topic Re: Getting VPN Domain Configuration via Web Services API when Interoperable Devices are used in API / CLI Discussion

Getting VPN Domain Configuration via Web Services API when Interoperable Devices are used

johnnyringo — Mon, 04 Sep 2023 17:07:02 GMT

I've been starting to go more in depth with the Web Services API in R81.10 and to build some tools around it. I'm especially interested in something that could retrieve the VPN Domain for all VPN Communities since this is a common misconfiguration (think an equivalent of the ever-popular One-liner to show VPN Topology (VPN Domain) on gateways script)

First, the good news. I am able to get the VPN Domain for VPN Communities where the VPN domain is user-defined. Something like this:

show-vpn-communities-star - List all Star VPN Communities
show-vpn-community-star - Get details for specific Star Community

If the VPN Domain has been user-defined, there will be an override-vpn-domains object with a list of gateways with the following attributes:

gateway - object with the name, type, and ipv4-address of the gateway
vpn-domain - network or group that is the VPN domain. Details can be retrieved with show-network or show-group

Great! Problem is, I can't figure how to get same for communities where the default VPN Domain is used. Root problem here is while show-simple-cluster and show-simple-gateway have vpn-settings -> vpn-domain in the JSON response, I don't see that for a VPN Community with an Interoperable device.

Is there a separate command go get the details for an Interoperable Device that I'm just missing? Or is it not possible?

Re: Getting VPN Domain Configuration via Web Services API when Interoperable Devices are used

Timothy_Hall — Mon, 04 Sep 2023 17:26:36 GMT

API version 1.9 (R81.20) and higher support this through the add/show/set/delete interoperable-device commands. Also see my article here:

Functionality - Mgmt API vs. SmartConsole

Re: Getting VPN Domain Configuration via Web Services API when Interoperable Devices are used

PhoneBoy — Tue, 05 Sep 2023 14:11:14 GMT

You may be able to find the information in R81.10 using generic-object API calls.
There is no formal documentation on this endpoint (nor is there any support for it), though there are several usage examples on CheckMates.

Your best bet is to upgrade to R81.20 and use the formally supported API endpoints.

Re: Getting VPN Domain Configuration via Web Services API when Interoperable Devices are used

johnnyringo — Tue, 05 Sep 2023 17:05:44 GMT

Ahh yeah I was afraid of that. Just upgraded to R81.10 (API v1.8) a few months ago; R81.20 wasn't planned until next year but I can bump it up in priority.

This management server is in Google Cloud, so the upgrade process is non-trivial.

Re: Getting VPN Domain Configuration via Web Services API when Interoperable Devices are used

johnnyringo — Tue, 05 Sep 2023 17:10:05 GMT

Yes, I know R81.20 is now recommended so an upgrade is planned within the next 6 months. It unfortunately requires a maintenance window as some of the cluster member hostnames on the VM don't perfectly match the name in SmartConsole and this have to go through a SIC reset and failover process.

Policy installation fails with "TCP connection failure port=18191 [error no. 10]" and "Load on Module failed - no memory"