Difference between revisions of "Troubleshooting VPN"

From Tech-Wiki
Latest revision as of 17:00, 7 April 2019

Back to Gaia

First review the encryption domains: make sure that a given remote IP address is covered by the encryption domain of only one peer, because overlapping domains leave the gateway with several candidate tunnels for the same destination. Then refer to the following SKs:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=skI4326

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk33327

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk63560


In summary, the debug sequence is (run in expert mode; keep the debug window as short as possible, because the verbose level costs CPU and fills $FWDIR/log):

 vpn debug trunc
 vpn debug ikeon
 vpn debug on TDERROR_ALL_ALL=5
 vpn tu
   in the menu choose "Delete all IPsec+IKE SAs for a given peer (GW)" for the failing peer, quit, then send traffic into the tunnel so the new negotiation is captured
 vpn debug ikeoff
 vpn debug off
 vpn debug truncoff

collect files:

 $FWDIR/log/vpnd.elg
 $FWDIR/log/ike.elg

If the negotiation itself has to be inspected, an additional debug level is available with vpn debug mon (stop it with vpn debug moff), which writes $FWDIR/log/ikemonitor.snoop with the IKE payloads decrypted (readable in Wireshark). Because the file contains the negotiation in clear, handle it like a credential and delete it once the case is closed.
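The whole sequence above (debug on, clear the peer's SAs, reproduce, debug off, collect vpnd.elg / ike.elg and, if vpn debug mon was used, ikemonitor.snoop) as one bounded script. This is an added example, not the wiki page's or Check Point's own tooling; the function names, the DRY_RUN switch and the fallback FWDIR path are assumptions of this example. Run it in expert mode on the gateway as `sh vpn-debug.sh run 120`; with DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the wiki page: a bounded VPN debug session on a
# Check Point gateway (Gaia, expert mode). It runs the page's debug sequence,
# leaves the operator time to reproduce the failing tunnel, switches the debug
# off again and bundles the files to collect.
# Assumptions of this example: the function names, DRY_RUN (print instead of
# run, for hosts without the Check Point binaries) and the fallback FWDIR path,
# which is a placeholder; on a real gateway FWDIR is set by the CP environment.

: "${DRY_RUN:=0}"
: "${FWDIR:=/tmp/fwdir-dryrun}"   # placeholder, only reached in dry runs

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY: %s\n' "$*"
    else
        "$@"
    fi
}

# The page's "In summary" sequence, in order.
vpn_debug_start() {
    run vpn debug trunc                    # truncate vpnd.elg / ike.elg so the capture starts clean
    run vpn debug ikeon                    # IKE negotiation log -> ike.elg
    run vpn debug on TDERROR_ALL_ALL=5     # verbose vpnd log -> vpnd.elg
}

vpn_debug_stop() {
    run vpn debug ikeoff
    run vpn debug off
    run vpn debug truncoff
}

# Bundle the debug output with host name and time so several captures don't collide.
vpn_debug_collect() {
    out="/var/log/vpn-debug-$(hostname)-$(date +%Y%m%d-%H%M%S).tgz"
    files="$FWDIR/log/vpnd.elg $FWDIR/log/ike.elg"
    # ikemonitor.snoop only exists if 'vpn debug mon' was used; it holds decrypted IKE payloads.
    [ -f "$FWDIR/log/ikemonitor.snoop" ] && files="$files $FWDIR/log/ikemonitor.snoop"
    run tar czf "$out" $files              # $files unquoted on purpose: it is a word list
    echo "$out"
}

# Whole session. $1 = seconds granted for the reproduction (default 120).
vpn_debug_session() {
    wait_secs="${1:-120}"
    vpn_debug_start
    echo "Clear the SAs now: in 'vpn tu' pick 'Delete all IPsec+IKE SAs for a given peer (GW)', then quit."
    run vpn tu
    echo "Reproduce the failure (send traffic into the tunnel); debug stops in ${wait_secs}s."
    run sleep "$wait_secs"
    vpn_debug_stop
    vpn_debug_collect
}

if [ "${1:-}" = "run" ]; then
    vpn_debug_session "${2:-120}"
fi
```

The script deliberately leaves the SA deletion interactive, because vpn tu is a menu; everything else is scripted so the debug is never left switched on by accident.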

If IKE packets never seem to arrive or leave, capture the negotiation on the gateway: fw monitor -e "accept port(500) or port(4500);" -o /var/log/fw_monitor.cap (open the file in Wireshark). This filter only matches IKE (UDP 500) and NAT-T (UDP 4500); add "or ip_p=50" to the expression if the ESP packets themselves (IP protocol 50) have to be seen as well.

Also check which interface the traffic leaves from: the firewall uses the main IP address of the gateway object as the source of IKE/IPsec packets, not the address of the egress interface, so a peer that expects the egress address may reject the negotiation. This can be adjusted in the object properties under IPsec VPN - Link Selection - Source IP address settings - Manual - IP address of chosen interface.

In order to validate VPN routing, decode the vpn_routing kernel table; each output line is the start and end of an encryption-domain range and the peer that range is routed to (the awk assumes the three hex words sit in the first 28 characters of each entry line, and the sort orders the ranges octet by octet):

fw tab -t vpn_routing -u | awk 'NR>3 {$0=substr($0,2,28); gsub(", ", ""); gsub("; ", ""); gsub("..", "0x& "); print}' \
| xargs printf "%d.%d.%d.%d\t-\t%d.%d.%d.%d\tPeer: %d.%d.%d.%d\n" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n

A destination that falls into more than one range points at the overlapping encryption domains mentioned at the top of the page.
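The same table decoding, written so it can be run offline and so that the "only one peer matches a given IP" check from the top of the page is done by the script rather than by eye. This is an added example, not the wiki page's own command and not Check Point tooling; SAMPLE_VPN_ROUTING is constructed test data in the entry format the page's one-liner assumes (three 8-digit hex words in the first 28 characters after "<"), and the function names are this example's own. On a gateway, replace the sample with "$(fw tab -t vpn_routing -u)".

```shell
#!/bin/sh
# Added example (not from the wiki page): decode the vpn_routing kernel table
# offline and report which peer(s) a destination IP would be sent to, so that a
# destination covered by more than one peer's encryption domain shows up at once.
# SAMPLE_VPN_ROUTING is constructed test data, not real gateway output; entry
# lines begin with "<" and carry range start, range end and peer as 8-digit hex.

SAMPLE_VPN_ROUTING='localhost:
-------- vpn_routing --------
dynamic, id 8166, attributes: keep, sync, limit 25000, hashsize 512
<0a000000, 0a0000ff, c0a80101; 3600/3600>
<0a000100, 0a0001ff, c0a80102; 3600/3600>
<0a000080, 0a0000ff, c0a80103; 3600/3600>'

# Helpers in plain POSIX awk (no gawk strtonum), shared by the functions below.
AWK_LIB='
function hex2dec(h,   i, d) {
    d = 0; h = tolower(h)
    for (i = 1; i <= length(h); i++)
        d = d * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
    return d
}
function dec2ip(n) {
    return int(n / 16777216) "." int((n % 16777216) / 65536) "." int((n % 65536) / 256) "." (n % 256)
}
function ip2dec(ip,   o) {
    split(ip, o, ".")
    return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
}
'

# stdin: raw "fw tab -t vpn_routing -u" output; stdout: "<start> <end> <peer>" per entry.
decode_vpn_routing() {
    awk "$AWK_LIB"'
    /^</ {
        line = substr($0, 2, 28)           # "0a000000, 0a0000ff, c0a80101"
        gsub(/[,;] */, " ", line)
        if (split(line, w, " ") < 3) next
        print dec2ip(hex2dec(w[1])), dec2ip(hex2dec(w[2])), dec2ip(hex2dec(w[3]))
    }'
}

# $1: destination IP, $2: raw table text. Prints the peer of every entry whose range covers $1.
# More than one output line means the destination is claimed by several encryption domains.
peers_for_ip() {
    printf '%s\n' "$2" | decode_vpn_routing | awk -v ip="$1" "$AWK_LIB"'
    BEGIN { t = ip2dec(ip) }
    ip2dec($1) <= t && t <= ip2dec($2) { print $3 }'
}

# $1: raw table text. Prints every pair of entries whose ranges overlap.
find_overlaps() {
    printf '%s\n' "$1" | decode_vpn_routing | awk "$AWK_LIB"'
    { s[NR] = ip2dec($1); e[NR] = ip2dec($2); p[NR] = $3; r[NR] = $1 "-" $2 }
    END {
        for (i = 1; i <= NR; i++)
            for (j = i + 1; j <= NR; j++)
                if (s[i] <= e[j] && s[j] <= e[i])
                    print r[i] " (peer " p[i] ") overlaps " r[j] " (peer " p[j] ")"
    }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_VPN_ROUTING" | decode_vpn_routing
find_overlaps "$SAMPLE_VPN_ROUTING"
echo "peers for 10.0.0.200:"; peers_for_ip 10.0.0.200 "$SAMPLE_VPN_ROUTING"
```

On the sample, 10.0.0.0-10.0.0.255 (peer 192.168.1.1) and 10.0.0.128-10.0.0.255 (peer 192.168.1.3) overlap, so peers_for_ip 10.0.0.200 lists two peers; that is exactly the condition the first paragraph of the page tells you to rule out.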