Troubleshooting Guide 13 Troubleshooting Transmission Security Faults

13.1 Definitions of Transmission Security Faults

A transmission security fault occurs when an IPSec tunnel between an eNodeB and a security gateway (SeGW) malfunctions. This fault leads to abnormal communication between the eNodeB and the EPC.

Transmission security faults include:

• Internet key exchange (IKE) negotiation failure: An IKE security association (SA) fails to be set up between the eNodeB and the SeGW.

• IPSec tunnel setup failure: The IKE SA between the eNodeB and the SeGW is normal, but the IPSec SA carried by the IKE SA fails to be set up.

• Certificate application failure: A digital certificate fails to be obtained due to an IKE negotiation failure.

13.2 Background Information

This section describes the data that requires encryption in transmission security networking scenarios. In addition, this section provides the parameters related to transmission security.

• Encapsulation between two eNodeBs: Data streams between two eNodeBs are encapsulated in transport mode.

• Encapsulation between an eNodeB and an SeGW: Data streams (except those between the SeGW and the EPC) are encapsulated in tunnel mode.

• Encapsulation between an eNodeB and the EPC: Data streams over the S1 interface are encapsulated in transport mode.

Figure 13-1 Transmission security networking

Transmission security faults occur in most cases where security link negotiation between the eNodeB and the security gateway fails. Parameters affecting the negotiation include IKE parameters and IPSec parameters. IKE parameters include the ciphering algorithm, verification algorithm, IKE version, identity authentication mode, and shared key. IPSec parameters include the ciphering mode, ciphering algorithm, authentication algorithm, and authorization mode. For details, see eRAN Transmission Security Feature Parameter Description.

13.3 Troubleshooting Specific Transmission Security Faults

This section provides information required to troubleshoot specific transmission security faults.

The information includes fault descriptions, background information, possible causes, fault handling method and procedure, and typical cases.

Fault Description

When a transmission security fault occurs:

• The eNodeB is out of control, and no operation commands can be delivered from the M2000 to the eNodeB.

• The eNodeB is under control, but transmission-related alarms are displayed on the Web LMT.

• Transmission detection commands such as ping cannot be successfully executed.

Background Information

• Related Alarms

– ALM-26841 Certificate Invalid
– ALM-25891 IKE Negotiation Failure
– ALM-25880 Ethernet Link Fault
– ALM-26223 Transmission Optical Interface Performance Degraded
– ALM-26222 Transmission Optical Interface Error
– ALM-26220 Transmission Optical Module Fault
– ALM-25901 Remote Maintenance Link Failure
– ALM-25888 SCTP Link Fault

Possible Causes

Possible causes are:

• Transmission security parameters are mismatched between the local and peer ends, which leads to IPSec tunnel negotiation failures.

• Security tunnel update fails due to certificate update failures or certificate expiry.

Troubleshooting Flowchart

Transmission security faults are generally due to data configuration. Therefore, data consistency check between the eNodeB and the SeGW is crucial to troubleshooting.

Figure 13-2 Troubleshooting flowchart for transmission security faults

Troubleshooting Procedure

1. Check whether an IPSec policy group is bound to the port involved.

Run the LST IPSECBIND command. The output is as follows:

Figure 13-3 List binding relationships

If no binding relationship is found, bind an IPSec policy group to the port. Run the ADD IPSECBIND command, and specify values for the mandatory parameters such as the slot No., subboard type, port type, port No., and IPSec policy group name. To learn about the IPSec policy group name, run the LST IPSECPOLICY command.

2. Check whether the IKE proposal is correctly configured.

Run the DSP IKEPROPOSAL command for query. If the values in the red frame are inconsistent with the network plan, run the MOD IKEPROPOSAL command to change them.

Figure 13-4 List IKE negotiation results

3. Check whether the IKE peer is correctly configured.

Run the DSP IKEPEER command for query. If the values in the red frame are inconsistent with the network plan, run the MOD IKEPEER command to change them.

Figure 13-5 List IKE peer information

4. Check whether the IKE proposal configuration on the eNodeB is the same as that on the SeGW.

Run the LST IKEPROPOSAL command to check whether the IKE proposal with the ID indicated in step 3 is consistent with that used by the SeGW. Pay particular attention to the encryption algorithm, authentication algorithm, IKE version, and key. If the authentication is based on digital certificates, go to step 5. If the authentication is based on shared keys, go to step 6.

5. Check whether the eNodeB's certificate chain is correct.

Run the DSP TRUSTCERT command to check the operator's root certificate. Pay more attention to the information in the red frame. Check whether the name of the root certificate is correct and whether the root certificate has expired. If the root certificate is incorrect, apply for a new one. Then, run the DLD CERTFILE command to download the root certificate, and run the ADD TRUSTCERT command to add the root certificate to the eNodeB.

Figure 13-6 List operator's root certificate information

Run the DSP CERTMK command to check the operator's device certificate. Pay more attention to the information in the red frame. Check whether the issuer of the root certificate is correct and whether the root certificate has expired. If the device certificate is incorrect, apply for a new one. Then, run the DLD CERTFILE command to download the device certificate, and run the ADD CERTMK command to add the device certificate to the eNodeB.

Figure 13-7 List operator's device certificate information

Run the DSP APPCERT command to check whether the certificates used for IKE and SSL are correct. Pay more attention to the information in the red frame. If a used certificate is incorrect, run the MOD APPCERT command to change it.

Figure 13-8 List certificates used for IKE and SSL

6. Check whether the IPSec proposal is correctly configured.

Run the DSP IPSECPROPOSAL command for query. If the values in the red frame are inconsistent with the network plan, run the MOD IPSECPROPOSAL command to change them.

Figure 13-9 List IPSec proposal information

7. Check whether the IPSec policy is correctly configured.

Run the DSP IPSECPOLICY command for query. If the values in the red frame are inconsistent with the network plan, run the MOD IPSECPOLICY command to change them.

Figure 13-10 List IPSec policy information

8. Check whether the ACL rule is correctly configured.

Run the LST ACLRULE command for query. The following figure provides an example.

If the values in the red frame are inconsistent with the network plan, run the MOD ACLRULE command to change them.

Figure 13-11 List ACL rule information

9. If the transmission security fault persists, contact Huawei technical support.

Before contacting Huawei technical support, collect configuration files, certificate files (including the root certificate, intermediate certificate, device certificate files), and board logs.

If possible, collect header information transmitted between the eNodeB and the SeGW during negotiation.

Typical Cases

The following describes how to troubleshoot an IKE negotiation failure.

Fault Description

An IPSec policy group was bound to a port, but an IPSec tunnel failed to be set up between the eNodeB and the SeGW.

Fault Diagnosis

1. OM personnel checked whether the IPSec-related parameters were correctly configured.

The output of the DSP IKESA command indicated that the IKE SA status in phase 1 was Ready or Ready|StayAlive, but the status in phase 2 was None. IPSec-related parameter settings were checked and were found to be the same as those on the SeGW.

2. OM personnel checked header information.

There were four IKE_AUTH exchanges between the eNodeB and the SeGW. After that, the SeGW did not respond to the IKE_AUTH message from the eNodeB. When an eNodeB has not received any responses from an SeGW for a long time, the eNodeB will continue to send six IKE_AUTH messages before starting the next round of authentication negotiation.

3. OM personnel checked the IKE_AUTH messages sent from the SeGW to the eNodeB.

The notification payload in the messages was NO_PROPOSAL_CHOSEN. This indicated that the SeGW failed to obtain the required IPSec proposal and therefore this round of IKE authentication negotiation failed. The SeGW sent these messages to notify the eNodeB of this failure.

NOTE

The eNodeB considered the encrypted notification messages invalid and therefore discarded these messages.

Fault Handling

This fault was due to the configuration on the peer equipment. After the message transmission rule on the peer equipment was modified, the fault was rectified.
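The header check used in the fault diagnosis above, as an added example (not part of the original guide and not vendor code): it decodes a captured IKEv2 message using the RFC 7296 field layout and lists the Notify payloads that are readable without the SA keys. The function names and the sample message are constructed for illustration.

```python
import struct

# Layouts follow RFC 7296 sections 3.1, 3.2 and 3.10; all names here are illustrative.
IKE_HDR = struct.Struct(">8s8sBBBBII")  # SPIi, SPIr, next, version, exchange, flags, id, length
EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
NOTIFY, ENCRYPTED = 41, 46              # payload type numbers
NOTIFY_NAMES = {7: "INVALID_SYNTAX", 14: "NO_PROPOSAL_CHOSEN",
                24: "AUTHENTICATION_FAILED", 38: "TS_UNACCEPTABLE"}

def parse_ike(msg: bytes) -> dict:
    """Decode an IKEv2 header and list the Notify payloads visible in cleartext."""
    if len(msg) < IKE_HDR.size:
        raise ValueError("shorter than an IKE header")
    _, _, nxt, ver, exch, flags, msg_id, length = IKE_HDR.unpack_from(msg)
    if ver >> 4 != 2:
        raise ValueError("not an IKEv2 message")
    if length != len(msg):
        raise ValueError("length field does not match captured bytes")
    out = {"exchange": EXCHANGES.get(exch, str(exch)), "response": bool(flags & 0x20),
           "message_id": msg_id, "notifies": [], "encrypted": False}
    off = IKE_HDR.size
    while nxt != 0:                      # 0 means "no next payload"
        if off + 4 > length:
            raise ValueError("truncated payload header")
        following, _, plen = struct.unpack_from(">BBH", msg, off)
        if plen < 4 or off + plen > length:
            raise ValueError("bad payload length")
        if nxt == ENCRYPTED:             # SK payload: the rest needs the SA keys
            out["encrypted"] = True
            break
        if nxt == NOTIFY:
            if plen < 8:
                raise ValueError("Notify payload too short")
            _, _, ntype = struct.unpack_from(">BBH", msg, off + 4)
            out["notifies"].append(NOTIFY_NAMES.get(ntype, str(ntype)))
        nxt, off = following, off + plen
    return out

def build_sample() -> bytes:
    """Constructed IKE_AUTH response carrying one cleartext Notify (type 14)."""
    notify = struct.pack(">BBHBBH", 0, 0, 8, 0, 0, 14)
    return IKE_HDR.pack(b"\x11" * 8, b"\x22" * 8, NOTIFY, 0x20, 35, 0x20, 1,
                        IKE_HDR.size + len(notify)) + notify

if __name__ == "__main__":
    print(parse_ike(build_sample()))
```

Feed it the UDP payload of each captured negotiation message; on port 4500 strip the four-byte non-ESP marker first.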

14 Troubleshooting RF Unit Faults

About This Chapter

This chapter describes the method and procedure for troubleshooting radio frequency (RF) unit faults in the Long Term Evolution (LTE) system.