Difference between revisions of "Troubleshooting VPN"
From Tech-Wiki
'''[[Check Point#Gaia|Back to Gaia]]'''
Review the encryption domain and make sure that only one IP address or subnet matches the remote peer (overlapping encryption domain entries for different peers are a common cause of tunnel problems), and also refer to the following SK:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=skI4326
Latest revision as of 17:00, 7 April 2019
In summary:
vpn debug trunc
vpn debug ikeon
vpn debug on TDERROR_ALL_ALL=5
vpn tu
(in the vpn tu menu, delete all IPsec+IKE SAs for the given peer (GW), then reproduce the problem)
vpn debug ikeoff
vpn debug off
vpn debug truncoff
collect files:
$FWDIR/log/vpnd.elg
$FWDIR/log/ike.elg
Additional debug detail might be required using vpn debug mon (stop it with vpn debug moff), which writes $FWDIR/log/ikemonitor.snoop with the IKE payloads in plain text. Because that file contains the decrypted negotiation, treat it as sensitive and do not leave the monitor running longer than the reproduction needs.
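The debug session above as one script, added here as an example that is not part of the original page or of Check Point's tooling: it runs the same vpn debug commands in the same order, switches debug off again even if the session is interrupted, and copies (never moves) vpnd.elg, ike.elg and, when requested, ikemonitor.snoop into a timestamped bundle. It assumes an expert shell on Gaia with FWDIR exported and the vpn command on PATH; the bundle directory name and the "run" argument are this script's own conventions.

```shell
#!/bin/bash
# Added example: wraps the manual vpn debug session so debug is always turned off
# and the resulting files are collected. Assumes FWDIR is exported (Gaia expert shell).
set -e

VPN_DEBUG_MON=0   # set to 1 by vpn_debug_start when ikemonitor.snoop capture was requested

vpn_debug_start() {
    # $1 = "mon" to also capture cleartext IKE payloads into $FWDIR/log/ikemonitor.snoop
    vpn debug trunc                   # truncate vpnd.elg / ike.elg so the capture starts clean
    vpn debug ikeon                   # IKE negotiation logging -> $FWDIR/log/ike.elg
    vpn debug on TDERROR_ALL_ALL=5    # vpnd debug, every topic at level 5 -> $FWDIR/log/vpnd.elg
    if [ "${1:-}" = mon ]; then
        vpn debug mon                 # decrypted IKE payloads -> ikemonitor.snoop (sensitive)
        VPN_DEBUG_MON=1
    fi
}

vpn_debug_stop() {
    # same order as the manual procedure: IKE debug off, vpnd debug off, monitor off, truncation off
    vpn debug ikeoff
    vpn debug off
    if [ "$VPN_DEBUG_MON" = 1 ]; then
        vpn debug moff
        VPN_DEBUG_MON=0
    fi
    vpn debug truncoff
}

vpn_debug_collect() {
    # $1 = destination directory. Copies the debug files (current and any rotated
    # copies) into a timestamped bundle and prints the bundle path.
    : "${FWDIR:?FWDIR is not set - run this from an expert shell}"
    bundle="$1/vpn-debug-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$bundle"
    for f in "$FWDIR"/log/vpnd.elg* "$FWDIR"/log/ike.elg* "$FWDIR"/log/ikemonitor.snoop; do
        if [ -f "$f" ]; then
            cp -p "$f" "$bundle/"
        fi
    done
    chmod 700 "$bundle"   # ikemonitor.snoop holds cleartext IKE payloads; keep the bundle private
    printf '%s\n' "$bundle"
}

vpn_debug_session() {
    # Full session: start debug, let the operator clear the SAs with "vpn tu" and
    # reproduce the problem, then stop debug and collect. The trap guarantees that
    # debug is switched off even if the script is interrupted with Ctrl-C.
    trap 'vpn_debug_stop' EXIT INT TERM
    vpn_debug_start "${1:-}"
    printf 'Debug is on. In another shell run "vpn tu", delete the IPsec+IKE SAs for the peer,\n'
    printf 'reproduce the problem, then press Enter here to stop debug and collect the files: '
    read -r _
    vpn_debug_stop
    trap - EXIT INT TERM
    vpn_debug_collect "${2:-/var/log}"
}

# Usage when run directly:  ./vpn-debug-session.sh run [mon] [output-dir]
if [ "${1:-}" = run ]; then shift; vpn_debug_session "$@"; fi
```

The "run" guard keeps the file sourceable: sourcing it only defines the functions, so vpn_debug_collect can be reused on its own after a manual session.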
If you are experiencing connectivity issues, capture the IKE (UDP 500) and NAT-T (UDP 4500) traffic on the gateway with: fw monitor -e "accept port(500) or port(4500);" -o /var/log/fw_monitor.cap (the -o file is in snoop format and can be opened in Wireshark).
Also check the egress interface: by default the gateway sources its IKE/IPsec traffic from its main IP address regardless of the interface the packets leave on, so the peer may see an unexpected source address. This can be adjusted in the gateway/Interoperable Device object properties under IPsec VPN - Link Selection - Source IP address settings - Manual - IP address of chosen interface.
In order to validate VPN routing (which address ranges are routed to which peer), use the command below, which decodes the hex entries of the vpn_routing kernel table into start address, end address and peer:
fw tab -t vpn_routing -u | awk 'NR>3 {$0=substr($0,2,28); gsub(", ", ""); gsub("; ", ""); gsub("..", "0x& "); print}' \
  | xargs printf "%d.%d.%d.%d\t-\t%d.%d.%d.%d\tPeer: %d.%d.%d.%d\r\n" | sort -k1n,1
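As an added example that is not part of the original page, the same decoding as a shell function that does not depend on fixed column offsets: it matches the three 8-hex-digit fields at the start of each table entry (start IP, end IP, peer, the same layout the awk pipeline above assumes) and prints them as dotted quads sorted by start address. The fw tab output used below is constructed for the example; on a gateway you would pipe the real command into the function.

```shell
#!/bin/sh
# Added example: decode `fw tab -t vpn_routing -u` output into readable ranges.
# Assumes each entry starts with "<start, end, peer;" as 8-hex-digit IPv4 words.
set -e

hex2ip() {
    # "0a010000" -> "10.1.0.0": split into byte pairs, prefix 0x, let printf convert
    set -- $(printf '%s' "$1" | sed 's/\(..\)/0x\1 /g')
    printf '%d.%d.%d.%d' "$1" "$2" "$3" "$4"
}

decode_vpn_routing() {
    # Reads fw tab output on stdin; prints "start - end Peer: peer", one line per
    # entry, sorted numerically octet by octet on the start address. Header lines
    # and entries that do not match the expected layout are skipped.
    sed -n 's/^<\([0-9a-fA-F]\{8\}\), \([0-9a-fA-F]\{8\}\), \([0-9a-fA-F]\{8\}\);.*/\1 \2 \3/p' |
    while read -r first last peer; do
        printf '%s\t-\t%s\tPeer: %s\n' \
            "$(hex2ip "$first")" "$(hex2ip "$last")" "$(hex2ip "$peer")"
    done | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# Constructed sample in the shape of `fw tab -t vpn_routing -u` (not a real capture):
# three ranges, two behind peer 203.0.113.1 and one behind 198.51.100.2, out of order.
VPN_ROUTING_SAMPLE='localhost:
-------- vpn_routing --------
dynamic, id 233, attributes: keep, sync, kbuf 1, expires 5, limit 10000, hashsize 512
<c0a80a00, c0a80aff, cb007101; 00000001, 00000000; 1/10>
<0a010000, 0a01ffff, cb007101; 00000001, 00000000; 1/10>
<ac100000, ac10ffff, c6336402; 00000001, 00000000; 1/10>'

# Stand-alone demo on the constructed sample. On a gateway use:
#   fw tab -t vpn_routing -u | decode_vpn_routing
printf '%s\n' "$VPN_ROUTING_SAMPLE" | decode_vpn_routing
```

Ranges that overlap between two peers show up directly in this listing, which is the condition the encryption-domain check at the top of the page is about.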