Академический Документы
Профессиональный Документы
Культура Документы
November 2006
This document contains information proprietary to Gilat Satellite Networks Ltd. and may not be
reproduced in whole or in part without the express written consent of Gilat Satellite Networks Ltd. The
disclosure by Gilat Satellite Networks Ltd. of information contained herein does not constitute any
license or authorization to use or disclose the information, ideas or concepts presented. The contents of
this document are subject to change without prior notice.
SkyEdge VPN Configuration and Management
Contents
2. Introduction....................................................................................................................2
2.1 General Overview of the IPSec Framework .............................................................2
2.2 SkyEdge VPN System Components.........................................................................3
2.2.1 SkyEdge VPN Network Topology ..................................................................4
2.2.2 Inbound Data Path ........................................................................................4
2.2.3 Outbound Data Path......................................................................................6
2.2.4 VPN Acceleration Device (VPNA)..................................................................7
2.3 SkyEdge VPN Main Features ..................................................................................8
2.3.1 VPN Authentication Method ..........................................................................9
2.3.2 VPN Management and Control ......................................................................9
2.3.3 VPNA Redundancy .......................................................................................9
2.3.4 VPNA Switchover Criteria ...........................................................................10
2.3.5 System Availability and Installation .............................................................10
2.4 SkyEdge VPN Sample Setup and IP Addresses ....................................................10
2.4.1 VPN Network IP Scheme ............................................................................11
2.5 VPNA SNMP Support ............................................................................................12
7. VPNA Monitoring..........................................................................................................85
7.1 VPNA SkyManage Telemetries..............................................................................85
7.1.1 VPNA Status ...............................................................................................85
7.1.2 VPNA Info ...................................................................................................86
7.1.3 VPNA CPU Usage Telemetry ......................................................................87
7.1.4 VPNA Active Backbone Links Telemetry .....................................................89
7.2 VPNA Console Commands ....................................................................................92
7.2.1 VERSION....................................................................................................93
7.2.2 BB LINKS....................................................................................................94
7.2.3 CPU Utilization............................................................................................96
7.2.4 IP RTDMP...................................................................................................97
7.2.5 ROUTE PRINT ..........................................................................................100
7.2.6 OB STAT ..................................................................................................101
7.2.7 IB STAT ....................................................................................................103
7.2.8 VIEW Configuration...................................................................................105
7.3 NAT Commands ..................................................................................................106
7.3.1 IP NAT LNK ..............................................................................................106
7.3.2 NAT CFG ..................................................................................................106
7.3.3 NAT DFG ..................................................................................................106
7.3.4 NAT HLIST................................................................................................106
11. Appendix B - Switching to the VPNA Manual Boot Mode via the Web ....................118
12. Appendix C – Selecting Automatic Flash Boot Mode from the VPNA Console ......120
This document describes the SkyEdge VPN solution. This document consists of the
following main sections:
Configuring VPNA via the Web Interface – Explains how to use the VPNA Web
interface (SkyManage).
VPNA Monitoring – Lists the main VPNA Web and CLI commands that enable
monitoring the VPNA operation.
NOTE
The procedures described in this document are applicable to SkyEdge
versions 4.X and VPNA version 02.00.01.00.
NOTE
This document does not describe the VPNA upgrade procedures.
2. Introduction
The SkyEdge VPN feature enables remote sites to use the Internet or any public
network to obtain secure access to an organization’s central site or to a business
partner network.
This document explains how to configure embedded VPN VSATs and the VPN
Acceleration (VPNA) server. It also contains a configuration example for a 3rd party
VPN server (VPNS) that is not managed by Gilat or the NMS.
The VPN solutions described in this document use security protocols that comply
with IPSec standards.
NOTE
To support VPN operations, the SkyEdge NMS system must have the
relevant software licenses. For more information, see
Section 4.1 Activating VSAT Software Licensing.
Integrity – The ability to verify and validate that data sent through the tunnel
was not altered in any way
Non-repudiation – The ability to prove that specific information was sent by the
other side
A VPN Acceleration device (VPNA) that resides in each Remote Data center that
requires VPN connection service. The VPNA server does not reside at the
SkyEdge hub and is not controlled by the SkyEdge NMS.
A 3rd party VPN Gateway (VPNS) that resides in each Remote Data center that
requires VPN connection service. This component is not under Gilat control. The
following options are supported:
− Cisco Router with compatible IOS, PIX Firewall version 6.3 or later, and
Concentrator 3000
− CheckPoint Firewall-1 and VPN-1 package (NG R55 or later)
− Netscreen NS family
− Nortel
− Linksys product line
NOTE
The VPN server (VPNS) is not under Gilat control and must be
configured and managed in accordance with the instructions of its
manufacturer.
The VPNS Server is always defined as the default gateway of the
Destination PC. This way the basic configuration of the customer’s
network is not affected by the SkyEdge VPN feature and the Destination
PC does not have to be dedicated to the VPN implementation.
NOTE
The Allot QoS device is configured to prioritize the VPN encrypted traffic
over the other traffic.
In the shared hub environment, an additional Allot QoS device (total of
two Allot QoS devices) must be installed at the hub.
This section provides a brief description of the Inbound Data path in a typical
SkyEdge-VPN system:
The PC connected to the VSAT (Source PC) generates an IP Packet and sends it
to the VSAT. The source of the packet is the Source PC and the destination is the
Remote Data Server located at the Customer’s site.
The VSAT receives the IP Packet and sends an Acknowledgement message to the
PC.
The VSAT uses Gilat proprietary protocols (adds the Backbone headers to the IP
packet) and applies TCP spoofing techniques for acceleration purposes.
The VSAT applies VPN (IP-Sec) Encryption on the packet and sends it to the
DPS over the Inbound. The source of the packet is changed to the VSAT IP
address and the destination is changed to the VPNS.
The DPS receives the packet and routes it to its destination – VPNS. The DPS
does not handle the packet, it just routes it to the VPNS. The source of the packet
is the VSAT IP address and the destination is the VPNS.
The VPNS receives the packet, strips it of the VPN IP Sec encryption layer and
sends the packet to the VPNA. The source of the packet is the VSAT IP address
and the destination is changed to the VPNA server.
NOTE
In a SkyEdge VPN network, it is possible to implement NAT at the VPN
server.
The VPNA removes the Backbone headers and handles the TCP spoofing. The
source of the packet is changed to the Source PC and the destination is changed
to the Remote Data Server.
The VPNA delivers the original source IP packet to the Remote Data Server at
the Customer’s Data Center.
The VPNA removes the Backbone headers and handles the TCP spoofing. Then,
using NAT configuration, the Source IP address of the packet (PC connected to
the VSAT) is replaced with the predefined and pre-allocated local IP address.
The VPNA delivers the IP packet (from the new local IP address) to the Remote
Data Server at the Customer’s Data Center site.
NOTE
The use of NAT in a SkyEdge VPN network is not mandatory. The
decision on whether to use NAT is based on the nature of applications
and system architecture.
If NAT is not used, permanent routing entries or the default gateway must
be defined at the Destination PC as to ensure that the packets returning
to the VSATs are sent first to the VPNA and not to the VPNS.
VPNS is defined as the default gateway of the Destination PC.
This section provides a brief description of the Outbound Data path in a typical
SkyEdge-VPN system:
The Remote Data Server at the Data Center (Destination PC) generates an IP
packet and sends it to the VPNA. The source of the packet is the Remote Data
Server and the destination is the PC connected to the VSAT.
Because of routing configuration, the packet is first sent to the VPNA for
processing.
The VPNA applies Gilat proprietary protocols (adds the Backbone headers and
handles the TCP spoofing). The source of the packet is changed to the VPNA
server and the destination is changed to the VSAT.
The VPNS applies the VPN (IP Sec) Encryption on the packet and sends to it to
the DPS. The source of the packet is changed to the VPNS and the destination is
the VSAT.
The DPS receives the packet and forwards it to the VSAT over the Outbound.
The VSAT receives the packet, strips it of the VPN IP Sec encryption layer,
applies Gilat proprietary protocols, and handles the TCP Spoofing. The source of
the packet is changed to the Remote Data Server IP address and the destination is
changed to the IP address of the PC connected to the VSAT.
The VPNA runs on a Force card cPCI-690 platform under the VxWorks
environment. VPNA card is installed at the lower slot of the VPNA machine chassis.
On/Off
Power
VPNA machine chassis is one-U rack-mounted unit. Each VPNA machine chassis
contains one VPNA card.
Figure 3 shows the front panel of the VPNA card. The front panel contains one
Ethernet port (ETH 1) which is used for telnet connection to the VPNA. This
connection is used for Management/Control of the VPNA.
The VPNA front panel contains two identical RS-232 Serial ports. The lower Serial
port is used for terminal connection to the VPNA. The upper Serial port is not in use.
The VPNA RTM (Rear Transition Module) is connected to the back of the VPNA
card. One of the Ethernet ports (ETH 2) connects to the VPNS. This is the VPNA
Application connection. The rest of the ports on the VPNA RTM are not in use.
As shown in Figure 4, the VPNA machine chassis is installed in the mini hub rack.
Depending on the particular configuration of the customer’s network other
components supporting various can be installed in the rack containing VPNA
devices.
In Figure 4, an active and redundant VPNA cards are installed in the mini hub rack.
This section lists the main VPN features implemented in the SkyEdge system:
The EVPN client (VSAT containing the embedded VPN) acts as a generic IPSec
peer
− Authentication parameters
− Encryption parameters
Only one VPN tunnel is allowed per VSAT at any time. Up to five different VPN
Tunnel configurations can be defined for each VSAT. However, only one
configuration can work at a given moment.
The Local Management Interface enables the VPNA operator to log on to a web
portal or manually connect a serial console for basic configuration (IP address, IP
mask, boot options, loading files from TFTP, etc.). The machine arrives with default
values that enable immediate access to the web interface.
VPNA supports a one-to-one redundancy process, where VPNA devices are installed
in pairs: Active and Standby.
The two VPNA servers monitor each other’s operation continuously, over the
Control LAN connection. In case the Active VPNA server fails, the backup server
becomes the active one. The switchover between the servers is automatic without any
intervention of external entity.
While implementing the redundancy scheme, the VPNA is actually divided into two
units: active and standby. This duality is transparent to the rest of the network. The
pair of VPNA represents a single IP address – the Advertised IP Address – and
there is no need to add any additional functionality to the rest of the network
components in order to support the redundancy scheme. In addition, each VPNA has
a private IP address over the Control LAN.
Each VPNA machine’s Control interface must be connected to the same LAN in
order for the units to be able to exchange messages between them.
When the Standby VPNA becomes Active, it loads configurations, starts all the
pending tasks and then sends Gratuitous ARP on the Application port as to notify
routers about the change.
The Standby VPNA server will be activated under the following terms:
The Active VPNA detects a loss of connection on its Application port and reports
that to the Standby VPNA. Upon receiving this message, the Standby VPNA
starts the switchover process.
The Active VPNA detects a loss of connection on its Control LAN and
Application ports. The Active VPNA reboots automatically. During the reset of
the Active VPNA, the Standby VPNA detects that the Active VPNA is down and
performs the switchover.
Gilat supplies the embedded VPN client and the VPNA device components.
The customer is responsible for purchasing, configuring, and maintaining the VPN
server (VPNS).
The local network system administrator will supply the IPSec parameters for
configuring the VPN client.
NOTE
This section provides an example of a SkyEdge VPN setup. This example
should be used as a reference when learning about the SkyEdge VPN
feature.
The network topology and IP addressing scheme vary from one network
to another.
Figure 5, below shows a sample topology of a SkyEdge VPN network, where the
VPN Server and the DPS are connected via a Switch. In this setup, the VPNS
functions as the Border router of the system. This diagram also contains sample IP
addresses of the components.
NOTE
The IP addressing scheme provided in this section is for reference
purposes only.
The VPNA MIB file is supplied to the customers with the VPNA device. The VPNA
MIB file should be installed on the PC used for monitoring the VPNA operation.
This is the PC that is connected to the VPNA Control IP address. Any MIB Browser
can be used for viewing the VPNA MIB file.
The MIB Browser should be installed on the PC connected to the VPNA Control IP
address. After the installation is completed, open the MIB Browser and load the
VPNA MIB file.
Table 2 lists the VPNA SNMP telemetries and their explanations as they appear in
the VPNA MIB file.
Hub Configuration – this stage includes copying the VPNA software files to the
NMS Server, defining and configuring VPNA on the NMS, configuring VSATs
to support the VPN feature and preparing VPNA software files for the VPNA
installation at the Customer’s Data Center. All these procedures must be
performed at the SkyEdge Hub.
Customer’s Data Center – this stage includes VPNA installation and wiring and
VPNA configuration.
To configure the VPN feature in the SkyEdge network, perform the following steps
in this order:
NOTE
When configuring a SkyEdge network containing VPNA version 2.0.1.0,
use the SkyEdge Parameters Ver. 2.6 spreadsheet.
Since the VPNA does not automatically adjust its Backbone fragment size and its
TCP MSS, these two parameters are duplicated in the BB and the TCP sheets,
first they must be duplicated for the DPS, and then for the VPNA.
The Backbone MIR and Hub MIR are duplicated in the BB sheet, with values
decreased by 18% in the VPNA, and non-limiting values in the DPS.
A VPNA pack file. This file contains the VPNA operational software and the
VPNA operational file. The VPNA pack file is stored on the NMS Server.
NOTE
The VPNA_x.y.z.w_bin.bin file must be extracted from the VPNA software
pack file.
1. In the systems with NAS, log on to the NMS Server as administrator with
password $giLat$.
5. Verify that the VPNA_x.y.z.w_bin.bin file is extracted from the VPNA pack file
as shown in Figure 6 and Figure 7.
2. In the Hub View, right-click the NMS Server icon and select New Hub Element.
7. Click Next.
8. Leave the default value in the Device ID field. The Device ID parameter is not
the VPNA number. The Device ID parameter is not in use in the current software
version.
9. In the Element Alias field, enter the name of the VPNA device. This is the name
that will be displayed on the NMS.
10. In the IP Address field, enter the VPNA Administration IP address. This address
is assigned to the front-end Ethernet interface of the VPNA device. In the
systems, where the VPNA server is installed at the Remote Data Center, this
address is used for connection to the FTP server and for Web connection to the
VPNA.
11. In the MAC Address field, enter the VPNA MAC address as it appears on the
front panel of the VPNA card.
12. In the Description field, enter a few words describing the VPNA. This field is
optional.
Result: If the system contains a redundant VPNA and the Redundancy option
was enabled as described in step 6, the VPNA Redundancy window is
displayed (Figure 11).
If the system does not contain a redundant VPNA, the SNMP Information
window is displayed (Figure 12).
14. In systems containing a redundant VPNA, configure the IP and MAC addresses
of the main and VPNA Redundant devices and click Next.
Result: The VPNA icon is displayed in the upper-right corner of the Hub
View window.
17. Drag the new VPNA icon to its proper location in the Hub View window.
NOTE
VPNA can be also configured via the SkyManage utility. For more
information, refer to Section 6 Configuring VPNA via the Web Interface.
NOTE
If the VPNA redundancy is enabled, the MAC Address parameter on the
Element Definition tab is grayed out as shown in Figure 15. If there is
only one VPNA card in the system, its MAC Address value will be
displayed in the MAC Address field.
For information on how to configure the VPNA redundancy parameters,
refer to Section 3.6 Configuring VPNA Redundant Parameters.
NOTE
In the non-redundant VPNA setups, the default VPNA Virtual IP address
is 172.23.123.123.
NOTE
VPNA Backbone parameters are configured by Gilat Technical Support
according to the System spreadsheets.
7. Verify that the VPNA Fragment Size parameter is set to a value lower than the
DPS Fragment Size.
9. Configure the VPNA Data IP Address and Subnet Mask. These the IP address
and subnet mask of the VPNA user/Application Ethernet port. This port connects
to the VPNS.
10. Configure the VPNA Default Gateway IP Address. The VPNA Default gateway
IP address is the router’s interface connected to the VPNA application port.
14. Verify that the TCP Connection Keep Alive parameter is set to Enable.
15. Under Sizing, verify that the VPNA TCP Advertised MSS parameter is set to a
value lower than the DPS TCP Advertised MSS.
16. Enable or Disable NAT at the VPNA. The decision whether to use NAT is based
nature of the system applications and network architecture.
18. Configure the VPNA Advanced parameters, using the following guidelines:
Buffer Count – The number of memory buffers used internally by the VPNA.
VPN Server IP Address – The VPN Server IP Address that VPNA receives
from or sends to IP packets.
Raw IP Protocol Number – The IP protocol number that both the VPNA and
VSAT use to exchange packet between them.
Zero UDP Checksum – If entered, zeroes UDP checksum for locally destined
packets, and for packets sent by broadcast to the VSATs. UDP packets with a
checksum of zero are not checked for checksum.
Control Ethernet NIC – Defines which Ethernet NIC of FORCE card Ethernet
NICs is used for control.
Application Ethernet NIC – Defines which NIC of FORCE card Ethernet NICs
is used as the application port.
VPN Server Keep Alive – If enabled than the VPNA will ping VPNS every
predefined interval to determine its connectivity status. If disabled no keep alive
mechanism is activated. No matter the field value is, the VPNA will maintain its
regular functionality.
NOTE
This section is relevant when configuring a redundant VPNA. When
configuring the system with a non-redundant VPNA, skip this section and
proceed to Section 3.7 Committing VPNA Configuration and Creating
VPNA Config.xml File.
6. In the VPNA tree view of the VPNA Configuration window, click Redundancy.
NOTE
The Config.xml (otherwise known as Config or XML) file is the VPNA
configuration file that is created by configuring VPNA on the SkyEdge
NMS and issuing the Commit command (as described in this section).
The VPNA_x.w.y.z_Template.xml that is part of the VPNA pack file is not
the VPNA Configuration file.
2. Click OK.
5. Click OK.
NOTE
The Config.bck file is a backup file that is automatically created with the
Config.xml file.
To access the VPNA Config.xml file in the system with NAS, log on to the NMS
Server as Administrator with password $netWork$.
To access the VPNA Config.xml file in the system without NAS, log on to the
NMS Server as Administrator with password nms.
For the VPNA configuration changes to take effect, the VPNA must be rebooted. In
case, the VPNA is connected to the NMS via LAN for debugging/initial installation
process, refer to the procedure in this section for information on how to reboot the
VPNA from the NMS.
In general, the VPNA is rebooted from its local web page as described later in this
document, see Section 5.11 Rebooting VPNA.
To reboot VPNA:
3. Click Yes.
4. Wait for the VPNA server to become active, or in case of a redundant VPNA,
wait for both VPNA units to become active.
This section describes how to configure the static NAT feature at the VPNA.
Depending on the system configuration, you can use Static or Dynamic NAT. For
information on how to configure Dynamic NAT, see
Section 3.9.2 Configuring Dynamic NAT at the VPNA.
When using Static NAT, a static NAT entry must be configured for every PC behind
connected to a VSAT. This entry is then translated to one Public IP address.
6. To add a new entry, right-click the Static NAT Configuration table and select
Add Configuration.
Public IP Address – VSAT Public IP address. The public IP address of the hosts
must be configured in the same subnet as the VSAT main IP address. The VSAT
Main IP address is configured in the VSAT Data unique parameters in the VSAT
Ethernet port IP Profile section. The public IP address should be different from
the IP of the device.
This section describes how to configure the dynamic NAT feature at the VPNA.
Depending on the system configuration, you can use Static or Dynamic NAT. For
information on how to configure Static NAT, see
Section 3.9.1 Configuring Static NAT at the VPNA.
When using Dynamic NAT, private IP addresses of several PCs are translated to a
group of Public IP addresses.
5. Configure Dynamic NAT timers: TCP, UDP, and ICMP. These timers define a
timeout for the release of the Public-Private ports. This can be specified for when
the ports are defined as TCP, UDP, or ICMP (pings). If the TCP/UDP/ICMP port
remains inactive for the specified timeout, the assigned Public IP address is
released and can be reassigned to a different private IP address.
7. To add a new entry, right-click the Dynamic NAT Configuration table and select
Add Configuration.
In networks containing applications that do not support NAT, static routing entries
must be configured on the Destination PC connected to the VPNA. Using NAT in a
network ensures that the Destination PC sends packets addressed to the VSATs to the
VPNA.
When NAT is not used in a network, static routing entries must be defined at the
Destination PC, as to ensure that the returning packets will be sent to the VPNA and
not directly to the PC’s default gateway - VPNS. The VPNA will then forward the
packets to the VPNS.
As a result of this routing entry, all packets addressed to the VSAT IP address, will
be delivered first to the VPNA IP address. The –p key indicates that the routing
entry is permanent.
3.10 Copying the VPNA Operational and Configuration Files to an External Device
After defining and configuring VPNA files on the SkyEdge, copy the following files
to an external device (e.g., disk-on-key):
Config.xml – create after configuring the VPNA at the NMS and committing the
configuration changes.
These files will be used during VPNA installation and configuration at the Data
Center site.
NOTE
All procedures described in this section must be performed for each
VSAT that will be use the VPN feature.
2. Browse to the VSAT you want to configure and double-click the VSAT icon.
VSAT Enhanced IP
NOTE
Only one VPN tunnel is allowed per VSAT at any time. Up to five different
VPN Tunnel configurations can be defined for each VSAT. However, only
one configuration can work at a given moment.
If set to Yes, the NMS VPN Tunnel configuration overrides IPSec parameters
configured via the VSAT Web interface.
If set to No, the VSAT Web IPSec configuration will take precedence over the
NMS configuration.
4. Set the Crypto Type parameter to Internal. The Crypto Type parameter
indicates whether the VSAT (Internal) or an external router (External) will
perform the crypto (encryption) tasks. In a typical VPN network configuration,
this parameter should be set to Internal.
6. Right-click the VSAT VPN Tunnel Instances table and select Add VPN Tunnel
to add one VPN Tunnel instances or select Add Multiple VPN Tunnel instances.
Up to five tunnels can be defined for each VSAT.
Result a new VPN Tunnel instance containing default values is added to the
table.
(False). Valid values: True, False. In the Gilat standard configuration, the
Automatic Connect parameter should be set to True.
VPN Server – Defines the IP address of the customer’s VPN Server end-point.
The default VPN Server IP address is 172.24.4.254.
VPNA cpa number – Defines the (CPA) number of the VPNA Server.
IKE Encryption – Valid values: DES, 3DES, AES. See IPSec Encryption
(above). The value of this parameter must match the IPSecEncryption value. The
default value is 3DES.
PFS – Enables/Disables the Perfect Forward Secrecy feature. Values: Yes, No.
Default Route - Set this VPN tunnel to be the default routing entry for the
VSAT. Values: Yes, No.
Result: The VSAT VPNA Tunnel parameters are displayed as a table row.
10. Scroll to the right until the Local Secure Group parameter is displayed.
NOTE
The Local Secure Group parameters define IP addresses connected to
the VSATs via LAN that are allowed to access the VPN tunnel.
The Remote Secure Group parameters define IP address which will go
through the VPN tunnel. Messages to other IP addresses (not configured
in the Remote Secure Group) will be forwarded normally. This is the
secure network behind the VPNA.
12. Right-click the Local Secure Group parameters table and select
Add Local Secure Group.
Result: The VSAT VPNA Tunnel parameters are displayed as a table row.
15. Scroll to the right until the Remote Secure Group parameter is displayed.
17. Right-click the Local Secure Group parameters table and select
Add Remote Secure Group.
For the configuration changes to take effect, the modified VSATs must be reset.
2. Click OK.
5. To reset one VSAT at a time, right-click the VSAT icon and select
CommandsAccessReset.
6. To reset multiple VSATs at the same time, right-click the relevant VSATs and
select Reset.
7. Click Yes.
8. Verify that VSATs complete the power up sequence and enter the Backbone Up
state.
NOTE
This document describes the installation of VPNA version 2.0.1.0. This
document does not cover VPNA upgrade procedures.
For information about VPNA upgrade procedures, contact Gilat Technical
Support.
This section contains the following procedures that should be performed in this
order:
Installing VPNA
Rebooting VPNA
5.1 Preparing for the VPNA Installation at the Data Center Site
Before installing the VPNA at the Data Center site, verify that you have the
following:
A serial cable (DB-9 Female to Micro D-Sub Male) Gilat P/N CB-0383-10.
An Ethernet cable to connect the card to the PC (either a crossed cable or two
straight-through cables and an Ethernet hub).
To connect VPNA:
1. Install the VPNA card into the lower slot of the VPNA chassis.
2. Connect the VPNA RTM (Rear Transition module) Ethernet port to the VPNS
network. This is the permanent operation connection.
3. Connect the console port on the VPNA Front panel to the PC serial connection.
This connection is used for management purposes.
4. Connect the VPNA card’s front end Ethernet port to the PC’s LAN connection.
This connection is temporary and it is used for installation purposes.
NOTE
Do not power up the VPNA at this stage.
Gilat recommends working with the VPNA in the Automatic Flash Boot mode.
At this mode, each time the VPNA is powered on or reset, the BOOTER reads
operational software from the active operational flash bank, loads it to memory and
executes it. The VPNA application reads configuration file from active configuration
flash bank.
NOTE
For more information about other VPNA Boot modes, refer to Appendix A
- VPNA Boot Modes.
For VPNA to operate in the Automatic Flash Boot mode the operational and
configuration files must be programmed to the VPNA Flash memory in advance,
through http upload (WEB) or TFTP/FTP (CLI) and the active operational and
configuration memory banks must be defined.
CAUTION
This procedure assumes is that the VPNA Booter application has already
been programmed in the VPNA card’s flash memory. For more
information refer to Gilat Technical Support.
1. Copy the VPNA software files from the external device to the Laptop. The
following files must be copied:
VPNA_02.00.01.00_bin.bin
Config.xml
2. Verify that the NIC that is connected to the VPNA is the only available
connection.
3. Open the TFTP server application and verify that it is connecting through the
correct IP address.
5. Follow the progress of the VPNA power-up process via the VPNA Console on
the PC.
NOTE
Figure 47, below, shows an example of the VPNA console printout during
the VPNA power-on process.
The actual printout during the VPNA installation may differ from the one
shown below.
Autoboot enabled...00s
Copy USER_FLASH Memory1/2/3/4 to 0x00900000...
VxWorks
0 |##################################################| 100%
Done.
VPNA-BOOTER>
Figure 47: Switching to the VPNA Manual Boot Mode
NOTE
This section describes how to configure VPNA Control port IP address for
enabling Web access to the VPNA.
This procedure can be performed only via the VPNA console.
2. Configure the VPNA Control port IP address and Dummy Server IP address by
issuing a bootchange command (as shown in the listing below) and entering data
in the following fields:
inet on ethernet (e) – VPNA control port IP address. Available during Booter
and VPNA application execution. This is a temporary server IP address that will
be used for VPNA configuration. This address will be used for Web connection
to the VPNA. The value differs depending on whether the system contains one or
two VPNA cards (non-redundant vs redundant).
NOTE
In the non-redundant VPNA setups (where only one VPNA card is
installed), the inet
VPNA-BOOTER>bootchange
VPNA-BOOTER>
3. Reboot the VPNA card by issuing the reset command and pressing Enter.
VPNA-BOOTER> reset
cli_func: Resetting VPNA Booter...
4. Wait until the VPNA>BOOTER prompt reappears indicating that the reset
process is complete.
CAUTION
Loading an incorrect VPNA Operational file may cause the VPNA to be
inaccessible via the web interface. In this case, the VPNA should be
accessed through its console connection.
This section describes how to load the VPNA operational file into the VPNA
memory banks. VPNA has two memory banks (Bank A and Bank B) that store
VPNA software file. The VPNA operational file (VPNA_02.00.01.00_bin.bin)
should be programmed in both banks. Then, one memory bank is selected as active
bank from which the file will be loaded. By default, the active bank is Bank A.
NOTE
Use the procedure described below to load the VPNA Operational file to
both VPNA Flash banks.
1. On the Laptop connected to the VPNA, open the Internet Explorer and type the
VPNA Management IP address as the URL address:
http://<VPNA management IP address>. The default value is 172.23.123.123.
2. The SkyManage VPNA Status page provides information about the VPNA status.
At this stage of the installation, the VPNA should be in the Manual Boot mode, as
shown in Figure 50.
For more information about the VPNA Status page, refer to
Section 7.1.1 VPNA Status.
Password - $Sat3998$
5. Click OK.
7. Select the Flash memory bank (Bank A or Bank B) to which the Operational
file will be loaded.
8. In the Load Operational file box, enter the full path and name of the VPNA
Operational file or click Browse to locate the file on the PC.
9. Click Load .
11. Wait for the file loading process to complete. Depending on the file size, this
process may take up to a few minutes.
13. Load the VPNA Operational file to the second Flash memory bank as described
in steps 5 through 11.
5.7 Selecting the Active Memory Bank for the Operational File
This section explains how to select the active VPNA memory bank from which the
Operational file will be loaded.
1. In the SkyManage Configuration page, select Boot Params from the left menu.
2. Under Program Active Bank selection to flash, in the Select file type section,
select VPNA Operational file.
3. In the Select active bank section, select the master memory bank (e.g., Bank A)
from which the VPNA Operational file will be loaded.
CAUTION
Loading an incorrect VPNA Configuration file may cause the VPNA to be
inaccessible via the web interface. In this case, the VPNA should be
accessed through its console connection.
This section describes how to program the VPNA configuration file (Config.xml)
into the VPNA memory banks. VPNA has two memory banks (Bank A and Bank B)
that store VPNA software files. The VPNA configuration file should be programmed
in both banks. Then, one memory bank is selected as active bank from which the file
will be loaded. By default, the active bank is Bank A.
NOTE
Use the procedure described below to load the VPNA Configuration file to
both VPNA Flash banks.
The Config.xml file is the VPNA configuration file that was created using the
SkyEdge NMS as described in Section 3.5 Configuring VPNA Parameters.
2. Select the VPNA Flash memory bank (Bank A or Bank B) to which the
Configuration File will be loaded.
3. In the Load Configuration file box, enter the full path and name of the VPNA
Configuration file or click Browse to locate the file on the PC.
4. Click Load.
6. Wait for the file loading process to complete. Depending on the file size, this
process may take up to a few minutes.
7. Click OK.
8. Load the VPNA Configuration file to the second Flash memory bank as
described in steps 1 through 7.
5.9 Selecting the Active Memory Bank for the Configuration File
This section describes how to select the active VPNA memory bank from which the
Configuration file will be loaded.
1. In the SkyManage Configuration page, select Boot Params from the left menu.
Figure 61: Programming Active Bank for the VPNA Configuration File
2. Under Program Active Bank selection to flash, in the Select file type section,
select VPNA Configuration file.
3. In the Select active bank section, select the master memory bank (e.g., Bank A)
from which the VPNA Operational file will be loaded.
NOTE
For information on how to set the VPNA Automatic Flash Boot mode from
the CLI, refer to Appendix C – Selecting Automatic Flash Boot Mode from
the VPNA Console.
1. In the VPNA SkyManage page, select Boot Params from the left menu.
3. In the Select Boot mode section, select the Automatic Flash boot mode.
NOTE
If an error message is displayed, select the Automatic Boot mode
manually from the console as described in Appendix C – Selecting
Automatic Flash Boot Mode from the VPNA Console.
NOTE
For the configuration changes to take effect, the VPNA must be reset. For
information on how to reboot the VPNA through the VPNA CLI, refer to
steps 3-4, Section 5.5 Configuring VPNA IP Addresses.
4. Click OK.
5. Wait for the VPNA to complete its power-up sequence. Press F5 to refresh the
VPNA web interface.
6. When the power-up process is completed, the VPNA Status page is displayed as
shown below.
The VPNA Redundancy mechanism requires placing two VPNA machines (pizza-
boxes) at the customer’s Data Center, each operating one compact CPI card running
the VPNA operational software.
1. Install the VPNA card into the lower slot of the redundant VPNA chassis.
1. Connect the VPNA RTM (Rear Transition module) Ethernet port to the VPNS
network. This is the permanent operation connection.
Rebooting VPNA
NOTE
VPNA can be also configured via the SkyEdge NMS. For more
information, refer to Section 3 Configuring VPNA at the SkyEdge Hub.
VPNA Web configuration interface is similar to the SkyEdge VPNA NMS
configuration windows. For VPNA configuration guidelines, refer to
Section 3.5 Configuring VPNA Parameters.
1. On the Laptop connected to the VPNA, open the Internet Explorer and type the
VPNA Management IP address as the URL address:
http://<VPNA management IP address>. The default value is 172.23.123.123.
Figure 69: SkyManage Menu Bar with the Tools Option Selected
5. Click Backbone.
7. Click PortsApplicationIP.
9. Click PortsApplicationTCP.
12. Configure VPNA NAT settings as described in Section 3.9 Configuring VPNA
NAT Parameters.
13. If the system contains a redundant VPNA card, click Redundancy to configure
the VPNA Redundancy parameters. If there is only one VPNA card in the system,
skip this step and proceed to step 14.
17. If any changes were made, submit VPNA configuration and reboot the VPNA
card as described in Section 6.2 Submitting VPNA Configuration Changes.
For the VPNA configuration changes to take effect VPNA configuration must be
submitted and then the VPNA card must be rebooted.
NOTE
Gilat recommends loading VPNA configuration changes into both VPNA
memory banks.
5. Click OK
6. Load VPNA configuration changes to the second Flash memory bank (Flash-B)
as described in steps 1 through 5.
The Configuration Version Check option serves to verify that the VPNA
Operational Software version matches the Configuration file version. If there is a
mismatch, the VPNA reboots.
1. In the left pane of the VPNA SkyMange page, click Set Config Version Check.
3. Click Update.
4. Click OK.
6. Click OK.
4. Click OK.
7. VPNA Monitoring
Operation Time – indicates the period since the last VPNA reboot.
Operation Time – indicates the period since the last VPNA reboot.
To access the VPNA Info page, click Info on the Status menu.
NOTE
The VPNA CPU telemetry is also available from the VPNA Console. For
information about the VPNA Console commands, refer to Section 7.2
VPNA Console Commands.
The VPNA CPU telemetry displays the current VPNA CPU utilization in percents.
NOTE
If the VPNA CPU utilization approaches 80%, contact Gilat Technical
Support.
4. Right-click the Graph icon and select the length of the graph in minutes.
Result: The CPU Utilization graph of the selected length (in minutes) is
displayed.
Minimal – indicates the minimal CPU Utilization since the CPU Utilization
telemetry has been evoked.
Peak - indicates the highest CPU Utilization since the CPU Utilization telemetry
has been evoked.
Average - indicates the minimal CPU Utilization since the CPU Utilization
telemetry has been evoked.
NOTE
The VPNA Active BB Links telemetry is also available from the VPNA
Console. For information about the VPNA Console commands, refer to
Section 7.2 VPNA Console Commands.
The VPNA Active Backbone Links telemetry displays the number of currently
active VPN (VSAT-VPNA) links.
2. In the left pane of the SkyManage Telemetry page, click Active BB Links.
CPA – the unique ID number of the VSAT that is currently connected to the VPNA
via the VPN tunnel.
VSAT State
− SDCE – this is an internal VPNA state and indicates that a VSAT has sent a
packet to the VPNA while the VPNA was being reset.
VSAT Mode
Total Backbone Links UP – the number of VSATs that were in the Backbone
Up state were connected to the VPNA via the VPN link when the command was
issued.
The VPNA monitoring is done mostly using the VPNA Console commands.
CAUTION
Incorrect use of the VPNA Console commands will damage the system.
The VPNA Console commands should be used by experienced personnel
trained to work with SkyEdge equipment.
VERSION
BB LINKS
CPU Utilization
IP RTDMP
ROUTE PRINT
OB STAT
IB STAT
VIEW
7.2.1 VERSION
Command Name
Version
Purpose
To display the VPNA software version number and the date that it was created.
Syntax
version
Example
VPNA10>version
version
1970-JAN-17 03:32:16
VPNA software compiled on Apr 11 2006, 12:09:52, Running XML
version: 02.00.01.00
7.2.2 BB LINKS
Command Name
Backbone Links
Purpose
Syntax
bb9links
Example
VPNA10>bb links
bb links
1970-JAN-17 03:30:50
-----------------------------------------------------------------
Backbone Links On VPNA
-----------------------------------------------------------------
-----------------------------------------------------------------
Total Backbone Links UP = 0
Total Links configured = 32640
-----------------------------------------------------------------
Explanation
The VPNA Active Backbone Links command provides the following information
for each VSAT that is connected to the VPNA via a VPN link at the time the
command is issued:
CPA – the unique ID number of the VSAT that is currently connected to the VPNA
via the VPN tunnel.
VSAT State
− SDCE – this is an internal VPNA state and indicates that a VSAT has sent a
packet to the VPNA while the VPNA was being reset.
VSAT Mode
Total Backbone Links UP – the number of VSATs that were in the Backbone
Up state were connected to the VPNA via the VPN link when the command was
issued.
Command Name
CPU
Purpose
NOTE
If the VPNA CPU utilization approaches 80%, contact Gilat Technical
Support.
Example
VPNA10>cpu
cpu
1970-JAN-17 03:32:19
cpu utilization: 0% max cpu utilization was 100%
Explanation
The VPNA CPU telemetry displays the current VPNA CPU utilization in percents
and the maximum CPU utilization since the VPNA was last reset.
7.2.4 IP RTDMP
NOTE
The ip9rtdmp command provides the same information as the
route9print command.
For more information about the route9print command, refer to
Section 7.2.5, ROUTE PRINT.
Command Name
IP Route Dump
Purpose
To display the contents of the VPNA routing table as it appears at the time the
command is issued. The ip9rtdmp command provides a momentary snapshot of the
VPNA routing table.
Static routes
RIP dynamic routes. The ip9rtdmp command displays valid RIP dynamic
routes. The expired routing entries are not displayed by this command.
NOTE
To restart the ip9rtdmp counters, the VPNA must be reset.
Syntax
ip9rtdmp
Example
VPNA10>ip rtdmp
ip rtdmp
1970-JAN-17 03:31:37
VLAN 0
---------------+---------------+---------------+----+----+-----+----------+-----
IP | MASK | GW | IF | MT | ttl | ref | GID
---------------+---------------+---------------+----+----+-----+----------+-----
0. 0. 0. 0| 0. 0. 0. 0| 10. 2. 2.254| 2 | 1 | 9999| 31798| 0
10. 2. 0. 0|255.255. 0. 0| 10. 2. 2. 2| 2 | 0 | 9999| 71512| 0
10. 2.255.255|255.255.255.255| 10. 2. 2. 2| 0 | 0 | 9999| 0| 0
10. 2. 2. 2|255.255.255.255| 10. 2. 2. 2| 0 | 0 | 9999| 63522| 0
10. 2. 0. 0|255.255.255.255| 10. 2. 2. 2| 0 | 0 | 9999| 87| 0
---------------+---------------+---------------+----+----+-----+----------+-----
Total route entries: 5
--------------------------------------------------------------------------------
Explanation
NOTE
The first entry in the VPNA routing entry defines the VPNA Default
Gateway address. If the packet’s destination address does not match any
of the entries in the routing table, the VPNA will forward to its Default
Gateway. In a standard configuration, the VPNS server is the VPNA
Default Gateway.
IF – VPNA Interface:
− 2 – Ethernet
− 0 – Local (VPNA)
− 3 – Satellite interface
− According to this example, the VPNA routing table contains two entries on
the VPNA Ethernet interface and three entries on the VPNA local interface.
MT (Metric) – the number of hops between the packet source and destination.
TTL (Time to Live) –the period during which the routing entry is valid.
Reference – the number of packets received by the VPNA from the selected
interface since the VPNA was last reset.
Total Routing Entries – the number of routing entries in the VPNA routing
table.
Purpose
To display the contents of the VPNA routing table as it appears at the time the
command is issued. The route9print command provides a momentary snapshot
of the VPNA routing table. To display information about all VLANs configured in
the system, use the route9print9all command.
Example
VPNA10>route print
route print
1970-JAN-17 03:32:11
VLAN 0
---------------+---------------+---------------+----+----+-----+----------+-----
IP | MASK | GW | IF | MT | ttl | ref | GID
---------------+---------------+---------------+----+----+-----+----------+-----
0. 0. 0. 0| 0. 0. 0. 0| 10. 2. 2.254| 2 | 1 | 9999| 31798| 0
10. 2. 0. 0|255.255. 0. 0| 10. 2. 2. 2| 2 | 0 | 9999| 71512| 0
10. 2.255.255|255.255.255.255| 10. 2. 2. 2| 0 | 0 | 9999| 0| 0
10. 2. 2. 2|255.255.255.255| 10. 2. 2. 2| 0 | 0 | 9999| 63522| 0
10. 2. 0. 0|255.255.255.255| 10. 2. 2. 2| 0 | 0 | 9999| 87| 0
---------------+---------------+---------------+----+----+-----+----------+-----
Total route entries: 5
--------------------------------------------------------------------------------
Explanation
For explanation of the route print command refer to Section 7.2.4 IP RTDMP.
7.2.6 OB STAT
Command Name
Outbound Statistics
Purpose
Syntax
obstat
Example
VPNA10>obstat
obstat
1970-JAN-17 03:32:32
JAN 17 03:32
********** VPNA Outbound Statistics *************
----------------------------------------------------
Total packets handled to Outbound : 31778
Total packets sent to VPN Server : 31778
Total packets failed to be sent : 0
Total multicast\broadcast packets (discarded): 0
Total packets when BB link down (discarded): 0
----------------------------------------------------
Explanation
Total packets sent to VPN Server – indicates the number of packets sent to the
VPNS to be forwarded to the VSATs. This parameter should be equal to the
Total packets handled to Outbound parameter.
Total packets failed to be sent – the total number of packets that could not be
sent.
7.2.7 IB STAT
Command Name
Inbound Statistics
Purpose
To display the VPNA Inbound statistics. The ibstat command provides statistics
about the traffic from the VSATs to the Destination PC at the Remote Data Center.
Syntax
ibstat
Example
VPNA10>ibstat
ibstat
1970-JAN-18 05:45:23
JAN 18 05:45
********** VPNA Inbound Statistics *************
----------------------------------------------------
Total packets recv with VPN RAW IP protocol : 31744
Total packets recv with destination VPNA : 31744
Total packets handled successfully : 31744
Total packets handling failed : 0
Total packets failed on invalid VSAT CPA : 0
Total packets failed on invalid IP packet size : 0
Total packets failed on VPNS table full : 0
----------------------------------------------------
Explanation
Total packets received with VPN RAW IP protocol – indicates the number of
Raw IP packets received by the VPNA.
Total packets handled successfully – the total number of packets that were
successfully transmitted to the Destination PC by the VPNA.
Command Name
View
Purpose
To display the VPNA configuration. The view command lists the VPNA
configuration parameters and their values.
Syntax
view
Example
VPNA10>view
VPNA Boot parameters:
BANK A
vpna_boot_A_valid [0xda5ac011] [VALID]
crc_boot_A [0x593f2b] [VALID]
len_boot_A [0x2f3a60] [Bytes]
label_boot_A [Config_08-01-06]
BANK B
BANK A
vpna_config_A_valid [0xda5ac011] [VALID]
crc_config_A [0x79f98f84] [VALID]
len_config_A [35039] [Bytes]
label_config_A [config1]
BANK B
vpna_config_B_valid [0xda5ac011] [VALID]
crc_config_B [0x42a751ad] [VALID]
len_config_B [35039] [Bytes]
label_config_B [config1]
==============================================================
view
The ip nat hlist command displays VPNA dynamic NAT table as it appears at
the time of issuing the command.
The redun stat command displays the status of the current and remote VPNA
units.
NOTE
This redun main and redun listen and commands are used for
debugging and are for internal use only.
To configure the Cisco VPN Server, run a configuration file similar to the one shown
in Section 8.1 VPN Server Configuration. Refer to Section 8.1.1 Router
Configuration without Comments for an example of router configuration without
comments.
By default, the VPN Server looks for these files locally. In these listings, comments
are preceded by Remark, are in italics and are grayed out.
This section contains a sample configuration for the VPN Server (VPNS). Typically
VPN Server is a Cisco router.
This configuration of the VPNS is taken from the sample SkyEdge setup described in
Section 2.4 SkyEdge VPN Sample Setup and IP Addresses.
VPNS configuration:
Remark: This defines the shared secret key for each peer (VSAT).
There must be a separate
line for every peer.
!
crypto isakmp key 12345678 address 10.10.2.1
!
Remark: The following 4 lines enable the 4 ipsec options for DES,
3DES, MD5, and SHA1 The ipsec configuration must be configured
per VSAT. It will not be automatic. This is why we bind every
crypto map to a specific ipsec transform set.
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
!
call rsvp-sync
!
Router#
NOTE
Verify that the VPNS configuration does not contain the
default gateway IP line.
This section contains an example of the VPNS configuration for Cisco router without
comments. This example can be copied to the router as is.
CAUTION
Review the configuration below prior to copying it to the VPNS router.
config t
!
ip subnet-zero
!
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key 12345678 address 10.10.2.1
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
set peer 10.10.2.1
set transform-set test
match address 120
!
call rsvp-sync
!
interface Ethernet0/0
ip address 172.24.4.254 255.255.0.0
half-duplex
crypto map nolan
!
interface Ethernet0/1
ip address 10.2.2.254 255.255.255.0
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.24.4.1
ip http server
!
access-list 120 permit ip host 10.2.2.2 host 10.10.2.1
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
password gilat
login
!
end
!
wr mem
!
After completing the installation and configuration of the VPNA and VPNS at the
Customer’s site and VSATs at the Central Hub site, the engineer should perform the
following basic troubleshooting procedures:
1. Verify that the VPN LED on the VSAT Front panel is green. The VPN LED
turns on when the VPN network is fully configured and after the VSAT is reset.
During normal operation, the VPN LED should be on indicating that the VPN
tunnel is operational.
2. Issue a ping command from the VSAT to the VPNA and VPNS application
interface.
3. Issue a ping command from the VSAT to the Data Server at the Customer’s Site.
4. Perform FTP download/upload from the VSAT to the Data Server at the
Customer’s Site.
− This issue is relevant only when VPNA is operating in the VPNA Flash boot
mode. When VPNA is operating in the VPNA Automatic Flash boot mode,
the recommended mode, this issue is not relevant.
− When VPNA is operating in the Flash boot mode and is connected to the
SkyEdge NMS, the NMS Commit command will not export the VPNA
Config.xml file to the VPNA. In this case, the user should load the VPNA
Configuration file manually to the VPNA device as described in Sections
5.8 and 5.9.
− When upgrading VPNA from version 2.x.y.x to a higher version, verify that
the Booter version is also 2.x.x.x.
− For a detailed procedure on the VPNA upgrade from version 2.x.y.z and
higher, refer to the Upgrading VPNA from Version 0.2.x.y.z to a Higher
Version guide (DC-414710).
VPNA_x.w.y.z_Template.xml
− In the redundant VPNA setups, the inet on ethernet parameter (part of the
bootchange command) should be set to the VPNA Private IP address as it
appears in the Redundancy parameters section of the VPNA Configuration
file. The default Private IP address for the first VPNA card is 172.17.4.2
and 172.17.4.3 for the second VPNA card.
This section explains how to use the VPNS debugger for SkyEdge VPN tunnels
Result: The VPNS debugger tool is switched on. All VPNS activities will be
tracked on the screen until the debugger is switched off.
Result: The All possible debugging has been turned off message is displayed.
Only one Boot mode can be operational at any time. The default Boot mode after
installation is Manual. The other modes determine where the VPNA stores its files
and the actions required to ensure access to these files. After completing the
installation the VPNA boot mode should be set to Automatic Flesh.
Manual: When the Booter stops, the user can modify configuration parameters.
Automatic Flash: The Booter reads operational software from the active
operational flash bank, loads it in memory, and executes it. The VPNA
application reads the configuration file from the active configuration flash bank.
The user must specify the active operational and configuration flash banks and
must upload the operational and configuration files to flash via http (Web) or
TFTP/FTP (CLI). This is the default VPNA boot mode.
Bootp: The Booter receives the VPNA control IP address via a BOOTP request
and continues as described in Automatic External mode. The Server IP address
and the file paths are in the BOOTP reply and are loaded automatically. This
mode is usually not available at the customer site.
11. Appendix B - Switching to the VPNA Manual Boot Mode via the Web
3. Push the VPNA Power button. If the VPNA is already powered on, reboot the
VPNA as described in Section 5.11 Rebooting VPNA.
Result: The VPNA starts its power-up sequence and the SkyManage VPNA
Configuration page is updated.
4. The SkyManage VPNA Status page provides information about the VPNA status.
After the VPNA is switched on, it enters the Flash Boot mode as shown in
Figure 92.
The Operation time parameter indicates how long the VPNA has been in the
current operation mode. The Countdown (sec) till boot loads operational
software indicates how long it will take until the boot mode loads completely. For
more information about the VPNA Status page, refer to Section 7.1.1 VPNA
Status.
Result: The Auto boot process has been stopped message is displayed.
6. The VPNA switches to the Manual Boot mode as can be seen in the VPNA Status
page.
12. Appendix C – Selecting Automatic Flash Boot Mode from the VPNA Console
This section describes how to select VPNA boot mode manually via the VPNA
console. This procedure should be used only if an error was received during the
programming boot mode procedure as described in
Section 5.10 Selecting Automatic Flash Boot Mode from the Web.
Result: The VPNA card is reset. The VPNA<CPA> prompt is displayed after
the VPNA power-up sequence is completed.