topic Re: Need to troubleshoot R81.20 S2S VPN in Firewall and Security Management

Need to troubleshoot R81.20 S2S VPN

Joe_Kanaszka — Mon, 22 Jan 2024 19:13:52 GMT

Hey gang - Happy Monday!

I need to troubleshoot a S2S VPN on an R81.20 gateway and I'd like to use the "ikeview" tool.

The problem is my gateway is only spitting out iked debug files.

Can you point me to an SK to get my R81.20 gateway to generate ike debug files?

Or...

Can someone point me to a good SK that explains how to read/interpret the new vpnd logs? From what I've read, the vpnd daemon is responsible for S2S tunnels with peer gateways that have static IPs. (applies to my situation)

We have a S2S tunnel that is occasionally going down between us and our remote office. I'd like to be able to look at a log file(s) and perhaps see if there is an issue with ike phase1, phase 2 - etc...

Hence my inquiry regarding the ikeview tool. I've heard it makes troubleshooting S2S VPN issues a bit easier.

Thanks guys.

-Joe

Re: Need to troubleshoot R81.20 S2S VPN

the_rock — Mon, 22 Jan 2024 20:44:25 GMT

Hey mate,

Personally, below is what I always do. To get basic debugs, run this:

vpn debug trunc (rotates debug files)

vpn debug ikeon

-generate some traffic (leave for 1 or 2 mins)

vpn debug ikeoff

Check $FWDIR/log for ike/vpnd.elg files

I never bother with ikeview, if stuff is failing, just check in vpn tu command if theres even any ike or ipsec SAs. I know ike.elg would show you in ikeview what packet its failing on, so say if its packet 4 phase1, thats usually PSK, but thats easy to tell anyway...just input bogus key on both ends, something easy, say password123 and if it works, bam, theres your answer.

Other than that, I would review vpnd.elg file and filter for external IP address

You can also do this

grep -i x.x.x.x $FWDIR/log/vpnd* (just replace xs with right external IP)

Whats other end of the tunnel?

Best,

Andy

Re: Need to troubleshoot R81.20 S2S VPN

the_rock — Mon, 22 Jan 2024 20:45:29 GMT

Forgot to mention, just to be safe, I would turn off all debugs at the end

fw ctl debug -x

fw ctl debug 0

Andy

Re: Need to troubleshoot R81.20 S2S VPN

genisis__ — Mon, 22 Jan 2024 20:46:31 GMT

get ikeviewer as well; you can then review the ike.elg file in that.

Re: Need to troubleshoot R81.20 S2S VPN

Joe_Kanaszka — Mon, 22 Jan 2024 20:48:52 GMT

Thank you Andy - will do.

Re: Need to troubleshoot R81.20 S2S VPN

Joe_Kanaszka — Mon, 22 Jan 2024 20:49:31 GMT

Thanks Andy - the other end is a Check Point.

Re: Need to troubleshoot R81.20 S2S VPN

the_rock — Mon, 22 Jan 2024 20:50:25 GMT

For you, ONLY still Iphone charge ; - )

Andy

Re: Need to troubleshoot R81.20 S2S VPN

the_rock — Mon, 22 Jan 2024 20:51:17 GMT

Man, you think that would be easy peasy...guess not lol

Anywho, message me offline, we can do remote if you are allowed to, Im sure we can figure it out.

Best,

Andy

Re: Need to troubleshoot R81.20 S2S VPN

Joe_Kanaszka — Mon, 22 Jan 2024 20:51:20 GMT

Nice one! 😁

Re: Need to troubleshoot R81.20 S2S VPN

Joe_Kanaszka — Mon, 22 Jan 2024 20:56:24 GMT

That's weird. No mention of remote peer in vpnd logs - only iked logs are showing my remote peer IP...

Re: Need to troubleshoot R81.20 S2S VPN

the_rock — Mon, 22 Jan 2024 20:59:36 GMT

Do vpn tu on CP side (expoert mode) and see if even phase 1 comes up. Theres an option for specific gateway there.

Andy

Re: Need to troubleshoot R81.20 S2S VPN

Joe_Kanaszka — Mon, 22 Jan 2024 21:03:46 GMT

Thanks Andy. The #vpn tu command works once the tunnel has been brought back up again by my colleague in the remote office. I can see my remote peer and the SAs.

The issue we are having is that the tunnel is going down sporadically and I'm trying to figure out why it's going down....

Trying to figure out the cause when the tunnel goes down.

Thanks again Andy.

Re: Need to troubleshoot R81.20 S2S VPN

Joe_Kanaszka — Mon, 22 Jan 2024 21:14:24 GMT

And I just went back into my gateway. My S2S logs are showing up in iked. 🤔

Re: Need to troubleshoot R81.20 S2S VPN

the_rock — Mon, 22 Jan 2024 21:33:58 GMT

I think I remember this, you asked about it couple of weeks back when I told you to make sure setting keep ike sas was on in global properties, as well as connection persistence in gateway properties to keep all connections. Did you try that and if so, did it help?

Andy