lotus mobile connect: lotus mobile connect …€¦ · mobility client log in and password ... and...

Lotus® Mobile ConnectVersion 6.1.4

Troubleshooting Guide

��

Note

Before using this information and the product it supports, read the information in Notices.

This edition applies to version 6, release 1, modification 3 of IBM Lotus Mobile Connect (product number 5724-R20)and to all subsequent releases and modifications until otherwise indicated in new editions.

When you send information to IBM, you grant IBM a nonexclusive right to use or distribute the information in anyway it believes appropriate without incurring any obligation to you.

© Copyright International Business Machines Corporation and others 1994, 2010. All rights reserved.

Note to U.S. Government Users — Documentation related to restricted rights — Use, duplication or disclosure issubject to restrictions set forth in GSA ADP Schedule Contract with IBM Corp.

Contents

Chapter 1. Troubleshooting guide. . . . 1Before you call IBM Support . . . . . . . . . 1Locating the problem . . . . . . . . . . . 3Installing and using the IBM Support Assistant . . . 3Determining the version of code installed. . . . . 6

Obtaining service updates . . . . . . . . . 6Determining the service level of the ConnectionManager . . . . . . . . . . . . . . . 6Determining the service level of Mobility Clients . 7Determining the service level of Gatekeeper . . . 7

Troubleshooting checklists . . . . . . . . . . 7Mobility Client log in and password problems . . 7Mobility Client problems . . . . . . . . . 14Connection Manager problems . . . . . . . 18Persistent data storage problems . . . . . . 23Application problems . . . . . . . . . . 26Gatekeeper problems . . . . . . . . . . 26

Determining the status of resources . . . . . . 28Verifying Connection Manager processes . . . . 29Verifying the portmap daemon is enabled forautomatic start-up on AIX systems . . . . . . 29Port number information . . . . . . . . . . 30

Supported locales . . . . . . . . . . . . 32Using access manager logs . . . . . . . . . 34Using Connection Manager logs . . . . . . . 34

Message log . . . . . . . . . . . . . 36Account log . . . . . . . . . . . . . 37Trace log . . . . . . . . . . . . . . 44

Testing for UDP packet loss . . . . . . . . . 44Troubleshooting tips . . . . . . . . . . . 45Finding broadcast errors when using mobile accessservices. . . . . . . . . . . . . . . . 46Determining the status of an X.25 link on AIX . . . 47

Monitoring X.25 data flow . . . . . . . . 47Sending network management traps . . . . . . 48

Trap variables . . . . . . . . . . . . 48Trap severity . . . . . . . . . . . . . 48Trap descriptions . . . . . . . . . . . 49

Chapter 2. Notices . . . . . . . . . . 53Trademarks . . . . . . . . . . . . . . 55

Index . . . . . . . . . . . . . . . 57

iii

iv Lotus Mobile Connect: Lotus Mobile Connect Troubleshooting Guide

Chapter 1. Troubleshooting guide

This guide can assist you with problems that you might experience, includingproblems with installation.

This guide is designed to serve as a self-help tool to help you resolve yourproblem without having to call IBM® support. If you do have to call IBM support,this guide provides the information you will need to help your IBM servicerepresentative better diagnose and resolve your problem.

Use this information to help determine and resolve problems with IBM Lotus®

Mobile Connect. It explains how to:v Determine the status of various resources, devices, and linksv Determine the level of the code installedv Verify Connection Manager processesv Troubleshoot login and password problems or other problems with specific

symptomsv Determine what to do before calling IBM supportv View messages in the message log filev Monitor packet flowv Use troubleshooting tipsv Get port number and supported locale informationv Get a description of trap severity codes

Use these links to consult other available troubleshooting resources:v Service update informationv Information centerv Technotesv Other product information (reference manuals, white papers)

In this guide, you will see the following icons:

Points out important notes to the reader.

Highlights tips for the reader.

Before you call IBM SupportService personnel responding to a request for help might ask these questions.v Which level of code is installed for the Connection Manager, Gatekeeper, and

Mobility Client? See Determining the version of code installed to determine theversion numbers and how to access the available software downloads.

v Have you checked to see if your network carrier has been out of service?v Have you registered the problematic mobile unit (MAN or LLI)?v Is this a new mobile device or has it worked before?

1

http://publib.boulder.ibm.com/infocenter/lmc/v6r1/index.jsp

http://www-01.ibm.com/support/search.wss?rs=3183&tc=SSVLBW+SSZQDW&atrn=IBMTask&atrv=SP&dc=DB520+D800+D900+DA900+DA800+DB560&dtm

http://www.ibm.com/support/search.wss?rs=804&tc=SSZQDW&dc=DA400&rankprofile=8

v Did the start of the problem coincide with any changes you made to hardwareor software?

If you have determined that you need IBM assistance to solve a problem, thencomplete this IBM support checklist. The information in this checklist is used bythe IBM Support Center to help diagnose your problem. Print a copy of this list,and then fill in the blanks, before contacting IBM for support.

Description of the problem and the environment

1. Problem summary:____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

2. Specify the Connection Manager version number and build date:_______________________________________________________________________________

See Determining the version of code installed to determine the versionnumber and how to access the available software downloads.

3. On what operating system is the Connection Manager running? What level ofthe operating system is installed? Are any maintenance levels or fix packsapplied to the operating system?_______________________________________________________________________________

4. Which relational database product is installed and what version is it? Are anyfix packs installed?_______________________________________________________________________________

5. Is the database server located on the same physical machine as the ConnectionManager?_______________________________________________________________________________

6. Which DSS (directory service server or LDAP (If LDAP is used)) product doesthe Connection Manager connect to and what version is it?_______________________________________________________________________________

7. Is the DSS server located on the same physical machine as the ConnectionManager?_______________________________________________________________________________

8. If the Gatekeeper is involved with this problem, what version of theGatekeeper is installed, and on what operating system is it running?_______________________________________________________________________________

9. Which device or devices are being used to connect to the ConnectionManager?_______________________________________________________________________________

10. Which version(s) of the Mobility Client are being used to connect to theConnection Manager?_______________________________________________________________________________

11. Which operating systems are being used for the Mobility Clients?______________________________________________________________________________________________________________________________________________________________

12. If a modem or network card is in use, list the manufacturer, model, andnetwork over which it operates._______________________________________________________________________________

13. List any and all error messages (if any are received) from the Mobility Client.

2 Lotus Mobile Connect: Lotus Mobile Connect Troubleshooting Guide

______________________________________________________________________________________________________________________________________________________________

14. Steps to recreate the problem:_________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

15. Describe the network environment:_________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Locating the problemThe current state of the Connection Manager is determined by the followingcomponents:v Real status of the network interfacesv X.25 link statusv X.25 monitoringv Connection Manager processesv File system statusv Log messagesv Persistent storage

Installing and using the IBM Support AssistantThis section describes how to install, configure, and use the IBM Support Assistant(ISA) for Lotus Mobile Connect.

Installing the Lotus Mobile Connect plug-in for ISA allows you to navigate the ISAutility, using these tabs:v Search lets you search various sites for Lotus Mobile Connect issues.v Education provides web links to education materials.v Support provides web links to support materials.v Services lets you create problem management records (PMRs) and automatically

collect and ship problem documentation.

Considerations before you beginv In the current implementation of ISA, you can only display PMRs that were

created using the electronic service reporting (ESR) system or using ISA.v For electronic submission of PMRs, you must have an IBM Passport Advantage®

account. Use this account ID and password to log on and enable access to theESR system. To list yourself as an IBM Authorized caller in ESR, see the ESRhelp information. on the Software support site.

v If you want to use ISA's Services capability to automatically create a PMR andsend associated collected documentation, ISA and the Lotus Mobile Connect

Chapter 1. Troubleshooting guide 3

http://www.ibm.com/software/support/help.html

http://www.ibm.com/software/support/help.html

plug-in must be present and running on the Connection Manager system.Additionally, this system must have access to the Internet to allow FTP deliveryof the associated logs.

To submit and track problems, see the Software support site.

Installation of ISA and the Lotus Mobile Connect plug-in

To install ISA:1. Sign in using your ID and password of your IBM account and obtain the ISA

utility software package from the IBM Support Assistant site.2. Follow the instructions in the Installation and Troubleshooting Guide, included

in the ISA package.

To install the Connection Manager plug-in:1. Obtain the Lotus Mobile Connect ISA plug-in tar file from the Lotus Mobile

Connect support site.2. Untar the ISA plug-in and place the resulting directory

(com.ibm.esupport.client.SSVLBW.v6) in the following location: <ISA Installroot>/plugins/

3. Start and access ISA using the instructions in the Installation andTroubleshooting Guide included in the ISA package.

Using IBM Support Assistant

You can use the ISA Search, Education, Support, and Services functions using IBMSupport Assistant.

Using ISA Search

After you click the Search tab, you can choose to search one or more sources ofinformation, including:v IBM software support documentsv IBM developerWorks®

v IBM newsgroups and forumsv Google web search

After you select one or more of the four choices, more detail might be displayedproviding additional selections.

Note: Although the search results in the left panel might reflect a large number ofhits, ISA limits displaying only the top 32 results.

Using ISA Education

You can explore IBM's web education web sites.

Using ISA Support

You can link to the Lotus Mobile Connect Support site, product home page, newsgroups, and forums.


http://www-947.ibm.com/support/entry/portal/Open_service_request/Software/Lotus/Lotus_Mobile_Connect

https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=isa

http://www.ibm.com/support/entry/portal/Overview/Software/Lotus/Lotus_Mobile_Connect


Using ISA Service

This tab provides the capability to invoke an automated collection of systeminformation and subcomponent logs to provide to IBM Support staff for aid inproblem determination. An example scenario includes:1. Click the Service tab.2. In the Service panel, select System Information and/or IBM Lotus Mobile

Connect, then click Collect.

Note: The value you enter for the installation directory is not currently used bythe plug-in. Therefore, you can choose to enter any existing directory, forexample /tmp. After the collection completes, a summary is displayed.

3. In the left panel, click Log In (optionally Proceed to Manage Problem Reports),then enter your IBM ID, your password, your IBM customer number, and selectthe appropriate Country/Region of your support contract. Optionally, selectRemember my IBM ID, IBM Customer Number, and Country/Region.

4. Click Login.5. In the left panel, click Submit Problem Report. The following input fields are

on the Services tab when creating a PMR:v Select a productv Select a componentv Select a severity levelv Short descriptionv Recent changes to systemv Corrective actions already takenv Platform/Operating systemv Other relevant informationv Collector filev Attachment

Note: You do not have to take action to attach the file that was generated instep 2. "Attachment" here means any additional file you need to sendto IBM support.

6. Click Submit.7. PMRs opened using ISA can later be managed using the List Problem Reports

link.

Additional Notes®

1. If your Connection Manager system cannot access the Internet, you can still useISA to collect problem documentation. In this case, manually copy the collectoroutput file (for example, <ISA Install root>/workspace/.metadata/collector_050714_1514_57887.jar) to a system that has FTP access to the Internetand FTP the file as instructed by IBM support.

2. You can access ISA from a system other than the Connection Manager system,providing startisa.sh has been run on the Connection Manager system. This isuseful in cases where the Connection Manager system has no display screen.

3. If a technical limitation prevents you from running ISA on your ConnectionManager system, you can still download the ISA plug-in and run the supportscript from a command line. The script should be run from a directory on a filesystem with sufficient space to contain its output, preferably a file system thatdoes not impact Connection Manager performance (for example, /tmp/). The


script creates a directory named lmcsupport.out in the current workingdirectory. You can tar the contents of that directory to submit to IBM support.You will not have the other benefits of ISA, such as submitting PMRs, federatedsearches, etc. if you choose this option.

4. Documentation is gathered only for the Connection Manager. If any logs ortraces are gathered from the Mobility Client or Gatekeeper systems, these mustbe submitted to support separately.

5. ISA v3 is not yet supported. It is recommended that you extract the plug-in,run wecmsupport.sh manually and submit wecmsupport.out to IBMsupport.

Determining the version of code installedEach component of code that you installed has a service level version number.

You need to be able to identify the version number of the code that you installedon each component.

Obtaining service updatesYou can access the list of latest service updates or review all the information on theConnection Manager Support site.

The Support site URL is: http://www.ibm.com/support/docview.wss?&uid=swg27009682

You will link to a list of the most current versions. After you have chosen thedownload you want, you are prompted to register or verify your registration fordownloading IBM Lotus Mobile Connect files.

Note that for some downloads, you will also be asked to supply a downloadkey to access the files. This key is available for IBM licensed customers of theproduct. If you do not know the download key, you may obtain it by opening aProblem Management Record (PMR) to the IBM Support Center at (800) IBM-SERV.Outside the United States, visit http://www.ibm.com/planetwide. To open anelectronic PMR, visit http://www.ibm.com/software/support/probsub.html. Afteryou have passed the verification, you will be able to download the appropriatefiles.

There is a readme file or other installation instructions associated with eachdownload describing how to install and use it.

Determining the service level of the Connection Manager

To determine the service level of the Connection Manager on your system, issuethe following command: lswg -V |more

The output of this command will give you the software version and release as wellas the date which it was built.

Alternatively, use the Gatekeeper to display the version. Click the About tab fromthe Connection Manager properties notebook.


http://www-01.ibm.com/support/docview.wss?&uid=swg27009682

http://www-01.ibm.com/support/docview.wss?&uid=swg27009682

http://www.ibm.com/planetwide

http://www.ibm.com/software/support/probsub.html

Determining the service level of Mobility ClientsOn Linux®

In the Connections window, click Help -> About.

On Mac OS XWith the Mobility Client Connections window in the foreground click onthe Mobility Client menu bar item followed by About Mobility Client.

On Microsoft® desktop Windows®

Right-click the Mobility Client icon in the system tray, then clickAbout. Or click Help -> About from the Connections window in the IBMMobility Client folder.

On Microsoft Windows CETap the Windows logo, then tap Programs -> IBM Mobility Client. TapConnections, then tap Help -> About at the bottom of the screen.

On Nokia Communicator devicesTap the Menu button, then tap Tools -> About.

Determining the service level of Gatekeeper

Start the Gatekeeper, then click Help -> About, then click Version Number of theGatekeeper.

For more diagnostic information, open the file StdErr.txt which is located in the.wgcfg directory relative to the user's home directory.

Troubleshooting checklistsUse the following checklists to help you eliminate possible problem areas and findsolutions.

Some of the items in the checklists are questions that you should ask yourselfwhile others are items that lead you to another item or related information.

Mobility Client log in and password problemsFrequently asked questions about problems with passwords and logging in areincluded in this topic.

Browse these questions, then link to the answers below.1. I have lost my password. What do I do?2. I have forgotten my password. How can I get it reset?3. I have typed in my password correctly, so why am I not able to log in? The

system tells me it is the wrong password.4. I am seeing another password prompt besides the one I usually see. What do I

do?5. How do I change my password?6. I get a message that the Mobility Client timed out while logging into the

Connection Manager. What do I do?7. I tried several times to enter my password and I got a message that my account

has been locked. What do I do?


8. I see the Connect window on my screen but the progress indicators never turngreen and do not advance to 2 or 3 bars during the login. What's wrong?

9. Why can I not establish a connection when specifying a user ID with nationallanguage characters?

Answers to Mobility Client login and passwords problems include:1. I have lost my password. What do I do?

Connection Manager administrators use the Gatekeeper to access the Useraccount and perform a password reset for you. They will not be able to tell youwhat your password is because it will be hidden.

It would be wise to set up Gatekeeper login accounts for ConnectionManager administrators and to set up these accounts with access control liststhat limit what resources they are able to read and modify.

2. I have forgotten my password. How can I get it reset?Ask a Connection Manager administrator to perform a password reset.To perform a password reset using Gatekeeper:a. Click Find..., then type the User ID in the User ID field and click Find now.b. Right-click the user ID in the Find Resource Results window, then click

Properties.c. Click the Password tab, then type the password twice: once in the Enter the

new password field and again in the Confirm the new password field.d. Click OK or Apply.

When the password is typed in, it appears as asterisks (*).3. I have typed in my password correctly, so why am I not able to log in? The

system tells me it is the wrong password.The immediate response to help the user get logged in would be to perform apassword reset. However, this problem might indicate a problem with theConnection Manager, and it should be reported to the Connection Manageradministrator for further diagnosis and possible contact with the IBM SupportCenter.

4. I am seeing another password prompt besides the one I usually see. What do Ido?a. On the Attributes tab of the Mobility Client properties is a box labelled

Prompt for user ID and password. Verify whether this box is selected orcleared.

b. Your system can be configured to ask for secondary login authentication.Depending on how the Mobility Client is configured you might see asecondary login window.

c. There is a parameter in the configuration file called OneButtonConnect. Ifthe Prompt for user ID and password box is checked and the user ID andpassword have been successfully entered and saved once, this wouldprevent you from seeing the login panel.

5. How do I change my password?You must be logged in to the Connection Manager to be offered theopportunity to change your password.

Mac desktop machinesClick the Mobility Client antenna icon located on the menu bar, thenclick Change Password....


Nokia Communicator devicesPress the Menu key. Select Account → Password change.

Nokia E series devicesPress the button next to Option on the Mobility Client window. SelectAccount → Password change.

Linux desktop machinesRight-click the Mobility Client icon in the Connections window, thenclick Change Password....

Windows CE devicesTap the Mobility Client icon, then tap Change Password....

Windows desktop machinesRight-click the icon in the system tray, then click Change Password....

You are prompted to type in your present password followed by the newpassword twice. If the Connection Manager administrator has configuredConnection Manager to use a password profile, there might be special rules foryour password before it is accepted.

6. I get a message that the Mobility Client timed out while logging into theConnection Manager. What do I do?There are typically four situations:a. The Mobility Client has a login timer which, if you do not successfully log

in to the Connection Manager before the time has elapsed, will stop theconnection attempt and issue the message.

b. Login packets are not reaching or being processed by the ConnectionManager. There could be a number of reasons for this:v User device is in a low signal strength area.v Problem is in the bearer network, preventing the login packets from

reaching the Connection Manager.v Packets reach the Connection Manager, but are not processed. Perform

Connection Manager troubleshooting procedures if this reason issuspected.

v The Connection Manager is not returning the login responses to theMobility Client in a timely manner, and after the client's timer expires,the connection attempt is stopped.

c. On some devices and laptop computers, if the Ethernet cable is unplugged,it might be incorrectly reported to the Mobility Client that the adapter isavailable, with an IP address in the range of 169.254.0.0 - 169.254.255.255.The Mobility Client attempts to open, activate, and use this adapter forcommunication with the Connection Manager, and the login attempt willtime out. If this occurs, remove the adapter from the system and attempt tolog in again. For example, Intermec 700 series devices, when plugged intothe Intermec docking station with the Ethernet cable unplugged, canexperience this behavior.

d. If you are using secondary authentication with LDAP-bind to MicrosoftActive Directory, you can experience this condition if the system passwordon the Active Directory server is changed. You will receive this messageeven if the password on the Active Directory server is changed back to itsoriginal value, unless the Connection Manager is restarted.

7. I tried several times to enter my password and I got a message that my accounthas been locked. What do I do?


Contact the Connection Manager administrator who will have to examine youruser account in the Gatekeeper to clear the Locked setting on the Account tabof your user account. After this setting is cleared, you will be able to log inagain.

8. I see the Connect window on my screen but the progress indicators never turngreen and do not advance to 2 or 3 bars during the login. What's wrong?v If the progress indicator does not show 1 green progress bar, it means that

the Mobility Client was unable to initialize or communicate with themodem/network card. On Windows systems, the Mobility Client uses theMicrosoft TAPI (telephony application programming interface) tocommunicate with modems.

v If the progress indicator shows only 1 green bar, then the Mobility Client issuccessfully communicating with the modem/network card, but has not beenable to establish a connection with the physical network.

v If the progress indicator shows 2 green bars but not the third bar, then this isan indication that a physical network connection has been made, but theConnection Manager and the Mobility Client have been unable to negotiate alogin connection.On Windows desktop systems, right-click the Mobility Client icon in thesystem tray and click Status, then click the Statistics tab. The status windowshows the number of packets sent and received as well as the number ofbytes sent and received and the time of the current client connection. If thepackets sent count is not incrementing when you attempt to use anapplication, then the traffic is not leaving the Mobility Client.Another good test would be to determine if a ping command is successful tothe external IP address of the Connection Manager machine. If the pingcommand is not successful, then the Connection Manager cannot return anypackets to the Mobility Client.

9. Why can I not establish a connection when specifying a user ID with nationallanguage characters?On AIX®, Linux, and Solaris systems, make sure that UTF-8 support is installedon the Connection Manager for your operating system.

Using logs to troubleshoot login problemsUse Mobility Client trace and Connection Manager logs to troubleshoot MobilityClient login problems.

To troubleshoot login problems on Windows:1. On the Mobility Client system: Start -> Programs -> IBM Mobility Client ->

Connections -> Tools -> Configure Trace -> Level -> High -> OK. The tracefile is in C:\Documents and Settings\All Users\Documents\arttrace.txt. If youare using an older version of Mobility Client, it will be in the installationdirectory.

Note: The location of arttrace.txt has changed to C:\Users\Public\Documentsin Windows Vista.

2. In the Gatekeeper connected to the Connection Manager, either configure fulllogging for all users or restrict logging to a specific user. By default, this log fileis wg.log. This file is located in /var/adm/ on AIX, Linux, or Solaris. OnWindows, this file is located in the installation directory under logs\.

3. Attempt to log in from the Mobility Client.4. Review the Mobility Client trace and Connection Manager log.


In general, you will see four packets exchanged between the Mobility Client andConnection Manager to establish the secured and encrypted tunnel. Additionalpackets might be required if either the Mobility Client or Connection Managerdisagrees (negative acknowledgement or NACK) on a setting proposed by theother. These packets are:v Link control protocol (LCP) configuration request (Mobility Client to Connection

Manager)v LCP configuration acknowledge (ACK) (Connection Manager to Mobility Client)v LCP configuration request (Connection Manager to Mobility Client)v LCP configuration ACK (Mobility Client to Connection Manager)

The trace/log excerpts below provide additional details. These excerpts are takenfrom a Mobility Client connecting to a Connection Manager using systemauthentication. Additional authentication packets will follow if secondaryauthentication (LDAP-bind, RADIUS, or Certificate) is being used. In the case ofsecondary authentication, the tunnel is established but cannot be used to routetraffic until authentication completes.

In the arttrace.txt file, find the Mobility Client version. Connecting uplevel clientsto a backlevel Connection Manager is not supported. The Connection Managerversion can be found by running lswg -V.

This excerpt is from the trace file:Release build compiled on Sep 27 2005 - 20:30:41. (EB0.994)CORE Microsoft Windows XP Professional version 5.1 Service Pack 1(Build 2600). (EB0.994)

Find the Connection Manager IP address and connection port that the MobilityClient is trying to use. This address should be routable from the Mobility Clientand the port should be open on any firewalls between the Mobility Client andConnection Manager.UdpPort.cpp,41: CUdpPort::CUdpPort txPort=<PORT> txtAdrr=<IP_ADDRESS> rxPort=0(EB0.994)

Determine which IP address and port the client is bound to and listening on. Thisaddress should be routable from the Connection Manager and the port should beopen on any firewalls between the client and the Connection Manager.UdpPort.cpp,195: CUdpPort::connect setting bind address to <IP_ADDRESS> (EB0.8FC)UdpPort.cpp,206: CUdpPort::connect setting bind port to <PORT> (EB0.8FC)

Determine which physical interface the client is bound to, and use operatingsystem or device-specific tools to ensure there are no problems with this interface.ipdriver.cpp,1195: Message from core: eMsg_SetActiveInterface, <Name of interface>

The Mobility Client sets a host route to the Connection Manager. The routing tablecan be verified by running netstat -ar on Linux and Windows 32-bit operatingsystems.route.cpp,1222: Active routing table (EB0.8FC)

Destination Netmask Gateway Interface Metric(EB0.8FC)

Confirm that the appropriate host route to the Connection Manager exists in therouting table. Initialization of the logon sequence follows:ARTAPI API Message to core: eMsg_Logon (F18.810)


The outbound LCP configuration request (Mobility Client to Connection Manager)follows:

Note: If you see multiple outbound requests, but no inbound ACK/NACK, thereis probably a routing problem between the Mobility Client and ConnectionManager.

ALP LCP-Configure Request id=0x01, Outbound<mru 1472> <magic 0x8f662700> <pcomp> <acomp><encrypt AES(256)/CBC> <compress PKDCL> <VJ-red> <ip-addr 10.3.3.2><subnet mask 255.255.255.0> <version 732 IBM Corporation/MS Windows

32-bit (02dc0206)Microsoft Windows XP Professional version 5.1 Service Pack 1 (Build 2600)><Key requestnonce=bab27637bde9eda4edf94a2b080db0d1a8c87ae5c83521e383ba32cbf04bc440peer=415254434c49454e54><routes : none> <WLP_TCP> <userid <user ID>><dns addresses : > <WLP Session ID 0x7687><Network InformationSpeed=100000000 NetworkName=Intel (R) PRO/1000 MT Mobile Connection - NetFirewall Miniport Interface> <Build DataBuildData=5.1.1.1 20050927_2011> (EB0.994)

Hex dumps of LCP packets always begin with "C0 21".WRAPR HEX dump of 1472 bytes starting at address 009F7578: (EB0.994)

0000: C0 21 ...

Inbound LCP configuration ACK (Connection Manager to Mobility Client):ALP LCP-Configure Ack id=0x01, Inbound

<mru 1472> <magic 0x8f662700> <pcomp> <acomp><encrypt AES(256)/CBC> <compress PKDCL> <VJ-red> <ip-addr 10.3.3.2><subnet mask 255.255.255.0> <version 732 IBM Corporation/MS Windows

32-bit (02dc0206)Microsoft Windows XP Professional version 5.1 Service Pack 1(Build 2600)><routes : none> <WLP_TCP> <userid test><dns addresses : > <WLP Session ID 0x7687><Network InformationSpeed=100000000 NetworkName=Intel (R) PRO/1000 MT Mobile Connection - NetFirewall Miniport Interface> <Build DataBuildData=5.1.1.1 20050927_2011> (EB0.70C)

Inbound LCP configuration request (Connection Manager to Mobility Client).

Note the authentication type here - two party key distribution protocol (that is,system authentication). This authentication corresponds to the key exchange =password on the Security tab of the connection profile on the Mobility Client. Notealso that the routes that are pushed down to the Mobility Client tell the MobilityClient which IP addresses can be reached over the virtual interface and will beadded to the operating system routing table.ALP LCP-Configure Request id=0x01, Inbound

<magic 0x344d79b8> <pcomp> <acomp> <encrypt AES(256)/CBC><compress PKDCL> <auth TPKDP Plaintext/SHA><VJ-red> <ip-addr 10.3.3.1><subnet mask 255.255.255.0> <routes : DestAddress: 9.9.9.9 Mask: 255.255.255.255 DestAddress: 10.3.3.0 Mask: 255.255.255.0 > <version732 IBM Corporation/LINUX (02dc020f)> <WLP Session ID 0x7687><Transport Profile Compression=FALSE, Balance Fragments=TRUE,Header Reduction=FALSE, Packet Joining=FALSE, IP Forwarding=TRUE,TCP Opt=TRUE, Network MTU=1472, IP Stack MTU=1448, TCP Initial RTT=3,TCP ACK Delay=0, WLP Transmit Delay=100, LCP Echo Interval=20,TCP Opt TTL=10001, TCP Window=0, TCP Burst Rate=5,


TCP Max Retransmits=3><session key74a1fde3ea504d8ef11b606a01ce2a2a3f29b435b4b7e560b4dae6cd4e95a39a66244b59394ab0a5>< Key auth=844113a40b257464925803e206febfd85f48c5a2

key=993eb29d793bbdbb4fafe724fdc5bcb2a84291d32950b27b>(EB0.70C)

Outbound LCP configuration ACK (Mobility Client to Connection Manager):14:08:06 ALP LCP-Configure Ack id=0x01, Outbound<magic 0x344d79b8> <pcomp> <acomp> <encrypt AES(256)/CBC><compress PKDCL> <auth TPKDP Plaintext/SHA> <VJ-red> <ip-addr 10.3.3.1><subnet mask 255.255.255.0> <routes : DestAddress: 9.9.9.9 Mask: 255.255.255.255 Dest Address: 10.3.3.0Mask: 255.255.255.0 ><version 732 IBM Corporation/LINUX (02dc0206f) <WLP Session ID 0x7687><Transport Profile Compression=FALSE, Balance Fragments=TRUE,Header Reduction=FALSE, Packet Joining=FALSE, IP Forwarding=TRUE,TCP Opt=TRUE, Network MTU=1472, IP Stack MTU=1448, TCP Initial RTT=3,TCP ACK Delay=0, WLP Transmit Delay=100, LCP Echo Interval=20,TCP Opt TTL=10001, TCP Window=0, TCP Burst Rate=5, TCP Max Retransmits=3><session key74a1fde3ea504d8ef11b606a01ce2a2a3f29b435b4b7e560b4dae6cd4e95a39a66244b59394ab0a5><Authentication auth=16887f3f72b951ea56c30465cd6403bc0daa507e>(EB0.70C)

LCP handshaking is complete. This message shows the Connection Manager andMobility Client virtual (MNI) addresses, respectively:DATAMGR Now logged onto gateway 10.3.3.1 with local ip=10.3.3.2,subnet=255.255.255.0 (EB0.70C)

The secured and encrypted tunnel between the client and server is completelyinitialized after you see this message:DATAMGR Gratuitous ARP Received (EB0.F4C)

Routes are then added to the routing table based on the MNI definition:DATAMGR Adding route: Destination = 9.9.9.9 Mask = 255.255.255.255 (EB0.F4C)DATAMGR Adding route: Destination = 10.3.3.0 Mask = 255.255.255.0 (EB0.F4C)

From the wg.log file on the Connection Manager, as on the client, you can identifythe LCP packets by the first two bytes of the hex dump:UdpPort: received data from <client real IP address> port <client MNC port> (1472)on port <server MNC port>0000: c0 21 . . .

The LCP packet enters the queue for processing:WLP: queueing LCP packet from device <client real IP address>:<client MNC port>for processing

Creating the active session table entry for this Mobility Client:First occurence of device <client real IP address>:<client MNC port> in the system -creating an account for it

. . . database calls follow . . .

The DHCP subsystem assigns the client an IP address:DHCP_System::assign: (entry)DHCP_System::assign: (return), rc=0


Transport profile processing begins. See the Technote on Determining the transportprofile used in a session for details.WLP_Session::setTransportProfile: (entry)

The initial configuration request processed by the Connection Manager with "id 1"corresponds to "id=0x01" in the Mobility Client trace:[<user Id> (client real IP address>:<client MNC port>)] PPP-FSM: rconfreq - receivedCONFREQ with id1

The Connection Manager reviews each requested setting for the connection, eitherACKs or NACKs, and sends the response to the Mobility Client:[<user ID>(<client real IP address>:<client MNC port>)] PPP-LCP: lcp_reqci -received MRUPPP-LCP: lcp_reqci - received MRU-value 1472PPP-LCP: lcp_reqci - ACK...PPP-LCP: lcp_reqci - ACKPPP-LCP: lcp_reqci - returning CONFACK....WLP: delivering WLP data (256) to account<user ID>(client real IP address>:<client MNC port>)ip-lan0::deliver: (entry)ip-lan0: delivering packet (256)0000: c0 21 . . .

The Connection Manager sends its configuration request:PPP-LCP: fsm_sconfreq - sending Configure-Request, id 1

The Connection Manager then receives the configuration acknowledgement(CONFACK) from the Mobility Client:PPP-LCP: fsm_rconfack - received id 1

And indicates that the connection is complete (Mobility Client virtual IP/MNIaddress):Trap: ’AG: connection established’ (10.3.3.2/ip-lan)

The active session database is then updated and database calls follow.

Mobility Client problemsFrequently asked questions not related to login problems with Mobility Clients areincluded in this topic.

Browse these questions, then link to the answers below.1. What does a red X over the Mobility Client icon mean?2. What happens to my Mobility Client connection when I have no signal and I

am connected/logged in to the Connection Manager?3. What happens to my Mobility Client connection when I go out-of-range of my

network?4. I can log on using the Mobility Client, but my applications do not seem to

work. What's wrong?5. Why can't I connect to the Connection Manager?6. Why can't I connect to the network? (This could mean the physical network or

it could mean you cannot log in to the Connection Manager.)7. What does the message "The IBM Connection Manager has terminated your

connection" mean?


http://www.ibm.com/support/docview.wss?rs=804&context=SSZQDW&q1=transport+profile+wg.log&uid=swg21225278&loc=en_US&cs=utf-8&lang=en

http://www.ibm.com/support/docview.wss?rs=804&context=SSZQDW&q1=transport+profile+wg.log&uid=swg21225278&loc=en_US&cs=utf-8&lang=en

8. What does "The IBM Connection Manager has terminated your connectionbecause another user has logged in with the same userid" mean?

9. Why did I get a popup message indicating the configuration of the client doesnot match that of the Connection Manager?

10. I see a message that says the host is unreachable or unknown. What do I do?11. Mobility Client packets are being dropped. What do I do?

Answers to the problems with the Mobility Client include:1. What does a red X over the Mobility Client icon mean?

This symbol is the Network out-of-range indicator or the Networkcongestion indicator. This icon is shown on top of the Mobility Client icon inthe Microsoft Windows system tray. If you are using the client and havemoved into an area where the network cannot be reached or is congested, itcauses a delay in network traffic. When the situation clears, the red icon willdisappear.

2. What happens to my Mobility Client connection when I have no signal and Iam connected/logged in to the Connection Manager?The Mobility Client connection can be thought of as having two parts. Thefirst part is the physical network connection you have from your device toyour company network. The second part is the connection between theMobility Client and the Connection Manager. If you lost your signal to thephysical network, the virtual connection between the Mobility Client and theConnection Manager is maintained. If your device comes back into an area ofnetwork coverage again, then you can simply resume your activity.The way in which the Mobility Client is able to resume this activity is basedin part on the type of connection you have to your network. One situationwhere you would not be able to resume normal activity would be if youremained out-of-range for a long enough period of time where the ConnectionManager logs you off due to inactivity. This amount of time is configurable onthe Connection Manager and can also be turned off.

3. What happens to my Mobility Client connection when I go out-of-range of mynetwork?It depends on how your current connection to the Connection Manager isconfigured and what interfaces are defined, but when you roam out-of-rangeof your network, the Mobility Client receives an out-of-range event indication(device and operating system dependent) which causes the client to suspendthat interface for data transfer. If you are configured to have another networkinterface and it is in range, the Mobility Client would roam to that interface,make it active and use it. The Mobility Client waits for your network deviceto signal that it is back in range and the client resumes the connection. TheMobility Client lets the user arrange multiple network interfaces in a prioritylist that determines which networks are used first when they are in range. Fora more complete discussion of cross-network roaming, see Using the MobilityClient in the Mobility Client for Windows User's Guide.

4. I can log on using the Mobility Client, but my applications do not seem towork. What is wrong?a. If you are using a desktop Windows device, open a command prompt and

issue the ipconfig command. Make sure that the adapter has an IP addressassigned.The output can be interpreted as follows:


Connection-specific DNS SuffixThis will likely be your company domain.

IP AddressThe IP address supplied by the Connection Manager.

It is important that this address be valid and have come from theDHCP address pool defined in the Connection Manager. If thisaddress does not come from the DHCP pool or is not a validaddress, then this is the reason for the problem.

Subnet MaskThis is the subnet mask which should come from your ConnectionManager's DHCP pool configuration.

Default GatewayThis is the IP address of the router where the IP traffic is sent first.For the Mobility Client this field might be valid if it is blank.

b. Issue a ping command against the mobile network interface (MNI) addressof the Connection Manager. The MNI address is available from theConnection Manager administrator. If you are able to ping the MNI, thenyou have shown that a good connection exists between the device and theConnection Manager.

c. Another visual indication to see whether IP packets are flowing is to usethe Mobility Client status information. On Windows desktop systems,right-click the Mobility Client icon in the system tray and click Status, thenclick the Statistics tab. The status window shows the number of packetssent and received, as well as the number of bytes sent and received andthe time of the current client connection. If the packets-sent count is notincreasing when you attempt to use an application, then the traffic is notleaving the Mobility Client. Check the Mobility Client configuration forerrors.

d. If the packets-sent count is increasing but the received count is notincreasing, then the packets might be reaching the Connection Managerbut not returning. Perform Connection Manager debug procedures.

5. Why can't I connect to the Connection Manager?a. How many green bars are displayed on the Connect window during the

login attempt? Use this window to determine where the problem might be.If it is possible, determine the signal strength of the modem. If the modemsignal strength is low, then this could be a reason why you are unable tologin.v A blue bar means that the Mobility Client has not successfully contacted

that level yetv 1 green bar = Connected to modem/network cardv 2 green bars = Connected to the networkv 3 green bars = Connected to the Connection ManagerSome Microsoft Windows Updates rename the network adapter. When thenetwork adapter is renamed, Mobility Client cannot connect. In thesecases, delete the connection and recreate a new connection.

b. Is the IP address of the Connection Manager correct in the Mobility Clientconnection properties?To verify, from the Mobility Client Connections window, right-click theconnection you are using. Click Properties and click the Networks tab,then click the Properties button.


On the Ports tab, check the port numbers to make sure they are correct.8889 is the default value for UDP ports. Check with the ConnectionManager administrator to make sure this is accurate.

6. Why can't I connect to the network? (This could mean the physical network orit could mean you cannot log in to the Connection Manager.)You need to determine if you are having connectivity problems with thebearer network or if the connectivity problem is with the Connection Manager.Look at the Mobility Client Connect window when attempting to log in. Thegreen bars assist you in making the determination if you are accessing thenetwork or not. If the Connect window has at least 2 green bars, then you arereaching your network but are unable to log in to the Connection Manager. Ifthis is the case, use procedures for troubleshooting login problems to theConnection Manager.

7. What does the message "The Connection Manager has terminated yourconnection" mean?This message can be displayed for several reasons:v The Connection Manager has terminated your connection. Another Mobility

Client has logged on with the same user ID.v The Connection Manager has terminated your session because it has been

idle for too long.v Your connection has been terminated by the Connection Manager

administrator. The administrator has logged you off the ConnectionManager.

8. What does "The Connection Manager has terminated your connection becauseanother user has logged in with the same user ID" mean?The Connection Manager allows this situation to occur. If you are alreadylogged in and you want to log in using another device or from a differentlocation but did not log off the first device, the Connection Manager lets youlog in using the second device.If another user also used the same user ID and password that you used to login, that person would be allowed to access the network and your originalconnection would be severed and the message displayed.

9. Why did I get a message indicating the configuration of the client does notmatch that of the Connection Manager?The messages reads: The Connection Manager has terminated yourconnection. Please check your client options like compression for a possiblemismatch with the Connection Manager options.The connection profile on the Connection Manager sets options like minimumallowable encryption levels and compression.This error is a general indication that any of these conditions are mismatchedbetween the Connection Manager connection profile and the Mobility Clientconnection properties:v Insufficient encryption strength set on the Mobility Clientv Compression is not selected on Mobility Client, but is set to mandatory on

the Connection Managerv Different encryption key distribution settings

Check the Mobility Client properties and the properties of the connectionprofile used for the MNC through which the Mobility Client connects to makesure the options match.

10. I see a message that says the host is unreachable or unknown. What do I do?


On Windows XP, Windows 2000 and Windows Vista, there are DNS or hostname resolution issues when you cannot make an IP connection to a remotehost using the host name.Set the primary DNS on your system, then make sure advanced TCP/IPsettings are accurate.a. Click Start –> Settings –> Control Panel, then double-click System.b. On the System Properties panel, click Network Identification, then click

Properties.c. On the Identification Changes panel, click More. Enter the Primary DNS

suffix.d. Make sure the Change primary DNS suffix when domain membership

changes box is cleared.e. Click OK. If prompted to, restart your system.f. Open the Network Connections folder (on Windows 2000, click Start –>

Settings –> Network Dial and Dial-up Connections), then right-click theLAN connection you are using and click Properties.

g. Click Internet Protocol (TCP/IP), click Properties, then click Advanced.h. Click the DNS tab. Select Append primary and connection specific DNS

suffixes.i. Select Append parent suffixes of the primary DNS suffix.j. Enter the DNS suffix in the DNS suffix for this connection field.k. Click OK. If these steps do not resolve the problem, check how to Tweak

DNS Errors Caching in Windows 2000 / XP on the speed guide.net website.

11. Mobility Client packets are being dropped. What do I do?Use the account log file (wg.acct) to look for “resyncs” in the file to showwhere a packet was dropped. This file is located in /var/adm/ on AIX, Linux,or Solaris. On Windows, this file is located in the installation directory underlogs\. Although the account file is useful for troubleshooting, it is not a validsource of information for contesting billing. For example, it is not a reliableproof that you had only 250 packets transferred despite your bill for 450packets.

Connection Manager problemsFrequently asked questions about problems with the Connection Manager areincluded in this topic.

Browse these questions, then link to the answers below.1. How do I make sure the corequisite software is installed and running

properly?2. What are the file names of the log files and where are they located?3. How do I reset the log files?4. Can I set the maximum size of the log files?5. What should I check when Connection Manager logging stops?6. How do I set the trace for an individual Mobility Client?7. How can I validate that traffic is routable between the Connection Manager

and the Mobility Client?8. How can I validate that IP traffic is routable between the enterprise

application server and the Mobility Client?


http://www.speedguide.net/read_articles.php?id=158

http://www.speedguide.net/read_articles.php?id=158

9. What should I check when the Connection Manager fails to establish a virtualcircuit (X.25)?

10. What should I check when the initial configuration of the access manager failsor is cancelled?

11. What should I check when the Connection Manager does not start?12. What should I do when the Connection Manager startup seems to be slow?13. On AIX systems, what do I do when all or some groups of mobile devices fail

to connect to the Connection Manager?14. I cannot establish a connection from the Mobility Client. What should I check?15. The wg_acct command stops running after an extended period of time. What

do I do?16. On Windows systems after disabling the Connection Manager network

connection, the Connection Manager does not operate. What do I do?

Answers to the problems with the Connection Manager include:1. How do I make sure the corequisite software is installed and running

properly?a. Issue the netstat command: netstat -an |grep <port #>

If you want to issue the command for a TCP-based server, then the portmust be in LISTEN state. If the server is UDP-based then, the port will beBOUND.By default, the directory service server (DSS or LDAP) listens on port 389.DB2®, if it is on a different machine than Connection Manager, listens onport 50000.

Note: On Windows systems, issue the netstat -an command and thenreview its output to determine the state of the TCP- and UDP-basedports.

b. Issue the telnet command: Telnet <remote host> <remote port>This will make a TCP-based connection to the remote application. If all iswell, you will see nothing in the display. You might see a message that the"connection is established."The Telnet application might or might not be allowed into a ConnectionManager. Check with the administrator of the Connection Managermachine to see if telnet is allowed by your Connection Manager machine.

c. Check the process list on the remote host for running applications (DB2,slapd for LDAP):1) For the Connection Manager: ps -ef |grep wgated and/or ps -ef |grep

wgattachd

2) For the DSS (LDAP): ps -ef |grep slapd

3) For the DB2 database: ps -ef |grep db2

Note: On Windows systems, press Ctrl+Alt+Delete and then select TaskManager to review the Processes tab.

d. Use a software-based network analyzer like Ethereal (www.ethereal.com)to observe the packet flows between Connection Manager and itsenvironment.

2. What are the file names of the log files and where are they located?Connection Manager log file locations and file names are configurable usingthe Gatekeeper.


The default file names are:v wg.log - Message logv wg.trace - Individual users' trace logv wgmgrd.log - Access manager trace logv wg.acct - Accounting and billing log (when the Connection Manager is not

configured to use relational database for storing accounting records)

These files are located in /var/adm/ on AIX, Linux, or Solaris. On Windows,these files are located in the installation directory under logs\.

3. How do I reset the log files?The message, trace, or accounting log files can be reset using the Gatekeeper.On the Resources tab, right-click the Connection Manager resource, then clickReset Log Files. Choose to reset All files or just specific files.Resetting log files will date/time stamp the current file in the format ofwg.<logfilename>.$yy.mm.dd.hh.mm.ss.Message, accounting, and trace log files can also be reset from the commandline using the command:

chwg -r log to reset the message log filechwg -r acct to reset the accounting and billing log filechwg -r trace to reset the trace log filechwg -r all to reset all of the files

If you will be collecting a new log for IBM Support, perform a reset prior torecreating any problem.

4. Can I set the maximum size of the log files?You can only set the maximum size of the message log file (wg.log). Click theLogging tab on a Connection Manager, then enter the maximum size of themessage log file in MB. When the maximum file size is reached, the file isrenamed in the form wg.log.bak.$date.The logging subsystem checks for available space and automatically reducesthe logging level as the file system nears capacity. An SNMP trap is fired(120284 WARNING for the accounting log) as the log level is automaticallyreduced.Store log and trace files in their own file system. These files are located in/var/adm/ on AIX, Linux, or Solaris. On Windows, these files are located inthe installation directory under logs\. Use the operating systemdocumentation to help you carry this task out.

5. What should I check when Connection Manager logging stops?Check the size of the log files. Some operating systems have limitations on filesizes. If logging stops, reset the log files.

6. How do I set the trace for an individual Mobility Client?In some cases it is necessary to have a trace log for a specific Mobility Client.Use Gatekeeper to activate the trace. Edit the User properties, click theAccount tab, then click the Start trace box.To read the resulting wg.trace file, use the wg_trc command. This command isfully documented in the IBM Lotus Mobile Connect Command Reference..

7. How can I validate that traffic is routable between the Connection Managerand the Mobility Client?If the Mobility Client times out while trying to log on to the ConnectionManager, validate that User Datagram Protocol (UDP) traffic is routablebetween the two:


a. Disconnect the Mobility Client from the Connection Manager and stop theConnection Manager.

b. Ping the Connection Manager after establishing a physical networkconnection. Since many firewalls, including desktop firewalls, filter pingand UDP, use wcecho to verify that the UDP path between the MobilityClient and Connection Manager is not obstructed by a firewall rule:1) Start the UNIX® echo server for UDP, set it to your MNC's port

number (8889 by default) and verify that the echod daemon is runningby issuing the command: netstat -an | grep 8889

Note: For Windows systems, you must first download the Utilities forSubsystem for UNIX-based Applications package before you caninstall the echo server.

2) Establish the physical network connection on the client machine.3) Execute wcecho.exe, found in your Mobility Client install directory,

and target the echod daemon running on the Connection Managermachine: wcecho -c 2 -i 1000 -p For example,C:\PROGRA~1\IBM\MOBILI~1>wcecho -c 2 -i 1000 -p 8889 hcaix123WCECHO hcaix123: (9.42.96.140) 64 data bytes via UDP port 888964 bytes from 9.42.96.140: seq=1 time=0 ms64 bytes from 9.42.96.140: seq=2 time=0 ms-----hcaix123 WCECHO statistics-----2 packets transmitted, 2 packets received, 0% packet lossround-trip min/avg/max = 0/0/0 msOnce the wcecho test is successful, then stop the echod server andrestart the Connection Manager and verify the MNC is runningOn the Connection manager machine issue netstat -an |grep |more[hcaix123]:root:/>netstat -an |grep 8889 |moreudp4 0 0 *.8889 *.*[hcaix123]:root:/>

8. How can I validate that IP traffic is routable between an enterprise applicationserver and the Mobility Client?If an application times out while trying to execute its transaction, validate thatIP traffic is routable between the enterprise application server and theMobility Client.a. First determine if name resolution is required and, if so, is it working:

1) Ping the destination host by IP address.2) Ping the destination host by host name and see if an IP address is

returned.If the ping by IP address works but ping by host name does not, thenadd your enterprise domain name system (DNS) to the mobile networkinterface (MNI) properties on the Connection Manager and reconnectthe Mobility Client.

b. Does the Mobility Client's IP stack have a route table entry to direct thetraffic into the Connection Manager system?On Windows systems, use the commands route print or netstat -nr and,on Windows CE, use the program artroute.exe which is found in theMobility Client's install directory. The route table needs entries to coverDNS and the destination application server.

c. Does the destination server have a return route into the MNI on theConnection Manager? For example, if your destination application serverhas an IP address of 10.120.15.20 and the Connection Manager's MNIaddress is 192.168.10.1, can you issue a ping from the destination server to


http://www.microsoft.com/downloads/details.aspx?FamilyId=8B4987E6-D960-49A2-BF52-D3FBD654254C&displaylang=en


the MNI address and get a positive response back? If not, then thenetwork routers need to be updated to be able to route IP traffic to theMNI address.If you are not using network address translation (NAT), then the enterpriserouting infrastructure must be aware of your mobile network definition.Add routes where appropriate. The syntax varies depending uponplatform but is generally: route add netmask gateway

d. If you are using Connection Manager network address translator (NAT) onyour MNIs, did you publish the NAT address using the operating system'sarp command? For example,root@gw79:/#>arp -awxp1e99.raleigh.ibm.com (9.42.96.99) at 0:6:29:6c:9d:e2 [ethernet]permanent published stored in bucket 6

A common mistake is not using the correct media access control (MAC)address. The MAC address must be that of the network interface card(NIC) connected to the destination network. Check firewall filters to ensurethat the firewalls are not filtering out the application packets.

9. What should I check when the Connection Manager fails to establish a virtualcircuit (X.25)?v Make sure the IP address and subnet mask are correct for the MNI.v Ensure good connectivity to the wired LAN side: If the mobile access

service must resolve host names for mobile devices and Mobility Clients, itrelies on a domain name server (DNS). Applications can timeout whilewaiting for the DNS query results. The mobile device or Mobility Clientmight reach the premature conclusion that the connection cannot be made.In fact, it is taking too long to look up the host name to determine who theuser wanted to contact. To avoid this problem, establish a host table on theMobility Client; to avoid confusion with host names, use IP addresses.

v Check to see if the network provider is experiencing problems.10. What should I check when the initial configuration of the access manager fails

or is cancelled?Check all directory service parameters. On the Connection Manager system,review the wgated.conf file. On AIX or Solaris systems, this file is in/opt/IBM/ConnectionManager. On Windows systems, this file is in \ProgramFiles\IBM\Connection Manager. On Linux systems, the file is in/opt/ibm/ConnectionManager/wgated.conf. Delete this file then restart theGatekeeper to configure the access manager again.

11. What should I check when the Connection Manager does not start?Check all directory service parameters. The Connection Manager's parametersdefault to those of the access manager. The currently logged in administrator'sID and password might be different from those for the access manager.

12. What should I do when the Connection Manager startup seems to be slow?Activate all message log levels, then monitor messages in the wg.log file todetermine if you have an X.25 problem. Your calls could be timing out or itcould be a domain name system (DNS) problem (taking too long to resolvethe host name, or experiencing a lookup failure).

13. On AIX systems, what do I do when all or some groups of mobile devices failto connect to the Connection Manager?Start by checking underlying devices: X.25, TCP, TTY, or ISDN:v Use x25status, lsdev, and x25mon to verify X.25 connectionsv Use netstat -a to verify TCP connections


v For X.25-based RDNs, verify incoming traffic at the X.25 level, usingx25status and x25mon

v Monitor modem activity if you are using TTY- and ISDN-based RDNs

Activate the message log and review wg.log for non-zero numeric returncodes. These files are located in /var/adm/ on AIX, Linux, or Solaris. OnWindows, these files are located in the installation directory under logs\.

14. I cannot establish a connection from the Mobility Client. What should Icheck?Mobility Client operation depends on the network provider. Check:v Is there a validation problem? Are the user and/or mobile device defined to

the Gatekeeper? Is the password correct?v Does the Mobility Client's IP address match one on an MNI subnet? If

using DHCP, is there an address available?v Use the tail command to display the account log file and ensure that data is

arriving from the Mobility Client.v Ensure that the mobile access services has established communications with

the network provider.v Check the status display on the Mobility Client to see if it is receiving any

packets. If so, there should be a message indicating a problem. If not, theremight be a configuration error.

v If the mobile device uses a connection that displays signal strength andbattery strength, check these values.

15. The wg_acct command stops running after an extended period of time. Whatdo I do?When the Connection Manager is configured to use a database for accountingand billing data, and the wg_acct command is used with the -f flag to displaythe accounting data, the wg_acct command can stop running. This problemdoes not affect the integrity of the accounting and billing data nor does itaffect the running of Connection Manager or access manager processes. Noaction is required after the problem occurs and the wg_acct command can berestarted. This problem has been observed only on AIX 5.1.

16. On Windows systems after disabling the Connection Manager networkconnection, the Connection Manager does not operate. What do I do?Enable the network connection, then restart the Connection Manager. Toenable the network connection, click Start → Settings → Network Connections.Right-click the Connection manager, then click Enable. Then, restart theConnection Manager.

Persistent data storage problemsFrequently asked questions about problems with persistent data storage areincluded in this topic.

Browse these questions, then link to the answers below.1. When does Connection Manager communicate with the relational database?2. How do I troubleshoot DB2 problems?3. What do I do with error messages or read and write traps that indicate there is

not enough space to create the DB2 database or that the database directory isnot found?

4. What do I do when error message code -4400 is seen in wgmgrd.log file?


5. What do I do when this error message is seen in wg.log [IBM][CLI Driver]SQL30081N A communic ation error has been detected. Communicationprotocol being used: "TCP/IP". Communication API being used: "SOCKETS".Location where the error was detected: " 127.0.0.1". Communicationfunction detecting the error: "connect". Protocol sp ecific errorcode(s): "79", "*", "*". SQLSTATE=08001

6. What do I do with the DB2 error message "The transaction log for database isfull"?

7. ActiveSession database errors exist in wg.log, even though the ActiveSessiondatabase is running and accessible to other applications. What do I do?

8. When does Connection Manager communicate with the directory service(LDAP)?

9. How do I troubleshoot DSS (LDAP) problems?

Answers to the problems with the persistent data storage include:1. When does Connection Manager communicate with the relational database?

Connection Manager communicates with the relational database when:v The wgated process initializes.v A user's session changes state.v Connection Manager configuration changes are made.v User records are changed or added.v The wgated process terminates.

2. How do I troubleshoot DB2 problems?a. To determine the level of DB2, use the command:

v AIX: su - ldapdb2 -c "db2level"

v Red Hat Linux: rpm -qa |grep db2

v Windows: start the DB2 Command Line Processor to see the versioninformation for DB2.

b. If the DB2 server is a remote installation, ping the DB2 server fromConnection Manager machine.

c. Review <DB2 server>/etc/services to confirm server instance ports. Forexample, db2cwgdb or db2iwgdb.

d. See the Technote on DB2 connection problems on Connection Managersystems.

e. On the DB2 server machine, issue the command su - <server instance ID>and invoke the DB2 shell: stop/start db2. Then, list the database directoryand list the node directory.

3. What do I do with error messages or read and write traps that indicate there isnot enough space to create the DB2 database or that the database directory isnot found?Check that the home directory has at least 50 MB available space. The homedirectory is the base directory plus the instance ID. For example, if you areusing the instance ID of wgdb and the base directory is /home, the homedirectory is /home/wgdb.

4. What do I do when error message code -4400 is seen in wgmgrd.log file?The DB2 configuration script requires that the root user have the necessarygroup memberships to match the groups of the DB2 instance ID. Make surethat the root ID is a member of the instance ID's primary group.

5. What do I do when this error message is seen in wg.log [IBM][CLI Driver]SQL30081N A communic ation error has been detected. Communication


http://www.ibm.com/support/docview.wss?rs=804&context=SSZQDW&q1=DB2&uid=swg21082996&loc=en_US&cs=utf-8&lang=en

http://www.ibm.com/support/docview.wss?rs=804&context=SSZQDW&q1=DB2&uid=swg21082996&loc=en_US&cs=utf-8&lang=en

protocol being used: "TCP/IP". Communication API being used: "SOCKETS".Location where the error was detected: " 127.0.0.1". Communicationfunction detecting the error: "connect". Protocol sp ecific errorcode(s): "79", "*", "*". SQLSTATE=08001?Stop the Connection Manager and wait for the DB2 instance to start completely.To verify that the DB2 instance has automatically started after a reboot, use thecommand netstat -na to display that the instance connection port is listening.Then, start the Connection Manager.

6. What do I do with the DB2 error message "The transaction log for database isfull"?Check that the file system has enough available space. If sufficient space isavailable, increase the log file size. Use the command db2 update db cfg fordatabase database_name using logfilsiz log_file_size, where database_nameis the name of the database and log_file_size is the size of the log file that islarger than what you currently have defined.

7. ActiveSession database errors exist in wg.log, even though the ActiveSessiondatabase is running and accessible to other applications. What do I do?In Gatekeeper, stop the Connection Manager, then open the ConnectionManager properties. Click the Session database tab and do the following:a. Add an extra character to both the Database administrative ID and

Password of database administrative ID fields.b. Click Apply.c. Verify that the values for wpsstoredbadminid and wpsstoredbadminpw are

now present in wgated.conf. (Note: the value for wpsstoredbadminpw isencrypted.)

d. Go back to Gatekeeper and remove the extra character that you added toboth fields in step 1.

e. Click Apply.f. Take note of the value for Database Name in the Session database

properties.g. Edit wgated.conf and add a line (replacing db_name_from_sess_db_prop

with the value from step 6): wpsstoredbname =db_name_from_sess_db_prop

h. Verify that all three values are there. Save and close wgated.conf.i. Start Connection Manager.

8. When does Connection Manager communicate with the directory service server(DSS) using the lightweight directory access protocol (LDAP)?Connection Manager communicates with the directory service when:v The wgated process initializes.v A user's session changes state.v Connection Manager configuration changes are made.v User records are changed or added.v The wgated process terminates.

9. How do I troubleshoot LDAP problems?a. Ping the directory service server from Connection Managerb. Point an HTTP browser to <ldap host>/ldap and try to login with the DSS

user ID and password used in the access manager configuration.c. Review the <LDAP server>/etc/slapd32.conf file to confirm the values for

server port, ibm-sladpPort and ibm-slapdErrorLog.


d. Review the ibm-slapdErrorLog file. By default, it is located in/tmp/slapd.errors. Connect using an LDAP administrative browser likeDMT (Directory Management Tool) or Softerra.

e. To verify that LDAP is running correctly, use a native LDAP command,such as ldapsearch. Enter ldapsearch -? to return the command syntax. Asample command would look like: ldapsearch -h <ldap server> -D <admindn> -w <admin pwd> -b <suffix> '(objectclass=*)'

Application problemsFrequently asked questions about problems with applications are included in thistopic.

Browse these questions, then link to the answers below.1. Applications do not respond and there is packet loss. What do I do?2. Application connections, such as Lotus Sametime®, seem to disconnect

unexpectedly. What do I do?

Answers to the problems with applications include:1. Applications do not respond and there is packet loss. What do I do?

You might need to tune your network for performance. Make sure that settingsbetween the Connection Manager and the Mobility Client match and areoptimized for your network. For example, match MNC settings such asnetwork MTU and TCP retransmit time-to-live and connection profile settingssuch as compression algorithm, protocol header reduction, TCP protocoloptimization, and fragmentation. See Tuning Connection Manager for moredetail.

2. Application connections, such as Lotus Sametime, seem to disconnectunexpectedly. What do I do?Try using the Keepalive Interval with an initial value of 10 seconds for a 1xRTTor GPRS network. For other connections, such as WLAN or broadband, trysetting the value to 15 seconds.This value will vary up or down depending on the network address translation(NAT) and firewall characteristics of your ISP or network service provider. Thesetting for your network requires trial and error to determine the correct value.Inbound voice call handling on some devices can be affected by active dataconnections such as that used by the Mobility Client. Connections which aredefined to use the network interface "Automatically Connect" will usually allowinbound voice calls to occur provided data is not being sent at the time the callis received. Be aware that the Keepalive setting, which causes the client to sendKeepalive packets at configured intervals, can prevent the phone from receivinginbound voice calls. The probability that the Keepalive packets will interferewith inbound voice calls increases as the configured Keepalive intervaldecreases.

Gatekeeper problemsFrequently asked questions about problems with Gatekeeper are included in thistopic.

Browse these questions, then link to the answers below.1. When logged in as default Connection Manager administrator (gkadmin), there

is no top-level OU in the Resources tab. What do I do?


http://www-106.ibm.com/developerworks/websphere/library/techarticles/0405_jones/0405_jones.html

2. When logged in to the Gatekeeper, nothing displays in the left pane on theResources tab. What do I do?

3. An administrator using an ACL profile cannot view certain resources orproperty fields are empty. What do I do?

4. Attributes of the Connection Manager or its subordinate resources aredisplayed incorrectly when Connection Managers are defined for differentoperating systems. What do I do?

5. Someone has modified the properties of the default administrator, gkadmin,and I can no longer gain access to the Connection Manager through theGatekeeper. What do I do?

Answers to the problems with Gatekeeper include:1. When logged in as default Connection Manager administrator (gkadmin), there

is no top-level OU in the Resources tab. What do I do?Check:v That the directory service server is running.v The base distinguished name (base dn) on the Properties window of the

access manager resource. It must match the suffix you specified when youconfigured your directory service server.

2. When logged in to the Gatekeeper, nothing displays in the left pane on theResources tab. What do I do?Check:v The Refresh button. It is not active until the resources are completely shown

in the left pane.v To see if the administrator ID does not have access to any resources. Click

File –> Access Control Lists to display the access lists for the currentlylogged in administrator ID. Add access control lists to the ACL profile forresources that you want this administrator ID to control.

3. An administrator using an ACL profile cannot view certain resources orproperty fields are empty. What do I do?Make sure you have an access control list profile that provides an ACL to allthe resources you need. For example, make sure the ACL profile has an ACLfor Password policies, if you want to be able to set one for a user.

4. Attributes of the Connection Manager or its subordinate resources are notdisplayed correctly when Connection Managers are defined for differentoperating systems. What do I do?If Connection Manager objects which run on different operating systems aredefined in the same datastore, they are all displayed in the left pane. If you login to any of the access managers in the left pane, you can see and access all theConnection Managers there. Connection Manager objects and their subordinateresources might display incorrectly if such objects are defined for differentoperating systems in the same datastore. If you attempt to edit ConnectionManagers or their subordinate resources other than those for the one you arelogged into, some of their attributes might not display correctly if they run on adifferent operating system from the access manager you are logged into. Forthis reason, you should not modify the properties of cross-platform resources.

5. Someone has modified the properties of the default administrator, gkadmin,and I cannot access the Connection Manager through the Gatekeeper. What doI do?Use the command line interface to modify properties of the administratoraccount to reestablish login rights. For example, to display all properties of thegkadmin account, from a command prompt on the Windows Server enter:


lswg -l cn=gkadmin -X

If the command shows that the account has been locked, as<locked>1</locked>, unlock the account by entering:chwg -l cn=gkadmin -a locked=0

Determining the status of resourcesTo check the actual status of the network interface, use the IP netstat andifconfig commands.

The netstat command provides the names of all network interfaces together withaddressing and statistical information. The ifconfig command shows the currentparameters of a specified network interface.1. The netstat command provides the names of all network interfaces together

with addressing and statistical information. To list all network interfaces, fromthe Connection Manager command line, enter:netstat -i

An example on an AIX system is shown in Figure 1.An example on a Linux or Solaris system is shown in Figure 2.

In Figure 1, network interface mn1 uses IP address 193.99.234.65 and amaximum packet size of 4096. On this interface 20 IP packets have beenreceived and 21 sent, with no I/O errors. The asterisk character (*) followingthe network name indicates that the network is inactive. In its current inactivestate, the mn1 interface cannot send and receive packets.

2. To show the current parameters of a specified network interface, from theConnection Manager command line on UNIX-based systems, enter:ifconfig mn0

On Windows systems, enter:ipconfig mn0

Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Colllo0 1536 <Link> 23339 0 23339 0 0lo0 1536 127 loopback 23339 0 23339 0 0mn0 4096 <Link> 7146 0 8497 0 0mn0 4096 8.54.56 8.54.56.2 7146 0 8497 0 0mn1* 4096 <Link> 20 0 21 0 0mn1* 4096 193.99.234. 193.99.234.65 20 0 21 0 0mn2* 4096 <Link> 8 0 8 0 0mn2* 4096 193.99.234. 193.99.234.129 8 0 8 0 0mn3* 4096 <Link> 4 0 4 0 0mn3* 4096 193.99.234. 193.99.234.193 4 0 4 0 0

Figure 1. Sample output of netstat command showing status of the network interface - AIX

Figure 2. Sample output of netstat command showing status of the network interface - Linux or Solaris


An example on an AIX system is shown in Figure 3.An example on a Linux or Solaris system is shown in Figure 4.

In Figure 3, network interface mn1 is using network mask 0xffffffc0. The “0x”prefix indicates hexadecimal format; the equivalent dotted-decimal notation is255.255.255.192.

Verifying Connection Manager processesLearn the names of the processes that Connection Manager starts and how to listthem for your operating system.

When you start the Connection Manager on AIX, Linux, or Solaris systems, there isone instance of the wgated process and one instance of the wgattachd process thatare initiated. The wgated process performs the functions of the ConnectionManager, such as monitoring the status of network devices, transmitting data, andupdating log files. The wgattachd process monitors the wgated process and restartsit if it fails.

When you start the Connection Manager on Windows systems, the wgattachddaemon is installed as a Windows service. Click Control Panel -> AdministrativeTools -> Services to verify this.

To list the running Connection Manager processes, issue this command onUNIX-based systems:ps -e | grep wga

To list the running Connection Manager processes on Windows systems, pressCtrl+Alt+Delete, select Task Manager, and view the Processes tab.

You should see one instance of the wgated process and one of the wgattachdprocess on AIX, Linux, Windows, and Solaris systems. If you do not see theseinstances, shut down then restart the Connection Manager.

Verifying the portmap daemon is enabled for automatic start-up on AIXsystems

Verifying the portmap daemon is enabled for automatic start-up on AIX systems.

mn0: flags=60<NOTRAILERS,RUNNING>inet 193.99.234.65 netmask 0xffffffc0

Figure 3. Sample output of ifconfig command - AIX

Figure 4. Sample output of ifconfig command - Linux or Solaris


To verify that the portmap daemon will start automatically when the system unit isstarted:1. Log on as root and edit the /etc/rc.tcpip file.2. Locate the portmap entry, which will contain start /usr/sbin/portmap.3. Make sure that the “#” does not start the beginning of the portmap entry. (The

# in column 1 indicates that the line is only a comment and is not to beexecuted.)

4. Save and close the file.

You can also start portmap from the command line. Note that if the system unit isrestarted, you must add the portmap entry to /etc/rc.tcpip for portmap to startautomatically.

To start portmap from a command line:# startsrc -s portmap

Port number informationThis topic lists the port numbers required for use by the Connection Manager andinstructions about changing them.

The Connection Manager and access manager are installed on the same system andrequire a port for communication with the Gatekeeper.

9555 Communication between Gatekeeper and access manager

9559 Communication between Gatekeeper and access manager using SSL

To change these port numbers, first update the /etc/services file, then:

AIX Refresh the inetd daemon by entering refresh -s inetd.

Linux (using xinetd daemon)Refresh the inetd daemon by typing kill -SIGUSR2 `ps -e | grep xinetd| awk ’{print $1}’`.

Linux (using inetd daemon) or SolarisRefresh the inetd daemon by typing kill -HUP `ps -e | grep inetd | awk’{print $1}’`.

WindowsNot available.

There are other default ports on which the Connection Manager listens. To changethese port numbers, use the Gatekeeper to edit the Connection Manager, mobileaccess services, or messaging services properties.

These ports include:

Table 1. Ports on which the Connection Manager listens

Port numberand protocol

Component using Direction Comment

80 - TCP v HTTP access services

v Mobility clients usingclient-less model)

v Mobile accessservices

Internet side ofConnection Managerfrom HTTP clients andMobility clients.Intranet side to HTTPproxy

Depends on location ofHTTP proxy, web, orapplication server


Table 1. Ports on which the Connection Manager listens (continued)



443 - TCP v HTTP access services

v Mobility clients(client-less model)

v Mobile accessservices

Internet side ofConnection Managerfrom HTTP clients andMobility clients.Intranet side to HTTPproxy

Depends on location ofHTTP proxy, web, orapplication server

1645 or 1812 -UDP

RADIUS authenticationmessages

Bidirectional – Intranetside of ConnectionManager

Used in conjunctionwith the device resolveror with third-partyRADIUS authenticationservers

1646 or 1813 -UDP

RADIUS accountingmessages

Bidirectional – Internetside of ConnectionManager

Used in conjunctionwith the device resolveror with third-partyRADIUS authenticationservers

9557 - TCP Connection Manager No firewall implication Used between theConnection Managerand the wg_monitorutility

14356 - TCP Connection Manager Depends on location ofsubordinate nodes – Ifthe nodes are inside theDMZ, there is nofirewall implication,otherwise it is theIntranet side ofConnection Manager

Subordinate node in acluster listens to receiveincoming requests froma principal node –inactive by default

8888 - TCPand UDP

Mobile access services Bidirectional Used between MobilityClient and ConnectionManager to changeclient password.Note: This port is onlyaccessed through theVPN tunnel and doesnot need to beexternalized byfirewalls.

8889 - TCPand UDP

Mobile access services Bidirectional – Internetand Intranet side ofConnection Manager,unless specifically set tobind to an IP addresson one side or the other

IP-based receive

9551 - TCP Connection Manager Bidirectional The ConnectionManager listens fordynamic configurationrequests using the TCPprotocol.


Table 1. Ports on which the Connection Manager listens (continued)



9553 - TCP Connection Manager Bidirectional The ConnectionManager listens fordynamic configurationrequests using the TCPprotocol.

9610 - TCP Mobile access services Bidirectional Listener for third-partyRADIUS authenticationrequests from MobilityClients

13131 - TCP Messaging services Bidirectional – Intranetside of ConnectionManager

Send/receive port formessaging services APItraffic

13132 - TCP Messaging services Bidirectional – Intranetside of ConnectionManager

Secure send/receiveport for messagingservices API traffic

Supported localesThis topic describes which national language locales are supported and whichlocales are used by default.

On Windows systems, only UTF-8 locales are supported. The national languagesupport is installed automatically with the single run-time package. Command lineutilities are currently restricted to English only.

When you use the Gatekeeper to log into the Connection Manager, information isexchanged on the language to be used for the session. The Gatekeeper requests alanguage depending on the locale it is using and the Connection Managerresponds with the locale that will be used, either the locale requested or English.

The Connection Manager uses a default locale for each language. To use alanguage other than English, the operating system that the Connection Manager isrunning on must support the default locale that the Connection Manager uses forthe language and the message catalogue must be installed for that locale. TheEnglish UTF-8 locale is required for all languages and the localized UTF-8 locale isrequired for each non-English language that will be used if you want to usenational language characters in user IDs or passwords.

The default locale for each language includes:

Table 2. Supported locales

Language Character encoding forAIX

Character encoding forLinux

Character encoding forSolaris

EnglishUTF-8 EN_USISO-8859-1en_US

UTF-8 en_US.utf8ISO-8859-1en_US

UTF-8 en_US.UTF-8ISO-8859-1en_US

FrenchUTF-8 FR_FRISO-8859-15 fr_FR

UTF-8 fr_FR.utf8ISO-8859-15 fr_FR

UTF-8 fr_FR.UTF-8ISO-8859-15 fr


Table 2. Supported locales (continued)

Language Character encoding forAIX

Character encoding forLinux

Character encoding forSolaris

BrazilianPortuguese UTF-8 PT_BR

ISO-8859-1 pt_BRUTF-8 pt_BR.utf8ISO-8859-1 pt_BR

UTF-8 pt_BR.UTF-8ISO-8859-1 pt_BR

SpanishUTF-8 ES_ESISO-8859-15 es_ES

UTF-8 es_ES.utf8ISO-8859-15 es_ES

UTF-8 es_ES.UTF-8ISO-8859-15 es

JapaneseUTF-8 JA_JPEUC ja_JP

UTF-8 ja_JP.utf8UTF-8 ja_JP.UTF-8EUC ja

KoreanUTF-8 KO_KREUC ko_KR

UTF-8 ko_KR.utf8EUC ko

UTF-8 ko.UTF-8EUC ko_KR

SimplifiedChinese UTF-8 ZH_CN

GB2312 Zh_CNUTF-8 Zh_CN.utf8GB2312 zh

UTF-8 zh.UTF-8GB2312 zh_CN.gb2312

TraditionalChinese UTF-8 ZH_TW

BIG5 Zh_TWUTF-8 Zh_TW.utf8BIG5 zh_TW.BIG5

UTF-8 zh.UTF-8BIG5 zh_TW.big5

GermanUTF-8 DE_DEISO-8859-15 de_DE

UTF-8 de_DE.utf8ISO-8859-15 de_DE

UTF-8 de_DE.UTF-8ISO-8859-15 de

ItalianUTF-8 IT_ITISO-8859-15 it_IT

UTF-8 it_IT.utf8ISO-8859-15 it_IT

UTF-8 it_IT.UTF-8ISO-8859-15 it

For AIX, the message catalogues are installed as separate packages. You mustinstall support for a locale before you can install the message catalogue for thatlocale. It is best to install using smitty under "Install and Update from ALLAvailable Software" and select the message catalogues you want to install.

For Linux and Solaris, NLS support for all languages is installed automaticallywith the single run-time package.

Other locales are supported if you are running commands in a console. Theselocales include:

Table 3. Additional locales for command line usage

Language / characterencoding

Support for AIX Support for Linux Support for Solaris

English ASCII — C C

English IBM-850 En_US — —

French IBM-850 Fr_FR — —

Spanish IBM-850 Es_ES — —

Japanese SJIS Ja_JP ja_JP.ujis ja_JP.PCK

Korean IBM-949 Ko_KR — —

Traditional ChineseEUC

zh_TW — —


Table 3. Additional locales for command line usage (continued)

Language / characterencoding

Support for AIX Support for Linux Support for Solaris

Simplified ChineseEUC

zh_CN — —

Italian IBM-850 It_IT — —

Japanese EUC ja_JP.euc

Using access manager logsThe access manager and the secure access manager have files that log messagesabout the communication between the Connection Manager and the accessmanager and also between the Gatekeeper and access manager. Note that theaccess manager passwords are in-the-clear in the message log file when theoperation being performed involves a password change.

The access manager message log file is wgmgrd.log. To view this files, log in asroot to the access manager system. These files are located in /var/adm/ on AIX,Linux, or Solaris. On Windows, these files are located in the installation directoryunder logs\. To change the default location:1. Double-click the Access Manager in the left pane on the Resources tab.2. Click the Logging tab.3. Edit the Log file field for the location of the access manager log or the SSL log

file for the location of the secure access manager.

You can reset the log files to rename the old files and begin new ones. Therenamed files have the day's date appended to the log file name. In the case ofmore than one reset on a given day, a timestamp is appended to the filename. Toreset the log files:1. Right-click the Access Manager in the left pane on the Resources tab.2. Click Reset log files.3. Choose whether to reset all files or individual files.

On the Connection Manager for Windows only, if another Gatekeeper session isattached during the reset process, that session will continue logging to the backupcopy of the log file, rather than reset wgmgrd.log file. Also, the backup copycannot be deleted from the file system until all other Gatekeeper sessions haveended.

Using Connection Manager logsThe Connection Manager stores troubleshooting information in message, account,and trace logs.

Connection Manager logs are stored in files or, in the case of accounting andbilling information, a relational database or a file. All Connection Manager logsstored in files are viewed using the Gatekeeper. Each log is viewable separately. Anadministrator can only view logs if the administrator ID has an additional accessenabled by an ACL profile with at least Read-only access to the ConnectionManager.

The log files and their default file names are:


MessageStores messages for a single Connection Manager. The default file iswg.log. This file is located in /var/adm/ on AIX, Linux, or Solaris. OnWindows this file is located in C:\Program Files\IBM\ConnectionManager\Connection Manager\logs\.

AccountStores account records, such as for an MNI or SMS clients. The account logshows what activity is occurring on the Connection Manager by showingthe number of packets transferred outbound from the Connection Managerand inbound from the mobile device. When configured to use a file, thedefault file is wg.acct. This file is located in /var/adm/ on AIX, Linux, orSolaris. On Windows this file is located in C:\ProgramFiles\IBM\Connection Manager\Connection Manager\logs\.

See “Account log” on page 37 for more information.

Trace All packet data transmitted to and received from a Mobility Client can bestored in the mobile access services trace file. The default file name iswg.trace. This file is located in /var/adm/ on AIX, Linux, or Solaris. OnWindows this file is located in C:\Program Files\IBM\ConnectionManager\Connection Manager\logs\.

Note that the trace log contains a trace of all packet data for Mobility Clients thathave the trace turned on. The message log can be filtered to contain specific levelsof logging information or specific devices or user IDs.

You should maintain your message, account, and trace logs regularly. Yourbusiness needs dictate whether you keep historical records as well as how oftenyou start new records. For database records, this means archiving and purgingrecords. To purge accounting and billing records, use the -p parameter with thewg_acct command. See “Account log” on page 37 for more information. Afterpurging records, you can reclaim disk space.

For log files, you should reset (rename the old files and begin new ones) themregularly using Gatekeeper:1. Double-click the Connection Manager in the Resources tab.2. Right-click the Connection Manager in the right pane and select Reset files.3. Choose whether to reset all files or individual files.

Alternatively, you can use the Connection Manager command line to reset all logfiles. Enter chwg -r acct | trace | log | all

If message, account, or trace information is not stored in a file, as expected, theremight not be sufficient storage available in the file system.

To check the file system on AIX, enter:df

to produce this output:


Check the /var file system. If it is full, make space available to allow theConnection Manager to write to the log file.

If necessary, compress or back up the old files before deleting them. If activeprocesses have opened the files, terminate the processes to release the files. Forexample, if you are using the tail command to display the log file, terminate thetail process before you work with the file.

Message logWhen problems occur, check the message log file for error messages first.

Messages generated by the Connection Manager are stored in the message log file.The log file contains plain ASCII text.

You can control the level of detail that is logged by specifying the types ofmessages using Gatekeeper:

DebugData used for problem analysis

Error Messages about unexpected events on which you need to take action

Log General information messages

Status Dump of status information, such as packet rates, byte rates, and systemload

TCP-LiteMessages about data using the TCP-Lite transport

Trace-IPHexadecimal dump of only IP-related data packets

Trace-dataHexadecimal dump of data packets

WarningMessages about events on which you might or might not need to takeaction

To specify message types for logging:1. In the left pane, right-click the Connection Manager for which you want to

specify message logging and click Properties.2. Click the Logging tab to view the current settings for messages.3. Use the check boxes or the All or None buttons to change the message types

that are logged.4. Click OK.

You can set the maximum size of the message log file. Click the Logging tab on aConnection Manager, then enter the maximum size of the message log file in MB.When the maximum file size is reached, the file is renamed in the form wg.log.bak.

Filesystem Total KB free %used iused %iused Mounted on/dev/hd4 8192 1980 75% 749 36% //dev/hd9var 16384 5868 64% 105 2% /var/dev/hd2 253952 30252 88% 13338 21% /usr/dev/hd3 8192 6016 26% 53 2% /tmp/dev/hd1 4096 1012 75% 71 6% /home

Figure 5. Sample output of df command listing file system usage - AIX


You can specify the allowable number of backup files that are saved. Also on theLogging tab, enter the number of backup files allowed, up to a maximum of 10files. If you specify zero (0), no files are backed up. When the maximum file size isreached, the file is truncated to 0 bytes, then logging continues at the beginning ofthe message log file.

To troubleshoot a problem with a specific account, restrict message logging todisplay only an individual user ID or device: Also on the Logging tab, clickRestrict what is logged and choose between Log only one user or Log only onedevice, then specify the user or device.

Note:

1. Initial log statements, such as data logged before a login session iscomplete, will not get logged.

2. Very low level port data, such as X.25 line data or dial-TCP frames arenot logged because neither the device, typed key, or account values areknown.

3. If a device roams to a different IP address, then the new session is notlogged because the device key (IP address) no longer matches.

4. If a device is connected through an MNI that uses network addresstranslation (NAT) or an external DHCP server with NAT, then the NATaddress is the one that must be specified and not the device's IP address.

Account logCheck the account log file for records concerning individual accounts.

To set whether accounting records are recorded using Gatekeeper, click theAccounting and billing tab on a MNI or messaging services properties notebook.Select the Packet check box.

For an MNI, you can control the level of account records logged by selecting alllog levels or none, or one or more log levels.

If you want to store accounting records in a file or database, you must:1. In Gatekeeper, right-click the Connection Manager and select Properties. On

the Accounting and billing tab, make sure that the Write Accounting andbilling records check box is selected. Then select the appropriate radio buttonto save accounting records to either the local file system or to a database.

2. In Gatekeeper, right-click the MNI and select Properties. Use the Accountingand billing tab to select the desired level of account logging from the followinglist. If you select None, then account logging is disabled.

Login Events that occur when Mobility Clients establish a connection tomobile access services.

LogoutEvents that occur when Mobility Clients disconnect from mobile accessservices.

ConnectEvents that occur when a Mobility Client negotiates a dial-upconnection with a modem on the mobile access services. On a initialdial-up session with the mobile access services, the Mobility Client'sphysical connection is established, then login is established.


DisconnectEvents that occur when a dial-up connection is disconnected from amodem on the mobile access services.

Packet Data that records and accounts for each packet. By default, this loglevel is turned off.

SessionData that records the duration of a session from login to logout.

Hold Data that records when Mobility Clients are in short-hold mode andphysical connections are dropped, but login connections aremaintained.

You can stop account logging on an individual MNI or for an entire ConnectionManager. To stop account logging for an MNI, click the Accounting and billingtab on an MNI, then click None. To stop account logging for a ConnectionManager, click the Accounting and billing tab on a Connection Manager, thenclick Write accounting and billing records to the following.

After you clear the Write accounting and billing records to the following checkbox, you can still modify the relational database configuration or modify the pathof the file.

Using the wg_acct commandDisplay the account records using the wg_acct command.

In addition to using the Gatekeeper to view logs, you can use the commandwg_acct to access and display the account records in a number of different formatsand filtered according to criteria based on the flags passed to the command line.Note that most commands require the command wg_acct -T pkt to see theMobility Client traffic.

When filtering packets, make sure that Packet is selected in the Accounting modefield of the Accounting and billing tab of the mobile network interface (MNI).

PurposeAccess and display the account records in a number of different formats andfiltered according to criteria based on the flags passed.

When filtering packets, make sure that Packet is selected in the Accounting modefield of the Accounting and billing tab of the mobile network interface (MNI) inGatekeeper.

Note that this utility displays columns headers only in English. When using thewg_acct utility and a locale other than English on AIX and Solaris platforms,switch to a UTF-8 locale on the command line. If you do not use a UTF-8 locale,then the output does not display correctly when using the command line todisplay the account records. The wg_acct utility does not support non-English userIDs on Linux distributions.

Syntaxwg_acct

-c MNCType

-C

-d

-e End


-f

-F OutFileName

FileName

-h

-I

-l Count

-m MobileClient

-M MobileMask

-n

-o OtherDevice

-O OtherMask

-p Days

-P Platform

-s Start

-S

-t

-T failedlogin|login|logout|connect|disc|session|hold|natmaps|roam|pkt|smspkt-u Userid

DescriptionUse the wg_acct command to access and display the account records in a numberof different formats and filtered according to criteria based on the flags passed.

When you run wg_acct, it generates column headers on the first line, followed aline-by-line detailed output of every packet in the record. The column headers are:

DirectionFrom the database perspective, X'00' indicates packets are inbound fromthe mobile device (mobile origination) and X'01' indicates packets areoutbound to the mobile device (Connection Manager origination). From thecommand line perspective, a left arrow indicates that packets are inboundand a right arrow indicates that packets are outbound.

#Pkts The total number of packets for the particular direction

IP The size of unaltered, original IP packet

Red Packet size after IP header reduction, if any.

Comp Packet size after compression, if any.

Cryp Packet size after encryption, if any.

Fram Packet size after any necessary protocol framing

Sent Size of transmitted packet after appropriate reduction, compression,encryption, or framing

Note that most commands require the flag wg_acct -T pkt to see the MobilityClient traffic.

Enter wg_acct -? to list the usage statement.


Flags-c MNCType

Filters packets for packets on a given MNC. Valid values for MNCTypeinclude MNC type identifiers, such as ip-lan, sms, ardis-tcp ordataradio-msc. For example: wg_acct -c sms

-C Generates a compressed format by reducing the number of columns, suchas the timestamp and user ID columns.

-d Generates a summary based on the IP addresses of all connected MobilityClients or mobile devices.

-e End End time for packet filter as specified by timestamps, the format of whichis yymmdd[.hhmmss].

-f Does not stop at end-of-file or end of database records, but continuesrunning and displaying new entries as they occur (similar to tail -f).

-F OutFileNameDirect output to OutFileName. An output file created with the -F flagcannot be used as input for the FileName flag.

FileNameRead input from FileName, other than default. This parameter is onlyavailable when storing accounting and billing records in a file and isignored when using a relational database. This file is located in/var/adm/ on AIX, Linux, or Solaris. On Windows this file is located inC:\Program Files\IBM\Connection Manager\logs.

-h Does not generate the column header line or the packet total summarylines. When you run wg_acct, it generates column headers on the first lineand packet total summary lines at the end of the output. Use this flag tosuppress the column headers and packet total summary lines.

-I Displays connection information obtained at login for the WLP version,Mobility Client version, platform type, and platform description. The stringN/A is inserted when the client does not provide the information. This flagmust be used in conjunction with flag -T login.

-l CountSkips the first Count-1 records and begins processing input at packet recordnumber Count, where Count is an integer.

-m MobileClientFilters packets for a given IP address, where MobileClient equals adotted-decimal IP address (Note: This is the VPN address assigned by theConnection Manager for the session) or host name (Note: This assumesthat the hostname can be resolved into an IP address via DNS or localhosts file).

-M MobileMaskFilters packets from all addresses that are within a subnet (MobileMask).This flag is only used with -m flag and lets you apply a subnet mask tothe IP address as specified in the -m flag.

-n Reverse the current packet filter to display only packets that would havebeen ignored. This flag works in conjunction with other flags excluding the-T flag. Using the -n flag by itself or only with the -T flag has an undefinedresult.

-o OtherDeviceFilters packets for the IP address on the other end of the packet, where


OtherDevice equals a dotted-decimal IP address or host name. For example,if you want to see all packets going to or coming from 38.38.130.9, youcould specify -o 38.38.130.9.

-O OtherMaskFilters packets from all addresses that are within a subnet. This option isonly used with the -o flag and lets you apply a subnet mask (OtherMask) tothe IP address as specified in the -o flag.

-p DaysPurge database records that are older than the specified days parameter.For example, specify wg_acct -p 90 to delete all records older than 90 daysor specify wg_acct -p 0 to delete all records in all tables. Combine the pparameter with the T parameter to specify the packet type to delete. Forexample, specify wg_acct -p 30 -T pkt to delete all records older than 30days in the WLP data packet table or specify wg_acct -p 0 -T session todelete all session records.

-P PlatformFilter packets to display only login records from a given platform type.Combine the P parameter with the T parameter to specify the packet typeto display.

1 - Reserved2 - Reserved3 - MAC4 - Reserved5 - Reserved6 - Windows 32-bit7 - Windows CE8 - Reserved9 - Reserved10 - Reserved11 - Reserved12 - Reserved13 - Reserved14 - Reserved15 - Linux

-s StartStart time for packet filter as specified by timestamps, the format of whichis yymmdd[.hhmmss].

-S Does not check the version. The Connection Manager inserts a versionrecord into the log at start-up to indicate the format. If wg_acct checks thisformat and does not understand it, the command does not execute. Usethis flag to skip the version check and execute the command.

-t Generates only a summary. Instead of generating a line-by-line detailedoutput of every packet in the file, this flag generates a summary of thenumber of bytes transmitted/received, compression, header reduction,encryption etc.

-T [failedlogin | login | logout | connect | disc | session | hold | natmaps |pkt | smspkt | roam]

Filters packets based on type (default = pkt). If you use more than one -Tflag, only the last one is used.


-T failedloginFilters only packets resulting from a Mobility Client's failed loginattempts. For each failed login attempt the following information isdisplayed: Date/Time, User, IP Address, MNC, Device and Event

-T loginFilters only packets resulting when a Mobility Client establishes aconnection to mobile access services. For each login attempt thefollowing information is displayed: Date/Time, User, IP Address,MNC, Device and Event

-T logoutFilters only packets resulting when a Mobility Client disconnectsfrom mobile access services. For each logout the followinginformation is displayed: Date/Time, User, IP Address, MNC,Device, Event Duration, PktIn, PktOut, BytIn, BytOut, DscPkt,RxmtPkt, DscByte and RxmtByt (Dsc = discard, Rxmt = retransmit)

-T connectFilters packets containing data resulting from the Mobility Client'sconnection to mobile access services. Displays records generatedwhen a dial-up or http MNC based session is moved out of ashort-hold state and resumed. The following information isdisplayed: Date/Time, User, IP Address, MNC, Device and Event

-T discFilters only packets that result from the disconnection of a dial-upconnection from a modem on the mobile access services. Displaysrecords generated when a dialup or http MNC session is movedinto a short hold state. The following information is displayed:Date/Time, User, IP Address, MNC, Device, Event Duration, PktIn,PktOut, BytIn and BytOut

-T sessionFilters packets that record the duration of a session from login tologout. Displays records generated by all session related events(login/logout/roam/keyrotation). The following information isdisplayed: Date/Time, User, IP Address, MNC, Device, EventDuration, PktIn, PktOut, BytIn, BytOut, DscPkt, RxmtPkt, DscByteand RxmtByt (Dsc = discard, Rxmt = retransmit)

-T holdFilters only packets generated when physical connections forMobility Clients in short-hold mode are dropped while their loginconnections are maintained. Displays records generated by HOLDstate due to drop in line driver to mobile network. This is valid formobitex/datatac only.

-T natmapsDisplays records showing the physical and virtual endpoints ofapplication level traffic running across the Connection Manager'snetwork address translator resources. Applies only in the casewhere network address translator resources have been defined. Thefollowing information is displayed: Mobile Address, Mobile Port,NAT Address, NAT Port, DstAddress, DSTPort User andDate/Time

-T pkt Filters only IP packet traffic. Each IP packet generates anaccounting record containing information about what was done tothe packet, sizes, etc. Displays records showing where the packet


was going, what effects encryption and compression had on thesize and what size was actually sent over the air. The followinginformation is displayed: Date/Time, MNC, Device, IP, Red, Comp,Cryp, Fram, Sent, Other Device and Mobile Client

-T smspktFilters only SMS message packet traffic. Displays records similar topkt except it lists PPG related message accounting information. Thefollowing information is displayed: Date/Time, Bearer, MType,Data, Client and Destination

-T roamFilters only packets generated by Mobility Client roaming events.When the Mobility Client sends a request to the ConnectionManager to roam from one interface to another, the ConnectionManager determines if the request is valid, and if so, it generates aroam record. Displays records generated when a session is roamedto a new device. The following information is displayed:Date/Time, User, IP Address, MNC, Device, Event, Duration,PktIn, PktOut, BytIn and BytOut

-u UserIDFilters packets for the given user ID. By default, an exact distinguishedname comparison is performed, unless wildcard characters ('*') are used. Ifwildcards are used, be sure to enclose the user ID in double quotes ("").For example, -u "*any*" will filter on all user IDs containing the string"any".

Note: UserID is the users full distinguished name, for example:

wg_acct -u uid=sunny,o=ibm,c=us

Examples1. To delete all records older than 90 days:

wg_acct -p 90

2. To delete all records in all tables:wg_acct -p 0

3. To delete all records older than 30 days in the WLP data packet table:wg_acct -p 30 -T pkt

4. To delete all session records.wg_acct -p 0 -T session

5. To filter packets for a given type, such as logout packets:wg_acct -T logout

6. To filter packets for a user ID:wg_acct -u uid=sunny,o=ibm,c=us

where uid=sunny,o=ibm,c=us is the full distinguished name of the user7. To filter packets for an IP address or host name:

wg_acct -m lachrymose

where lachrymose is the host name of the Mobility Client8. To filter packets for a subnet:

wg_acct -M 255.255.255.0

where 255.255.255.0 is the subnet mask.9. To filter packets for an MNC type:


wg_acct -c sms

where sms is the MNC type identifier10. To filter packets beginning at a particular minute on a given date:

wg_acct -s 021218.131300

where the start time is 1:13 PM on December 18, 2002

Trace logYou can log individual users' IP/PPP level of trace information.

By default, tracing is turned off. To start tracing, use the Gatekeeper to display theproperties of the user you want to trace, then click Start trace on the Account tab.To stop tracing, clear the Start trace check box.

To view trace logs, you must be logged in as root.

Important: Set tracing off during normal operation. Because all traffic is recordedwithout encryption, tracing should not be turned on without the knowledge of theperson using the user ID which is being traced.

Testing for UDP packet lossUse the wcecho utility to test for UDP packet loss between the Mobility Client andthe Connection Manager.

For Mobility Clients using the Linux or desktop Windows systems, the wcechoutility is a user datagram protocol (UDP)-based ping program that lets you test forUDP packet loss. The Connection Manager system must have the UDP echo serviceenabled. The wcecho utility is only available in English.

Note: For Windows systems, you must download the Utilities for Subsystem forUNIX-based Applications package before you can install the echo server.

Enable the UDP echo service on the Connection Manager, then run the wcechoutility:1. Stop the Connection Manager.2. Change the echo service to allow traffic to flow on the same port as the

Mobility Client. Modify the /etc/services file and set the line: echo 7/udp toecho 8889/udp.

Note: Use the port number you have configured for mobile access services. Bydefault, that port is 8889.

3. Modify the Internet daemon being used: xinet or inet.

AIX Modify the file /etc/inetd.conf and remove the comment mark (#) onthe line that begins with #echo dgram udp. Then, refresh the daemon byrunning: refresh -s inetd .

Linux Using xinetd, modify /etc/xinetd.d/echo-udp to enable it and sendSIGUSR1 or SIGUSR2 to the xinetd process. Using inetd, modify the file/etc/inetd.conf and remove the comment mark (#) on the line thatbegins with #echo dgram udp. Then, send SIGUSR1 to the inetd process.




SolarisModify the file /etc/inetd.conf and remove the comment mark (#) onthe line that begins with #echo dgram udp. Then, send SIGUSR1 to theinetd process.

WindowsMake sure that you have the Windows operating system componentSimple TCP/IP Services running. To install Simple TCP/IP Services:a. From Add/Remove Programs, click Add/Remove Windows

Components.b. Click Networking Services, then click Details.c. Select Simple TCP/IP Services, click OK, then click Next.d. Select the operating system installation CD location, click Next, then

click Finish.4. On the Mobility Client from the installation directory, run the wcecho

command using the syntax that you want.

Syntax for wcecho utility

wcecho host

-c count

-i wait

-p port

-s size

Flags for wcecho

-c countDetermines the number of packets to send

host Determines the dotted-decimal IP address or host name of the ConnectionManager.

-i waitDetermines the amount of time in milliseconds to wait between sendingpackets.

-p port Determines the port number on which to send the packets.

-s size Determines the size of the packet to send.

Troubleshooting tipsThese are common hints that can help you troubleshoot problems with theConnection Manager.v In some cases, loss of network connectivity between the Connection Manager

and the DB2 server requires that the Connection Manager be stopped , thenrestarted. For example, when the database management system (DBMS) does notautomatically reestablish a connection to the database when connectivity isrestored, restart the Connection Manager.

v If you need to reconfigure your directory service server (DSS) database usingLDAP, shut down the Connection Manager, reconfigure the directory servicedatabase, then enter mkwg -Z. Log in using the Gatekeeper and reconfigureyour resources. The mkwg -Z command forces the Connection Manager to checkthe DB2 configuration and LDAP schema and update them if required. It alsoupdates the list of installed components.


v Pings from a Mobility Client can be misleading: they can time-out and return anegative response because, by the time the packets eventually return, the ping isno longer listening. To make sure there is enough time to traverse the network,enter ping -w <milliseconds>, where milliseconds is the number of milliseconds.

v A power-saving modem can cause the mobile access services to stop deliveringpackets if the modem sleeps. If the network provider server tries to contact theMobility Client and the modem is at the beginning of a two-minute sleepinterval, the server waits until its timeout period elapses (typically less than twominutes), then concludes that the Mobility Client could not be reached.

v Signal strength is not always a reliable predictor of coverage. On Windowssystems, the Mobility Client tool bar provides a relative strength indicator andan in-or-out-of-range detector; however, these two readings do not alwayscorrelate.

v When using DB2 Version 8.1, increasing numbers of defunct DB2 processes canaccumulate for both the Connection Manager DB2 instance and the LDAP DB2instance. The Connection Manager is not responsible for these defunct processeswhich are owned by the DB2 db2fmcd (Fault Manager) process. Restarting theConnection Manager does not clear up the defunct processes. Stopping andrestarting the DB2 Fault Manager can clear up the current defunct processes butnew ones will begin to accumulate after the DB2 Fault Manager restarts. Thisproblem has been addressed in DB2 8.1 Fixpak 4.

v To view the packet flow through the Connection Manager, use the wg_monitorutility.wg_monitor [-s <refresh rate>]

[-g <gateway>][-p <port>]

See the Administrator's Guide for more information about using this command.v See www.ibm.com/support/entry/portal/Overview/Software/Lotus/

Lotus_Mobile_Connect for the latest information and Technotes for theConnection Manager.

Finding broadcast errors when using mobile access servicesBroadcast errors are typically missed message transmissions or extra messagetransmissions.

Causes for apparently missed messages can include:v Mobility Client is out-of-range, or the modem or mobile device is turned off.

Broadcast data is sent only once and not automatically sent again after a failureto acknowledge

v The mobile device is assigned to the address for another radio networkv The manually created “all users” group is not up-to-date (Dataradio only)v Loss or corruption of configurable address on mobile devicev Message originator specified incorrect value for Category of Message. The

Category of Message determines whether the message is written to the user'sscreen or to one of the ports that a user application is monitoring.

v The message originator was not authorizedv Mismatch between the group addresses in the mobile access services and those

in the network provider's list

Causes for extra messages are:




v Message originator specified multiple groups, and the network had a mobileuser who was a member of each group

v Message originator who specified both group AllRnc300 (which has Dataradioadditions) and a Dataradio group name

v A radio data network (RDN) had multiple connections to the same mobile accessservices

Check the error log to see if a message could be sent to anyone. Broadcasts thatcan transmit to at least one group are considered successful. Only failed attemptsat sending a message to any group are logged as errors (for example, incorrectgroup name, nonexistent RDN, nonexistent Category of Message, unauthorizedmessage originator).

Determining the status of an X.25 link on AIXYou can query the status of the X.25 link used by the Connection Manager.

When troubleshooting a problem, you can query the status of the X.25 link used bythe Connection Manager, such as an X.25 adapter or an X.25 connection.

lsdev Query the status of an X.25 adapter

x25mon Monitor X.25 data flow.

x25statusDetermine the status of an X.25 link.

Monitoring X.25 data flowUse the x25mon command to determine what information is flowing between anX.25 adapter and the network line.

Use this command:x25mon -f -n sx25a0

to generate this output:

The output shows the data packets transmitted at the X.25 HDLC level. Theidentifier FR (frame received) in the third column identifies a received data packet.A hex dump of this packet starts in column 10. The identifier FS (frame sent) incolumn 3 identifies a packet sent.

x25mon: started at Sat May 23 10:27:15 1998Command issued : x25mon -f -n sx25a010:27:16 sx25a0 FR 0 INFO 3 0 1 6 1008A04D4900000000EEEEFFFF000015C03033746531B04B0 4065FB4500B527282FB19481E359840A9F64D894E5AD4F445CE00217214DE88C1972889B8A 5C060A922C0F0 AAD1DBDCFC8C527E10:27:16 sx25a0 FS 0 RR 3 0 710:27:16 sx25a0 FS 0 INFO 1 0 7 1 10082110:27:16 sx25a0 FR 0 INFO 3 0 2 7 1007EA4D4900000000EEEEFFFF000015C03033746531B02FC 806AE8D0843DCE0701A74FEB9CC6D4ACDD1517CCDE1A65095580EDC711D9525EC31B8CBDBDC1162C4973D7E10:27:16 sx25a0 FS 0 RR 3 0 010:27:16 sx25a0 FS 0 INFO 1 0 0 2 1007C110:27:16 sx25a0 FS 0 INFO 1 0 0 3 10082A485215010100EEEEFFFF000000313315C0303374653 110C9CF006BF41EA78883F6E9BF4B58A5FF71FF5FAF13832DC7C91DFEFD7307243D3CC4227E10:27:16 sx25a0 FR 0 INFO 3 0 4 0 1008C110:27:16 sx25a0 FS 0 RR 3 0 1

Figure 6. Sample output of x25mon command showing send and receive data flow


Sending network management trapsYou can configure the Connection Manager to send traps to a Tivoli® NetView®

network management station.

You can configure the Connection Manager to send traps when different eventsoccur, such as the starting or stopping of the Connection Manager. These traps arelogged by your simple network management protocol (SNMP) managementstation.

To enable the sending of traps to the Tivoli NetView management station, youmust give the host name of the network management station when you create theConnection Manager. You must also prepare the Tivoli NetView program to receivetraps from the Connection Manager.

Trap variablesThe Connection Manager supports version 1 SNMP traps.

The Connection Manager object identifier (OID) is 1.3.6.1.4.1.2.6.102.*, where * isthe Code documented in Table 4 on page 49. The Connection Manager does notsupport a management information base (MIB) query.

All of the traps generated by the Connection Manager consist of five parameters orvariables of type string.

Variable 1Describes the event causing the trap.

Variable 2A specific address of the referenced device. This address can be an IPaddress, a combination of several addressing parameters, or can be blank ifaddressing does not apply.

When this variable is an IP address, it relates directly to the ActvKey fieldin the ActiveSessionAttribute table. Note that the IP address (ActvKey) isthe private (Connection Manager-assigned) IP address.

Variables 3 and 4Trap-dependent additional information or blank.

When variable 3 is a device name, it relates directly to the DevKey field inthe ActiveSessionAttribute table. Note that the device name (DevKey) isthe public (carrier's) IP address. When variable 4 is a network interface, itrelates directly to the MNC field in the ActiveSessionAttribute table.

Variable 5Timestamp in plain ASCII, because the standard timestamp of the SNMPpacket is coded.

When this variable is a timestamp, it relates directly to theLoginTimeStamp field in the ActiveSessionAttribute table.

Trap severityA severity code is added below each trap. The severity code is not included in thetrap; it is added when the NetView trap daemon is configured. The followingdescribes each severity code:

CLEAREDEstablishment of a normal status


INDETERMINATEInformational messages

WARNINGPossible system errors

MINORLow-priority error; for example, failure in an end system

CRITICALMedium-priority error; for example, failure of a component between acentral system and an end system

MAJORHigh-priority error; for example, failure of a central key component

Trap descriptionsThe tables in this section describe each trap.

Note:

1. The origin of the trap is denoted by the first two letters of the firstvariable. Traps sent by the Connection Manager use AG.

2. The 120390 and 120391 traps are for completeness and not necessarilyused in the current implementations of trap-generating components.

Table 4. Formats and descriptions of Connection Manager traps

Code / Severity Variables Description

120265 CLEARED 1. "AG: startup"

2. Host name of gateway server

3. (blank)

4. (blank)

5. Timestamp

Connection Manager software isstarting.

120266 MAJOR 1. "AG: shutdown"


3. (blank)

4. (blank)

5. Timestamp

Connection Manager software isterminating.

120267 CLEARED 1. "AG: connection open"

2. IP address/netspec. info

3. Device name

4. Network/interface[/fleet]

5. Timestamp

Transition CLOSED->OPEN Themobile device now has the option toestablish a connection.

120268INDETERMINATE

1. "AG: connection established"


3. Device name


5. Timestamp

Transition OPEN/(SHORT)HOLD->CONNECTED The mobile device isnow logged on.


Table 4. Formats and descriptions of Connection Manager traps (continued)


120269INDETERMINATE

1. "AG: connection terminated"


3. Device name


5. Timestamp

Transition CONNECTED/(SHORT)HOLD->OPEN The mobiledevice is now logged off.

120270 MINOR 1. "AG: connection dropped"


3. Device name


5. Timestamp

Transition OPEN / CONNECTED /(SHORT)HOLD-> CLOSED

120271 WARNING 1. "AG: connection on hold"


3. Device name


5. Timestamp

Transition CONNECTED->HOLD

120272 WARNING 1. "AG: connection on short hold"


3. Device name


5. Timestamp

Transition CONNECTED->SHORT_HOLD.

120273INDETERMINATE

1. "AG: connection deleted"


3. Device name


5. Timestamp

A connection was removed from theConnection Manager.

120274INDETERMINATE

1. "AG: connection created"


3. Device name


5. Timestamp

A new connection was added to theConnection Manager.

120275 MINOR 1. "AG: authentication failed"


3. Device name


5. Timestamp

An authentication error was madeduring the logon procedure.

120276 MINOR 1. "AG: protocol error"


3. Device name


5. Timestamp

An error occurred in the PPPprotocol.


Table 4. Formats and descriptions of Connection Manager traps (continued)


120277 MINOR 1. "AG: invalid data management"


3. Device name

4. Network/interface

5. Timestamp

A client login session has refused adata management option set by theConnection Manager.

120288 WARNING 1. "AG: mnc failed to connect"

2. MNC name

3. Target carrier address

4. (blank)

5. Timestamp

An MNC could not make aconnection to the network carrier ormessage center.

120289INDETERMINATE

1. "AG: connection established"


3. Device name


5. Timestamp

The mobile session has roamed to anew device.

120320 MAJOR 1. "AG: connect failed"


3. (blank)

4. (blank)

5. Timestamp

The messaging servicesfailed toconnect to backend application server.

120321 WARNING 1. "AG: device authentication failure"


3. (blank)

4. (blank)

5. Timestamp

The messaging client device failedauthentication with the messagingservices.

120322 CRITICAL 1. "AG: Messaging services - deadlock detected,restarting gateway"

2. "Deadlock detected by messaging gateway. Savingqueued messages and restarting ConnectionManager."

3. (blank)

4. (blank)

5. Timestamp

When messaging services detect thatthe Connection Manager has becomedeadlocked, it saves queued messagesto the database, generates a core filefor debugging, restarts theConnection Manager, and resumessending the queued messages.

120390 MINOR 1. "AG: error"


3. Errortext 1

4. Errortext 2

5. Timestamp

Other errors

120391 WARNING 1. "AG: warning"


3. Warningtext 1

4. Warningtext 2

5. Timestamp

Other warnings


Chapter 2. Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document inother countries. Consult your local IBM representative for information on theproducts and services currently available in your area. Any reference to an IBMproduct, program, or service is not intended to state or imply that only that IBMproduct, program, or service may be used. Any functionally equivalent product,program, or service that does not infringe any IBM intellectual property right maybe used instead. However, it is the user's responsibility to evaluate and verify theoperation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matterdescribed in this document. The furnishing of this document does not give youany license to these patents. You can send license inquiries, in writing, to:

IBM Director of LicensingIBM CorporationNorth Castle DriveArmonk, NY 10504–1785USA

For license inquiries regarding double-byte (DBCS) information, contact the IBMIntellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia CorporationLicensing2-31 Roppongi 3-chome, Minato-kuTokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any othercountry where such provisions are inconsistent with local law:INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THISPUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHEREXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESSFOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express orimplied warranties in certain transactions, therefore, this statement may not applyto you.

This information could include technical inaccuracies or typographical errors.Changes are periodically made to the information herein; these changes will beincorporated in new editions of the publication. IBM may make improvementsand/or changes in the product(s) and/or the program(s) described in thispublication at any time without notice.

Any references in this information to non-IBM Web sites are provided forconvenience only and do not in any manner serve as an endorsement of those Websites. The materials at those Web sites are not part of the materials for this IBMproduct and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way itbelieves appropriate without incurring any obligation to you.

53

Licensees of this program who wish to have information about it for the purposeof enabling: (i) the exchange of information between independently createdprograms and other programs (including this one) and (ii) the mutual use of theinformation which has been exchanged, should contact:v IBM Corporationv P.O. Box 12195v 3039 Cornwallis Roadv Research Triangle Park, NC 27709-2195v USA

Such information may be available, subject to appropriate terms and conditions,including in some cases, payment of a fee.

The licensed program described in this document and all licensed materialavailable for it are provided by IBM under terms of the IBM Customer Agreement,IBM International Program License Agreement or any equivalent agreementbetween us.

Any performance data contained herein was determined in a controlledenvironment. Therefore, the results obtained in other operating environments mayvary significantly. Some measurements may have been made on development-levelsystems and there is no guarantee that these measurements will be the same ongenerally available systems. Furthermore, some measurement may have beenestimated through extrapolation. Actual results may vary. Users of this documentshould verify the applicable data for their specific environment.

All statements regarding IBM's future direction or intent are subject to change orwithdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily businessoperations. To illustrate them as completely as possible, the examples include thenames of individuals, companies, brands, and products. All of these names arefictitious and any similarity to the names and addresses used by an actual businessenterprise is entirely coincidental.

COPYRIGHT LICENSE: This information contains sample application programs insource language, which illustrates programming techniques on various operatingplatforms. You may copy, modify, and distribute these sample programs in anyform without payment to IBM, for the purposes of developing, using, marketing ordistributing application programs conforming to the application programminginterface for the operating platform for which the sample programs are written.These examples have not been thoroughly tested under all conditions. IBM,therefore, cannot guarantee or imply reliability, serviceability, or function of theseprograms. You may copy, modify, and distribute these sample programs in anyform without payment to IBM for the purposes of developing, using, marketing, ordistributing application programs conforming to IBM's application programminginterfaces.

If you are viewing this information softcopy, the photographs and colorillustrations may not appear.

The software included herein contains PPP Magic Number routines licensed byCarnegie Mellon University.


The software included herein contains derivatives of the RSA Data Security, Inc.MD5 Message-Digest Algorithm. This technology is licensed from RSA DataSecurity, Inc.

SNMP++ Toolkit aided in the development of the Connection Manager's NetworkManagement Support. SNMP++ Toolkit is copyright© 1999 Hewlett-PackardCompany.

TrademarksIBM, the IBM logo, and ibm.com are trademarks or registered trademarks ofInternational Business Machines Corporation in the United States, other countries,or both. If these and other IBM trademarked terms are marked on their firstoccurrence in this information with a trademark symbol (® or ™), these symbolsindicate U.S. registered or common law trademarks owned by IBM at the time thisinformation was published. Such trademarks may also be registered or commonlaw trademarks in other countries. A current list of IBM trademarks is available onthe Web at Copyright and trademark information (www.ibm.com/legal/copytrade.shtml).

Adobe, Acrobat, Portable Document Format (PDF), and PostScript are eitherregistered trademarks or trademarks of Adobe Systems Incorporated in the UnitedStates, other countries, or both.

Linux is a registered trademark of Linus Torvalds in the United States, othercountries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the UnitedStates, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and othercountries.

Other company, product, or service names might be trademarks or service marksof others.

Chapter 2. Notices 55

http://www.ibm.com/legal/copytrade.shtml

Index

Aaccess manager

logging files 34port used 30

account log fileusing 37using wg_acct command to display

records 38alerts, network management 48application troubleshooting checklist 26

Bbefore you call IBM Support 1broadcast errors 46

Cchange password port 30character encoding 32checklist

application 26Connection Manager 18data storage 23Gatekeeper 26Mobility Client 14

checklists 7code

determining Connection Manager 6determining Gatekeeper 7determining Mobility Clients 7determining version installed 6

commandsifconfig 28ipconfig 28netstat 28ps axw 29startsrc 30wg_acct 38x25status 47

Connection Managerdetermining service level of 6logging 34ports used 30troubleshooting checklist 18verifying processes 29

connection, status of X.25 link 47

Ddata storage troubleshooting

checklist 23DB2 troubleshooting 23default port numbers 30delete

accounting records 43determining code version 6determining the status of resources 28

directory servicetroubleshooting checklist 23

displaying account records 38downloads 6

Eenabling the portmap daemon 30encoding, character 32error

broadcast 46message log file 34recovery 1

Ffiles, using logs 34filtering account records 38finding broadcast errors 46

GGatekeeper

determining service level of 7troubleshooting checklist 26

generate accounting record summary 40globalization 32

Hhints and tips 45

IIBM Support Assistant

installing 3ifconfig 28IP-LAN send/receive port 30ipconfig 28

Kkeepalive 26

Llegal notices 53lightweight directory access protocol

(LDAP)troubleshooting checklist 23

locales, supported 32locating the problem 3log in and password problems 7logging files

types of 34using access manager 34using Connection Manager 34

Mmessage log file 36MIB (management information base)

query 48MNC

filter packets for 40Mobility Client

determining service level of 7filtering packets for 40log in and password problems 7login problems 10troubleshooting checklist 14

monitoring X.25 data flow 47

Nnational language support 32netstat 28network management, sending traps 48network providers, troubleshooting 1notices 53numbers, default port 30

Oobtaining service updates 6OID (object identifier) 48

Ppacket

filtering account records 40password

port, change 30problems with 7

persistent data storagetroubleshooting 23

portmap daemon 30ports numbers used 30problem determination 1processes, verifying Connection

Manager 29purge accounting records 41

Rrecords, displaying account 38reset logs 35resources, determining the status of 28roaming trap 51

Sservice level

Connection Manager 6determining version of code 6Gatekeeper 7Mobility Clients 7

57

service updates 6services file, updating for port number

changes 30severity code 48simple network management protocol

(SNMP) traps 48supported locales 32

Ttrace

log file, using 34starting 44

trademarks 55traps

description of 49network management 48severity 48variables 48

troubleshooting 10troubleshooting checklist

application 26Connection Manager 18data storage 23Gatekeeper 26Mobility Client 14

troubleshooting checklists 7troubleshooting problems 1troubleshooting tips 45

Uupdates, service 6

Vverifying Connection Manager

processes 29version

Connection Manager 6determining code installed 6Gatekeeper 7Mobility Clients 7

Wwg_acct 38wg_acct command 38wgated process 29wgattachd process 29

XX.25 link

monitoring data flow 47verifying installation 47


��

Printed in USA