Difference between revisions of "Troubleshooting VPN"

From Tech-Wiki
Jump to: navigation, search
Line 30: Line 30:
 
If you are experiencing connectivity issues, you might want to run: fw monitor -e "accept port(500) or port(4500);" -o /var/log/fw_monitor.cap
 
If you are experiencing connectivity issues, you might want to run: fw monitor -e "accept port(500) or port(4500);" -o /var/log/fw_monitor.cap
  
Or check the egress interface. This can be adjusted using Inter Operable properties - IPsec VPN - Link Selection - Source IP address settings - Manual - IP address of chosen interface.
+
Or check the egress interface, as the firewall will always use the MainIP as source. This can be adjusted under Inter Operable properties - IPsec VPN - Link Selection - Source IP address settings - Manual - IP address of chosen interface.

Revision as of 16:43, 7 April 2019

Back to Gaia

Review encryption domain, make sure only one IP matches remote peer and also refer to following SK:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=skI4326

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk33327

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk63560


In summary:

vpn debug trunc
vpn debug ikeon
vpn debug on TDERROR_ALL_ALL=5 
vpn tu
 Delete all IPsec+IKE SAs for a given peer (GW)
vpn debug ikeoff
vpn debug off
vpn debug truncoff

collect files:

 $FWDIR/log/vpnd.elg
 $FWDIR/log/ike.elg

Additional debug level might be required using vpn debug mon / moff which will generate the files: $FWDIR/log/ikemonitor.snoop with IKE payload in plain text.

If you are experiencing connectivity issues, you might want to run: fw monitor -e "accept port(500) or port(4500);" -o /var/log/fw_monitor.cap

Or check the egress interface, as the firewall will always use the MainIP as source. This can be adjusted under Inter Operable properties - IPsec VPN - Link Selection - Source IP address settings - Manual - IP address of chosen interface.