Checking the State of VPN Tunnel
Hello..
I am relatively new to Check Point S2S VPN tunnels. Recently I created a non-VTI VPN tunnel (R80.40 VSX limitation). I was wondering if there is a way to check if the tunnel is established and UP without asking the remote side.
I went to SmartView Monitor, and under "VPNs" and "Tunnels on Community" I can see the status of the tunnel is showing UP and green. Does this mean that the tunnel is active? Or is there any other way to determine this at the Check Point end?
Accepted Solutions
You also have the "vpn tu" command on the Gateway CLI to show the SA info etc.
For more info see: sk33853
cpview also provides some VPN metrics that may be helpful.
In addition to what @Chris_Atkinson said, yes, if SmartView Monitor shows the tunnel UP, it means it is up 🙂
Thanks..this was helpful
Try this:
echo;_vpn=1;if [[ -f /bin/enabled_blades ]];then if [[ `enabled_blades|tr 'A-Z' 'a-z'` != *'vpn'* ]];then _vpn=0;fi;elif [[ -f /opt/fw1/conf/active_blades.txt ]];then if [[ `grep VPN-S2S /opt/fw1/conf/active_blades.txt|awk '{print $NF}'` != '1' ]];then _vpn=0;fi;elif [[ -f /opt/fw1/conf/blades.json ]];then if [[ `jq '.data[]|select(.name=="VPN-S2S")|.enabled' /opt/fw1/conf/blades.json` != '1' ]];then _vpn=0;fi;fi;if [[ $_vpn == 1 ]];then _ha=0;if [[ `$CPDIR/bin/cpprod_util FwIsHighAvail` -eq '1' ]];then _ha=1;if [[ `cphaprob stat|grep \(local\)|tr 'A-Z' 'a-z'` == *'active'* ]];then _ha=0;fi;fi;if [[ $_ha == 0 ]];then if [[ -f /bin/timeout ]];then _stat=`timeout 5 stattest gettable 1.3.6.1.4.1.2620.1.9002.1 2 3 4 1 7 8 9 10 11`;else _stat=`stattest gettable 1.3.6.1.4.1.2620.1.9002.1 2 3 4 1 7 8 9 10 11`;fi;echo "$_stat"|tr ',' ' '|awk '{gsub("132","Initialized",$2)}1'|awk '{gsub("131","Down",$2)}1'|awk '{gsub("130","Phase_1",$2)}1'|awk '{gsub("129","Idle",$2)}1'|awk '{gsub("4","Destroyed",$2)}1'|awk '{gsub("3","UP",$2)}1'|awk '{gsub("0","Primary",$6)}1'|awk '{gsub("1","Backup",$6)}1'|awk '{gsub("2","On-demand",$6)}1'|awk '{gsub("0","?",$7)}1'|awk '{gsub("1","Alive",$7)}1'|awk '{gsub("2","!",$7)}1'|awk '{gsub("1","Regular",$8)}1'|awk '{gsub("2","DAIP",$8)}1'|awk '{gsub("3","ROBO",$8)}1'|awk '{gsub("4","LSV",$8)}1'|awk '{gsub("1","Regular",$9)}1'|awk '{gsub("2","Permanent",$9)}1'|sort|sed "s/^/$(hostname) <=> /"|sed '1 i\( , , , , , , , , , , )'|sed '1 i\FROM <=> TO STATE VPN_COMMUNITY PEER_IP SOURCE_IP LINK_PRIORITY PROB_STATE PEER_TYPE VPN_TYPE'|if [[ -f /bin/column ]];then column -t|sed "s/\bUP\b/\x1b[1;32m&\x1b[m/g;s/\bDown\b\|\bDestroyed\b/\x1b[1;31m&\x1b[m/g;s/\bBackup\b\|\bAlive\b\|\bInitialized\b\|\bPhase_1\b/\x1b[1;36m&\x1b[m/g"|sed '/^(.*)$/ s/./=/g'|sed '$a+'|sed '2h;$x'|sed "s/^/ /";echo -e "\033[1;2m Reset VPN tunnel to peer : vpn tu del PEER_IP\n Show VPN tunnel details : vpn tu tlist -p PEER_IP\033[m";else cat|sed '/^(.*)$/ s/./=/g';fi;else echo -e "\033[1;31mNot an active HA member.\033[m";fi;else echo -e "\033[1;31mNot a VPN gateway.\033[m";fi;unset _vpn _ha _stat;echo
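The state codes that the one-liner above translates (3 UP, 4 Destroyed, 129 Idle, 130 Phase_1, 131 Down, 132 Initialized) can also drive a scripted health check that exits non-zero when any tunnel is not UP. The script below is an added example, not part of the original post: it assumes stattest prints one comma-separated row per tunnel in the requested column order, and the function names and sample rows are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): decode tunnel rows by exact state code.
# Assumption: "stattest gettable 1.3.6.1.4.1.2620.1.9002.1 2 3 4 1 ..." prints
# one comma-separated row per tunnel in the requested column order:
# peer, state, community, peer IP, ... (only these four are used here).

# Constructed sample rows, not real gateway output (documentation IP ranges).
SAMPLE_ROWS='peer-a,3,Community1,192.0.2.10,198.51.100.1,0,1,1,2
peer-b,131,Community1,192.0.2.20,198.51.100.1,0,2,1,2
peer-c,130,Community2,192.0.2.30,198.51.100.1,1,1,1,1'

# decode_tunnels: rows on stdin -> "peer<TAB>peer_ip<TAB>community<TAB>state".
decode_tunnels() {
  awk -F',' -v OFS='\t' '
    BEGIN {
      # State codes as translated by the one-liner in the post above.
      s["3"] = "UP";        s["4"] = "Destroyed"; s["129"] = "Idle"
      s["130"] = "Phase_1"; s["131"] = "Down";    s["132"] = "Initialized"
    }
    NF >= 4 {
      # Trim padding around the fields that are used.
      for (i = 1; i <= 4; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
      # Whole-field lookup: an unrecognised code is reported as Unknown(code).
      state = ($2 in s) ? s[$2] : "Unknown(" $2 ")"
      print $1, $4, $3, state
    }'
}

# tunnels_not_up: print every tunnel whose state is not UP.
# Exit status is 1 if at least one such tunnel exists, 0 otherwise,
# so it can be used directly from cron or a monitoring agent.
tunnels_not_up() {
  decode_tunnels | awk -F'\t' '$4 != "UP" { print; bad = 1 } END { exit bad + 0 }'
}

# Demo on the constructed rows. On a gateway in expert mode the input
# would instead come from stattest, for example:
#   stattest gettable 1.3.6.1.4.1.2620.1.9002.1 2 3 4 1 7 8 9 10 11 | tunnels_not_up
printf '%s\n' "$SAMPLE_ROWS" | decode_tunnels
```
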
