Difference between revisions of "Troubleshooting Tips"
From Tech-Wiki
| (6 intermediate revisions by the same user not shown) | |||
| Line 4: | Line 4: | ||
If you are facing strange behavior, in an advanced/illogic scenario, evaluate/review the following items in this order: | If you are facing strange behavior, in an advanced/illogic scenario, evaluate/review the following items in this order: | ||
# Policy | # Policy | ||
| + | # NAT (correct NAT mode? Does it require manual proxy arp?) | ||
# Routing | # Routing | ||
| − | # Anti-spoofing | + | # Anti-spoofing (even from return packet, check logs in opposite direction) |
| − | # VPN Encryption domain | + | # VPN Encryption domain (for your and remote peer) |
| − | # IPS | + | # IPS (Use command: ips off) |
| − | # Connection Limit | + | # Connection Limit (fw ctl pstat) |
| − | # Disable fwaccel | + | # Disable SecureXL (Use command: fwaccel off) |
| − | # Test in the other cluster member | + | # Test in the other cluster member (Use command: clusterXL_admin down –p) |
# Issue a cpstop/cpstart or reboot | # Issue a cpstop/cpstart or reboot | ||
# Consider installing the latest Jumbo hotfix accumulator or Recommended Hotfixes (per sk106162 and sk106389) | # Consider installing the latest Jumbo hotfix accumulator or Recommended Hotfixes (per sk106162 and sk106389) | ||
| Line 16: | Line 17: | ||
# That’s probably a bug, raise a TAC | # That’s probably a bug, raise a TAC | ||
| − | Confirm | + | Confirm the reason of your packet being dropped using: |
fw ctl zdebug + drop | grep 'x.x.x.x\|y.y.y.y' | fw ctl zdebug + drop | grep 'x.x.x.x\|y.y.y.y' | ||
| + | |||
| + | If log is stuck with existing old sessions (no new logs, or still showing traffic from previous policies), clear connection's table: | ||
| + | fw tab -t connections -x | ||
Latest revision as of 14:56, 22 March 2019
If you are facing strange behavior, in an advanced/illogic scenario, evaluate/review the following items in this order:
- Policy
- NAT (correct NAT mode? Does it require manual proxy arp?)
- Routing
- Anti-spoofing (even from return packet, check logs in opposite direction)
- VPN Encryption domain (for your and remote peer)
- IPS (Use command: ips off)
- Connection Limit (fw ctl pstat)
- Disable SecureXL (Use command: fwaccel off)
- Test in the other cluster member (Use command: clusterXL_admin down –p)
- Issue a cpstop/cpstart or reboot
- Consider installing the latest Jumbo hotfix accumulator or Recommended Hotfixes (per sk106162 and sk106389)
- Did I forget something?!
- That’s probably a bug, raise a TAC
Confirm the reason of your packet being dropped using:
fw ctl zdebug + drop | grep 'x.x.x.x\|y.y.y.y'
If log is stuck with existing old sessions (no new logs, or still showing traffic from previous policies), clear connection's table:
fw tab -t connections -x