of the units that systemd currently has active on the system. The output will look something like this:
The output has the following columns:
Since the list-units command shows only active units by default, all of the entries above will show loaded in the LOAD column and active in the ACTIVE column. This display is actually the default behavior of systemctl when called without additional commands, so you will see the same thing if you call systemctl with no arguments:
This will show any unit that systemd loaded or attempted to load, regardless of its current state on the system. Some units become inactive after running, and some units that systemd attempted to load may have not been found on disk.
Listing All Unit Files
The list-units command only displays units that systemd has attempted to parse and load into memory. Since systemd will only read units that it thinks it needs, this will not necessarily include all of the available units on the system. To see every available unit file within the systemd paths, including those that systemd has not attempted to load, you can use the list-unit-files command instead:
Units are representations of resources that systemd knows about. Since systemd has not necessarily read all of the unit definitions in this view, it only presents information about the files themselves. The output has two columns: the unit file and the state.
We will cover what masked means momentarily.
Unit Management
So far, we have been working with services and displaying information about the unit and unit files that systemd knows about. However, we can find out more specific information about units using some additional commands.
Displaying a Unit File
To display the unit file that systemd has loaded into its system, you can use the cat command (this was added in systemd version 209). For instance, to see the unit file of the atd scheduling daemon, we could type:
The output is the unit file as known to the currently running systemd process. This can be important if you have modified unit files recently or if you are overriding certain options in a unit file fragment (we will cover this later).
Displaying Dependencies
To see a unit’s dependency tree, you can use the list-dependencies command:
This will display a hierarchy mapping the dependencies that must be dealt with in order to start the unit in question. Dependencies, in this context, include those units that are either required by or wanted by the units above it.
Checking Unit Properties
To see the low-level properties of a unit, you can use the show command. This will display a list of properties that are set for the specified unit using a key=value format:
Masking and Unmasking Units
This will prevent the Nginx service from being started, automatically or manually, for as long as it is masked.
If you attempt to start the service, you will see a message like this:
To unmask a unit, making it available for use again, use the unmask command:
This will return the unit to its previous state, allowing it to be started or enabled.
Editing Unit Files
While the specific format for unit files is outside of the scope of this tutorial, systemctl provides built-in mechanisms for editing and modifying unit files if you need to make adjustments. This functionality was added in systemd version 218.
The edit command, by default, will open a unit file snippet for the unit in question:
To remove a full modified unit file, we would type:
After deleting the file or directory, you should reload the systemd process so that it no longer attempts to reference these files and reverts back to using the system copies. You can do this by typing:
Adjusting the System State (Runlevel) with Targets
This can be used in order to bring the system to certain states, much like other init systems use runlevels. They are used as a reference for when certain functions are available, allowing you to specify the desired state instead of the individual units needed to produce that state.
Getting and Setting the Default Target
The systemd process has a default target that it uses when booting the system. Satisfying the cascade of dependencies from that single target will bring the system into the desired state. To find the default target for your system, type:
Listing Available Targets
You can get a list of the available targets on your system by typing:
Unlike runlevels, multiple targets can be active at one time. An active target indicates that systemd has attempted to start all of the units tied to the target and has not tried to tear them down again. To see all of the active targets, type:
Isolating Targets
You may wish to take a look at the dependencies of the target you are isolating before performing this procedure to ensure that you are not stopping vital services:
When you are satisfied with the units that will be kept alive, you can isolate the target by typing:
Using Shortcuts for Important Events
There are targets defined for important events like powering off or rebooting. However, systemctl also has some shortcuts that add a bit of additional functionality.
For instance, to put the system into rescue (single-user) mode, you can use the rescue command instead of isolate rescue.target :
This will provide the additional functionality of alerting all logged in users about the event.
To halt the system, you can use the halt command:
To initiate a full shutdown, you can use the poweroff command:
A restart can be started with the reboot command:
For example, to reboot the system, you can usually type:
Conclusion
By now, you should be familiar with some of the basic capabilities of the systemctl command that allow you to interact with and control your systemd instance. The systemctl utility will be your main point of interaction for service and system state management.
While systemctl operates mainly with the core systemd process, there are other components to the systemd ecosystem that are controlled by other utilities. Other capabilities, like log management and user sessions are handled by separate daemons and management utilities ( journald / journalctl and logind / loginctl respectively). Taking time to become familiar with these other tools and daemons will make management an easier task.
Want to learn more? Join the DigitalOcean Community!
Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in our Questions & Answers section, find tutorials and tools that will help you grow as a developer and scale your project or business, and subscribe to topics of interest.