topic Re: Easy VPN Debug Tool in Scripts

Easy VPN Debug Tool

HeikoAnkenbrand — Tue, 01 Dec 2020 15:34:06 GMT

CLI command

This tool creates a VPN debug with one cli command:

evpn -d -> Creates all VPN debug files ike.elg and vpnd.elg
evpn -d -m -> Creates all VPN debug files ike.elg, vpnd.elg and a fw monitor capture file of all network packages

evpn -o                      -> Shows overlaped encdoms 'overlap_encdom'
evpn -r                      -> Shows vpn routes 'fw tab -t vpn_routing -u'
evpn -t                       -> Shows tunnel list 'vpn tu tlist'
evpn -v                       -> Shows the vpn tu tool 'vpn tu'

Install

"copy and past" the following script block from "Spoiler" to the Check Point gateway:

curl_cli -k http://www.ankenbrand24.de/inst_evpn > /tmp/inst_evpn && chmod 770 /tmp/inst_evpn && /tmp/inst_evpn

Script

cat <<EOT > /usr/bin/evpn #!/bin/bash # trap ctrl-c and call ctrl_c() trap ctrl_c INT FWMONITOR="off"; FILTER_SHOW="off"; FWDEBUG="off"; FWDEBUG_SHOW="off"; NOW=\$(date +"%Y_%m_%d_%H%M"); FILE_PATH="/var/log/"; REMOTE_FILE="\$FILE_PATH\$NOW-evpn.tgz"; echo -e "\e[7m"; clear; printf '%.s-' {1..78};echo; echo '- Easy VPN Debug Tool v1.3 - Copyright Heiko Ankenbrand 2020 -'; printf '%.s-' {1..78}; echo -e "\e[0m"; echo; mSITIONAL=(); while [[ \$# -gt 0 ]] do key="\$1" case \$key in -h|--help|-\?) shift; echo;echo 'Help: ';echo; echo "-t Displays the tunnel list 'vpn tu tlist'"; echo "-r Displays the vpn routes 'fw tab -t vpn_routing -u'"; echo "-o Displays the overlaped encdoms 'overlap_encdom'"; echo "-v Displays the vpn tu tool 'vpn tu'";echo; echo "-d Execute a full VPN debug (sk34467, sk89940)"; echo " # vpn debug trunc"; echo " # vpn debug on"; echo " # vpn debug ikeon"; echo " # vpn debug on TDERROR_ALL_ALL=5"; echo " >>> VPN ISSUE <<<"; echo " CTRL-C ---> Stop debug"; echo " # vpn debug off"; echo " # vpn debug ikeoff"; echo " # vpn debug truncoff"; echo; echo "Optitions for full VPN debug:"; echo "-s Show live debug output"; echo "-m Enable fw monitor for all packets."; echo "-f <display filter> Set display filter for example 'ike'. ";echo; echo "Example filter:"; echo " CPTLS SSL VPN connections (VPN Capsule client)"; echo " ike IKE VPN connections (Site to Site VPN)";echo; exit 0; exit 0; ;; -m) shift; FWMONITOR="on"; ;; -f) FILTER_SHOW="\$2"; shift; shift; ;; -r) shift; echo; echo "VPN routing:";echo; fw tab -t vpn_routing -u | awk 'NR>3 {\$0=substr(\$0,2,28); gsub(", ", ""); gsub("; ", ""); gsub("..", "0x& "); print}' | xargs printf "%d.%d.%d.%d\t-\t%d.%d.%d.%d\tPeer: %d.%d.%d.%d\r\n" | sort -k1n,1; echo; exit 0; ;; -v) shift; function ctrl_c() { echo; exit 0; } vpn tu; exit 0; ;; -o) shift; echo; echo "Overlapping VPN encryption domains:";echo; vpn overlap_encdom; echo; exit 0; ;; -t) shift; echo; echo "VPN tunnel list:";echo; vpn tu tlist; echo; exit 0; ;; -d) shift; FWDEBUG="on"; ;; -s) shift; FWDEBUG_SHOW="on"; ;; *) # unknown option #echo "unknown" POSITIONAL+=("\$1") # save it in an array for later shift ;; esac done if [ \$FWDEBUG == "on" ] ; then if [ \$FWMONITOR == "on" ] ; then echo "Start fw monitor for all packets. "; #echo "EASY VPN DEBUG TOOL: Start fw monitor for all packets." >> \$FWDIR/log/vpnd.elg; fw monitor -e "accept;" -o /var/log/evpn_fw_mon.cap &> /dev/null & fi vpn debug trunc vpn debug on vpn debug ikeon vpn debug on TDERROR_ALL_ALL=5; function ctrl_c() { echo; echo "VPN debug stop"; echo; vpn debug off; vpn debug ikeoff; vpn debug truncoff; echo "EASY VPN DEBUG TOOL: VPN debug stop CTRL-C" >> \$FWDIR/log/vpnd.elg echo " # vpn debug truncoff"; echo " # vpn debug off"; echo " # debug ikeoff"; echo;echo -e "Create tgz file..."; tar -czf \$REMOTE_FILE \$FWDIR/log/ike.elg* \$FWDIR/log/vpnd.elg* /var/log/evpn_fw_mon.cap &> /dev/null ; echo;echo " Tar file location: \$REMOTE_FILE";echo; echo " Included file: \$FWDIR/log/ike.elg"; echo " Included file: \$FWDIR/log/vpnd.elg"; if [ \$FWMONITOR == "on" ] ; then echo " Included file: /var/log/evpn_fw_mon.cap"; fi echo; rm /var/log/evpn_fw_mon.cap &> /dev/null ; exit 0 } # echo "EASY VPN DEBUG TOOL: VPN debug start" >> \$FWDIR/log/vpnd.elg echo "VPN debug start ";echo; echo " # vpn debug trunc"; echo " # vpn debug on"; echo " # debug ikeon"; echo " # vpn debug on TDERROR_ALL_ALL=5"; if [ \$FWMONITOR == "on" ] ; then echo " # fw monitor -e 'accept;' -o /var/log/evpn_fw_mon.cap"; fi echo;echo " >>> Wait until the issue occurs <<<"; echo -e "\e[7m"; echo " Stop VPN debug with CTRL-C "; echo -e "\e[0m"; if [ \$FWDEBUG_SHOW == "on" ] ; then echo;echo; if [ \$FILTER_SHOW == "off" ] ; then tail -f \$FWDIR/log/vpnd.elg else tail -f \$FWDIR/log/vpnd.elg | grep "\[\$FILTER_SHOW" fi else sleep 10000000; fi vpn debug off vpn debug ikeoff vpn debug truncoff; else echo;echo "Please start 'evpn -h' for help.";echo; fi EOT chmod 770 /usr/bin/evpn;

Version

1.0         06-25-2020                      EA version
1.1         06-27-2020                      bugfix
1.2         06-28-2020                      GA version
1.3         06-30-2020                      include all ike.elg* and vpnd.elg* files

Re: Easy VPN Debug Tool

Nauuk_K — Thu, 25 Jun 2020 09:57:32 GMT

Hi @HeikoAnkenbrand,

What exactly does this script do?
So I don't have to type in all VPN debug commands anymore!

Am I getting this right?

Re: Easy VPN Debug Tool

HeikoAnkenbrand — Tue, 30 Jun 2020 06:52:21 GMT

Hi @Nauuk_K,

The script executes the following vpn debug commands:

vpn debug trunc
vpn debug on
vpn debug ikeon
vpn debug on TDERROR_ALL_ALL=5;

>>> Wait for the vpn error <<<

vpn debug off
vpn debug ikeoff
vpn debug truncoff;

Re: Easy VPN Debug Tool

O_H — Thu, 11 Feb 2021 20:12:59 GMT

👍

Re: Easy VPN Debug Tool

Thomas_Eichelbu — Fri, 02 Apr 2021 10:37:14 GMT

Hello Heiko,

as always a wonderful tool.
but is there way to limot the debug to only ONE tunnel peer IP or community name ?

because this command offers an option "tunnel"

vpn debug ?
Usage: vpn debug < on [ DEBUG_TOPIC=level ] | off | ikeon [ -s size(Mb) ]| ike off | trunc [ DEBUG_TOPIC=level ] | truncon [ DEBUG_TOPIC=level ] | truncoff | ti meon [ SECONDS ] | timeoff | ikefail [ -s size(Mb) ]| mon | moff | say [ string ] | tunnel [ level ] >

what is | tunnel | supposed to mean?
can i filter the debug on one tunnel ?
in most time the logs are rapidly filling up and there is no chance to a for long term VPN debugging ...

would be wonderful to filter the debug output in one specfic file and focus only on one specific remote peer or tunnel name.

best regards

Re: Easy VPN Debug Tool

Timothy_Hall — Fri, 02 Apr 2021 14:03:29 GMT

Confining a vpnd debug to one tunnel or peer doesn't seem possible, the tunnel option you are referring to looks like it is just a shortcut to execute multiple debug commands (kind of like zdebug).

If you are having problems with the vpnd.elg files rolling off before you can look at them, make sure you are only debugging IKE by just using the ikeon argument which is typically all that you need in most VPN troubleshooting scenarios. Doing a vpn debug on enables IKE debugging but lots of other debug flags in vpnd as well that will seriously clutter up your debug files. Also you won't typically need to set TDERROR_ALL_ALL which will really overwhelm your output files.

If you do require that level of debugging, you can adjust how large the vpnd.elg files are allowed to get before rolling over and/or specify the number of files to keep before they are automatically removed here:

sk112515: How to increase maximum size and number of rotated $FWDIR/log/vpnd.elg log files on SecurePlatform / Gaia OS

Re: Easy VPN Debug Tool

_Daniel_ — Thu, 14 Dec 2023 03:40:04 GMT

Great tool, I wonder in case we can add ikev2.xmll to the compressed file

Re: Easy VPN Debug Tool

Marco_Valenti — Mon, 16 Feb 2026 09:28:31 GMT

Hello, since I believe this is something really useful I would like to understand if it is still valid for 81.20 with the iked change for the debug, thanks