topic Re: VPN Troubleshooting Commands in Firewall and Security Management

VPN Troubleshooting Commands

Ramawatar_Maury — Thu, 12 Jul 2018 11:49:10 GMT

Commands	Descriptions
*vpn tu*	*VPN utility, allows you to rekey vpn*
*vpn ipafile_check ipassignment.conf detail‏*	*Verifies the ipassignment.conf file*
*dtps lic*	*show desktop policy license status*
*cpstat -f all polsrv*	*show status of the dtps*
*vpn shell*	*Start the VPN shell*
*vpn shell /tunnels/delete/IKE/peer/[peer ip]*	*delete IKE SA*
*vpn shell /tunnels/delete/IPsec/peer/[peer ip]*	*delete Phase 2 SA*
*vpn shell /show/tunnels/ike/peer/[peer ip]*	*show IKE SA*
*vpn shell /show/tunnels/ipsec/peer/[peer ip]*	*show Phase 2 SA*
*vpn shell show interface detailed [VTI name]*	*show VTI detail*
*vpn debug ikeon\|ikeoff*	*Debug IKE into $FWDIR/log/ike.elg. Analyze ike.elg with the IKEView tool*
*vpn debug on\|off*	*Debug VPN into $FWDIR/log/vpnd.elg. Analyze vpnd.elg with the IKEView tool*
*vpn debug trunc*	*Truncate and stamp logs, enable IKE & VPN debug*
*vpn drv stat*	*Show status of VPN-1 kernel module*
*vpn overlap_encdom*	*Show, if any, overlapping VPN domains*
*vpn macutil <user>*	*Show MAC for Secure Remote user <user>*
*vpn ver [-k]*	*Check VPN-1 major and minor version as well as build number and latest hotfix. Use -k for kernal version*

Re: VPN Troubleshooting Commands

Petr_Hantak — Thu, 12 Jul 2018 12:51:18 GMT

Nice summary. Speaking about debug commands procedure is written in more SK articles. At least good one for start is the sk33327 - How to generate a valid VPN debug, IKE debug and FW Monitor

Re: VPN Troubleshooting Commands

Gaurav_Pandya — Fri, 13 Jul 2018 18:47:14 GMT

Good commands and lastly IKE Info Viewer is the best tool to troubleshoot VPN.

Re: VPN Troubleshooting Commands

Jesse — Wed, 13 Mar 2019 15:49:37 GMT

So looking at the information on the "IKEView Tool" in sk30994, it seems it can only display information captured in a debug. Is there a way to see in realtime the remaining key lifetimes on Phase1 and Phase2 SAs, or other details such as Phase2 SA local and remote identities? This could easily be done on ASA, but I can't seem to find it on Check Point gateways.

Re: VPN Troubleshooting Commands

Robert_Dietrich — Tue, 18 Jun 2019 12:24:37 GMT

Same Question!

Re: VPN Troubleshooting Commands

gerb — Fri, 25 Oct 2024 18:28:21 GMT

apparently not anymore

Re: VPN Troubleshooting Commands

Lesley — Mon, 28 Oct 2024 21:53:00 GMT

You kick and ancient topic from 2018.

Here is the relevant SK made for this time period:

https://support.checkpoint.com/results/sk/sk180488

Re: VPN Troubleshooting Commands

Matlu — Sat, 31 May 2025 04:27:42 GMT

Hello,
Is there any command that captures the traffic on both P1 and P2?
Is it possible to check it through the CLI, or do you necessarily have to capture the data and check it in IKEView Tool?

Re: VPN Troubleshooting Commands

PhoneBoy — Mon, 02 Jun 2025 19:46:46 GMT

It's possible one of the various VPN kernel debugs might show you this information.
Capturing the relevant traffic and viewing it into IKEView is probably quicker/easier.

Re: VPN Troubleshooting Commands

Matlu — Fri, 19 Sep 2025 05:14:39 GMT

Hello, @PhoneBoy
When you have VPN tunnel errors with “intermittent” drops that occurred a couple of days ago, is it possible to detect the root cause of these problems in the ‘messages’ or “dmesg” files of our FW?
Or is this information stored somewhere else?
Cheers.

Re: VPN Troubleshooting Commands

PhoneBoy — Fri, 19 Sep 2025 16:49:55 GMT

Issues with the VPN would not likely manifest itself in Gaia OS logs.
Possibly cpview has something and it might also show in the regular access policy logs (depending on the nature of the failure).