Difference between revisions of "Troubleshooting Tips"

From Tech-Wiki
Jump to: navigation, search
 
(11 intermediate revisions by the same user not shown)
Line 3: Line 3:
  
 
If you are facing strange behavior, in an advanced/illogic scenario, evaluate/review the following items in this order:
 
If you are facing strange behavior, in an advanced/illogic scenario, evaluate/review the following items in this order:
## Policy
+
# Policy
## Routing
+
# NAT (correct NAT mode? Does it require manual proxy arp?)
## Anti-spoofing
+
# Routing
## VPN Encryption domain
+
# Anti-spoofing (even from return packet, check logs in opposite direction)
## IPS
+
# VPN Encryption domain (for your and remote peer)
## disable fwaccel
+
# IPS (Use command: ips off)
## issue a cpstop/cpstart  
+
# Connection Limit (fw ctl pstat)
## Consider installing the latest Jumbo hotfix accumulator or Recommended Hotfixes (per sk106162 and sk106389)
+
# Disable SecureXL (Use command: fwaccel off)
## Did I forget something?!
+
# Test in the other cluster member (Use command: clusterXL_admin down –p)
## That’s probably a bug, raise a TAC
+
# Issue a cpstop/cpstart or reboot
 +
# Consider installing the latest Jumbo hotfix accumulator or Recommended Hotfixes (per sk106162 and sk106389)
 +
# Did I forget something?!
 +
# That’s probably a bug, raise a TAC
 +
 
 +
Confirm the reason of your packet being dropped using:
 +
  fw ctl zdebug + drop | grep 'x.x.x.x\|y.y.y.y'
 +
 
 +
If log is stuck with existing old sessions (no new logs, or still showing traffic from previous policies), clear connection's table:
 +
  fw tab -t connections -x

Latest revision as of 13:56, 22 March 2019

Back to Gaia

If you are facing strange behavior, in an advanced/illogic scenario, evaluate/review the following items in this order:

  1. Policy
  2. NAT (correct NAT mode? Does it require manual proxy arp?)
  3. Routing
  4. Anti-spoofing (even from return packet, check logs in opposite direction)
  5. VPN Encryption domain (for your and remote peer)
  6. IPS (Use command: ips off)
  7. Connection Limit (fw ctl pstat)
  8. Disable SecureXL (Use command: fwaccel off)
  9. Test in the other cluster member (Use command: clusterXL_admin down –p)
  10. Issue a cpstop/cpstart or reboot
  11. Consider installing the latest Jumbo hotfix accumulator or Recommended Hotfixes (per sk106162 and sk106389)
  12. Did I forget something?!
  13. That’s probably a bug, raise a TAC

Confirm the reason of your packet being dropped using:

 fw ctl zdebug + drop | grep 'x.x.x.x\|y.y.y.y'

If log is stuck with existing old sessions (no new logs, or still showing traffic from previous policies), clear connection's table:

 fw tab -t connections -x