Difference between revisions of "Troubleshooting Tips"

From Tech-Wiki
Jump to: navigation, search
 
(7 intermediate revisions by the same user not shown)
Line 4: Line 4:
 
If you are facing strange behavior, in an advanced/illogic scenario, evaluate/review the following items in this order:
 
If you are facing strange behavior, in an advanced/illogic scenario, evaluate/review the following items in this order:
 
# Policy
 
# Policy
 +
# NAT (correct NAT mode? Does it require manual proxy arp?)
 
# Routing
 
# Routing
# Anti-spoofing
+
# Anti-spoofing (even from return packet, check logs in opposite direction)
# VPN Encryption domain
+
# VPN Encryption domain (for your and remote peer)
# IPS
+
# IPS (Use command: ips off)
# Connection Limit
+
# Connection Limit (fw ctl pstat)
# Disable fwaccel
+
# Disable SecureXL (Use command: fwaccel off)
# Test in the other cluster member
+
# Test in the other cluster member (Use command: clusterXL_admin down –p)
 
# Issue a cpstop/cpstart or reboot
 
# Issue a cpstop/cpstart or reboot
 
# Consider installing the latest Jumbo hotfix accumulator or Recommended Hotfixes (per sk106162 and sk106389)
 
# Consider installing the latest Jumbo hotfix accumulator or Recommended Hotfixes (per sk106162 and sk106389)
 
# Did I forget something?!
 
# Did I forget something?!
 
# That’s probably a bug, raise a TAC
 
# That’s probably a bug, raise a TAC
 +
 +
Confirm the reason of your packet being dropped using:
 +
  fw ctl zdebug + drop | grep 'x.x.x.x\|y.y.y.y'
 +
 +
If log is stuck with existing old sessions (no new logs, or still showing traffic from previous policies), clear connection's table:
 +
  fw tab -t connections -x

Latest revision as of 13:56, 22 March 2019

Back to Gaia

If you are facing strange behavior, in an advanced/illogic scenario, evaluate/review the following items in this order:

  1. Policy
  2. NAT (correct NAT mode? Does it require manual proxy arp?)
  3. Routing
  4. Anti-spoofing (even from return packet, check logs in opposite direction)
  5. VPN Encryption domain (for your and remote peer)
  6. IPS (Use command: ips off)
  7. Connection Limit (fw ctl pstat)
  8. Disable SecureXL (Use command: fwaccel off)
  9. Test in the other cluster member (Use command: clusterXL_admin down –p)
  10. Issue a cpstop/cpstart or reboot
  11. Consider installing the latest Jumbo hotfix accumulator or Recommended Hotfixes (per sk106162 and sk106389)
  12. Did I forget something?!
  13. That’s probably a bug, raise a TAC

Confirm the reason of your packet being dropped using:

 fw ctl zdebug + drop | grep 'x.x.x.x\|y.y.y.y'

If log is stuck with existing old sessions (no new logs, or still showing traffic from previous policies), clear connection's table:

 fw tab -t connections -x