Difference between revisions of "Troubleshooting VPN"
From Tech-Wiki
(Created page with "Category:Check Point '''Back to Gaia''' Refer to following SK: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutio...") |
|||
(8 intermediate revisions by the same user not shown) | |||
Line 2: | Line 2: | ||
'''[[Check Point#Gaia|Back to Gaia]]''' | '''[[Check Point#Gaia|Back to Gaia]]''' | ||
− | + | Review encryption domain, make sure only one IP matches remote peer and also refer to following SK: | |
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=skI4326 | https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=skI4326 | ||
Line 9: | Line 9: | ||
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk63560 | https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk63560 | ||
+ | |||
+ | |||
+ | In summary: | ||
+ | |||
+ | vpn debug trunc | ||
+ | vpn debug ikeon | ||
+ | vpn debug on TDERROR_ALL_ALL=5 | ||
+ | vpn tu | ||
+ | Delete all IPsec+IKE SAs for a given peer (GW) | ||
+ | vpn debug ikeoff | ||
+ | vpn debug off | ||
+ | vpn debug truncoff | ||
+ | |||
+ | collect files: | ||
+ | $FWDIR/log/vpnd.elg | ||
+ | $FWDIR/log/ike.elg | ||
+ | |||
+ | Additional debug level might be required using vpn debug mon / moff which will generate the files: $FWDIR/log/ikemonitor.snoop with IKE payload in plain text. | ||
+ | |||
+ | If you are experiencing connectivity issues, you might want to run: fw monitor -e "accept port(500) or port(4500);" -o /var/log/fw_monitor.cap | ||
+ | |||
+ | Or check the egress interface, as the firewall will always use the MainIP as source. This can be adjusted under Inter Operable properties - IPsec VPN - Link Selection - Source IP address settings - Manual - IP address of chosen interface. | ||
+ | |||
+ | In order to validate VPN routing, use the command below: | ||
+ | fw tab -t vpn_routing -u | awk 'NR>3 {$0=substr($0,2,28); gsub(", ", ""); gsub("; ", ""); gsub("..", "0x& "); print}' \ | ||
+ | | xargs printf "%d.%d.%d.%d\t-\t%d.%d.%d.%d\tPeer: %d.%d.%d.%d\r\n" | sort -k1n,1 |
Latest revision as of 17:00, 7 April 2019
Review encryption domain, make sure only one IP matches remote peer and also refer to following SK:
In summary:
vpn debug trunc vpn debug ikeon vpn debug on TDERROR_ALL_ALL=5 vpn tu Delete all IPsec+IKE SAs for a given peer (GW) vpn debug ikeoff vpn debug off vpn debug truncoff
collect files:
$FWDIR/log/vpnd.elg $FWDIR/log/ike.elg
Additional debug level might be required using vpn debug mon / moff which will generate the files: $FWDIR/log/ikemonitor.snoop with IKE payload in plain text.
If you are experiencing connectivity issues, you might want to run: fw monitor -e "accept port(500) or port(4500);" -o /var/log/fw_monitor.cap
Or check the egress interface, as the firewall will always use the MainIP as source. This can be adjusted under Inter Operable properties - IPsec VPN - Link Selection - Source IP address settings - Manual - IP address of chosen interface.
In order to validate VPN routing, use the command below:
fw tab -t vpn_routing -u | awk 'NR>3 {$0=substr($0,2,28); gsub(", ", ""); gsub("; ", ""); gsub("..", "0x& "); print}' \ | xargs printf "%d.%d.%d.%d\t-\t%d.%d.%d.%d\tPeer: %d.%d.%d.%d\r\n" | sort -k1n,1