Difference between revisions of "Troubleshooting Tips"
From Tech-Wiki
| (11 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
If you are facing strange behavior, in an advanced/illogic scenario, evaluate/review the following items in this order: | If you are facing strange behavior, in an advanced/illogic scenario, evaluate/review the following items in this order: | ||
| − | + | # Policy | |
| − | ## Routing | + | # NAT (correct NAT mode? Does it require manual proxy arp?) |
| − | + | # Routing | |
| − | + | # Anti-spoofing (even from return packet, check logs in opposite direction) | |
| − | + | # VPN Encryption domain (for your and remote peer) | |
| − | ## | + | # IPS (Use command: ips off) |
| − | ## | + | # Connection Limit (fw ctl pstat) |
| − | + | # Disable SecureXL (Use command: fwaccel off) | |
| − | + | # Test in the other cluster member (Use command: clusterXL_admin down –p) | |
| − | + | # Issue a cpstop/cpstart or reboot | |
| + | # Consider installing the latest Jumbo hotfix accumulator or Recommended Hotfixes (per sk106162 and sk106389) | ||
| + | # Did I forget something?! | ||
| + | # That’s probably a bug, raise a TAC | ||
| + | |||
| + | Confirm the reason of your packet being dropped using: | ||
| + | fw ctl zdebug + drop | grep 'x.x.x.x\|y.y.y.y' | ||
| + | |||
| + | If log is stuck with existing old sessions (no new logs, or still showing traffic from previous policies), clear connection's table: | ||
| + | fw tab -t connections -x | ||
Latest revision as of 14:56, 22 March 2019
If you are facing strange behavior, in an advanced/illogic scenario, evaluate/review the following items in this order:
- Policy
- NAT (correct NAT mode? Does it require manual proxy arp?)
- Routing
- Anti-spoofing (even from return packet, check logs in opposite direction)
- VPN Encryption domain (for your and remote peer)
- IPS (Use command: ips off)
- Connection Limit (fw ctl pstat)
- Disable SecureXL (Use command: fwaccel off)
- Test in the other cluster member (Use command: clusterXL_admin down –p)
- Issue a cpstop/cpstart or reboot
- Consider installing the latest Jumbo hotfix accumulator or Recommended Hotfixes (per sk106162 and sk106389)
- Did I forget something?!
- That’s probably a bug, raise a TAC
Confirm the reason of your packet being dropped using:
fw ctl zdebug + drop | grep 'x.x.x.x\|y.y.y.y'
If log is stuck with existing old sessions (no new logs, or still showing traffic from previous policies), clear connection's table:
fw tab -t connections -x