Easy VPN Debug Tool

CLI command

This tool creates a VPN debug with one CLI command:

evpn -d        -> Creates all VPN debug files ike.elg and vpnd.elg
evpn -d -m     -> Creates all VPN debug files ike.elg, vpnd.elg and a fw monitor capture file of all network packets

evpn -o        -> Shows overlapping encdoms 'overlap_encdom'
evpn -r        -> Shows VPN routes 'fw tab -t vpn_routing -u'
evpn -t        -> Shows tunnel list 'vpn tu tlist'
evpn -v        -> Shows the vpn tu tool 'vpn tu'

Install

Copy and paste the following script block to the Check Point gateway:

curl_cli -k http://www.ankenbrand24.de/inst_evpn > /tmp/inst_evpn && chmod 770 /tmp/inst_evpn && /tmp/inst_evpn

Script

cat <<EOT > /usr/bin/evpn
#!/bin/bash

# trap ctrl-c and call ctrl_c()
trap ctrl_c INT
FWMONITOR="off";
FILTER_SHOW="off";
FWDEBUG="off";
FWDEBUG_SHOW="off";
NOW=\$(date +"%Y_%m_%d_%H%M");
FILE_PATH="/var/log/";
REMOTE_FILE="\$FILE_PATH\$NOW-evpn.tgz";
echo -e "\e[7m";
clear;
printf '%.s-' {1..78};echo;
echo '- Easy VPN Debug Tool v1.3                 - Copyright Heiko Ankenbrand 2020 -';
printf '%.s-' {1..78};
echo -e "\e[0m";
echo;
POSITIONAL=();
while [[ \$# -gt 0 ]]
do
key="\$1"
case \$key in
    -h|--help|-\?)
       shift;
       echo;echo 'Help: ';echo;
       echo "-t                         Displays the tunnel list 'vpn tu tlist'";
       echo "-r                         Displays the vpn routes 'fw tab -t vpn_routing -u'";
       echo "-o                         Displays the overlapping encdoms 'vpn overlap_encdom'";
       echo "-v                         Displays the vpn tu tool 'vpn tu'";echo;
       echo "-d                         Execute a full VPN debug (sk34467, sk89940)";
       echo "                             # vpn debug trunc";
       echo "                             # vpn debug on";
       echo "                             # vpn debug ikeon";
       echo "                             # vpn debug on TDERROR_ALL_ALL=5";
       echo "                             >>> VPN ISSUE <<<";
       echo "                             CTRL-C        ---> Stop debug";
       echo "                             # vpn debug off";
       echo "                             # vpn debug ikeoff";
       echo "                             # vpn debug truncoff";
       echo;
       echo "Options for full VPN debug:";
       echo "-s                         Show live debug output";
       echo "-m                         Enable fw monitor for all packets.";
       echo "-f <display filter>        Set display filter, for example 'ike'.";echo;
       echo "Example filter:";
       echo "           CPTLS           SSL VPN connections (VPN Capsule client)";
       echo "           ike             IKE VPN connections (Site to Site VPN)";echo;
       exit 0;
    ;;
    -m)
       shift;
       FWMONITOR="on";
    ;;
    -f)
       FILTER_SHOW="\$2";
       shift;
       shift;
    ;;
    -r)
       shift;
       echo; echo "VPN routing:";echo;
       fw tab -t vpn_routing -u | awk 'NR>3 {\$0=substr(\$0,2,28); gsub(", ", ""); gsub("; ", ""); gsub("..", "0x& "); print}' | xargs printf "%d.%d.%d.%d\t-\t%d.%d.%d.%d\tPeer: %d.%d.%d.%d\r\n" | sort -k1n,1;
       echo;
       exit 0;
    ;;
     -v)
       shift;
       function ctrl_c() {
                echo;
                exit 0;
           }
       vpn tu;
       exit 0;
    ;;
     -o)
       shift;
       echo; echo "Overlapping VPN encryption domains:";echo;
       vpn overlap_encdom;
       echo;
       exit 0;
    ;;
     -t)
       shift;
       echo; echo "VPN tunnel list:";echo;
       vpn tu tlist;
       echo;
       exit 0;
    ;;
     -d)
       shift;
       FWDEBUG="on";
    ;;
    
     -s)
       shift;
       FWDEBUG_SHOW="on";
    ;;

    *)    # unknown option
    #echo "unknown"
    POSITIONAL+=("\$1") # save it in an array for later
    shift
    ;;
esac
done
if [ "\$FWDEBUG" == "on" ] ;
   then
   FWMON_PID="";
   if [ "\$FWMONITOR" == "on" ] ;
      then
        echo "Start fw monitor for all packets. ";
        #echo "EASY VPN DEBUG TOOL: Start fw monitor for all packets." >> \$FWDIR/log/vpnd.elg;
        fw monitor -e "accept;" -o /var/log/evpn_fw_mon.cap &> /dev/null &
        # Keep the PID: a background job of a non-interactive script ignores SIGINT,
        # so CTRL-C alone would not stop fw monitor and the .cap would be archived while still open.
        FWMON_PID=\$!;
   fi
   vpn debug trunc
   vpn debug on
   vpn debug ikeon
   vpn debug on TDERROR_ALL_ALL=5;
   
   function ctrl_c() {
        echo; echo "VPN debug stop"; echo;
        vpn debug off;
        vpn debug ikeoff;
        vpn debug truncoff;
        if [ -n "\$FWMON_PID" ] ;
           then
              # Stop the capture and wait for it so the .cap file is complete before it is archived.
              kill \$FWMON_PID &> /dev/null ;
              wait \$FWMON_PID &> /dev/null ;
        fi
        echo "EASY VPN DEBUG TOOL: VPN debug stop CTRL-C" >> \$FWDIR/log/vpnd.elg
        echo "   # vpn debug off";
        echo "   # vpn debug ikeoff";
        echo "   # vpn debug truncoff";
        echo;echo -e "Create tgz file...";
        tar -czf \$REMOTE_FILE \$FWDIR/log/ike.elg* \$FWDIR/log/vpnd.elg* /var/log/evpn_fw_mon.cap &> /dev/null ;
        echo;echo "   Tar file location: \$REMOTE_FILE";echo;
        echo "   Included file: \$FWDIR/log/ike.elg";
        echo "   Included file: \$FWDIR/log/vpnd.elg";
        if [ "\$FWMONITOR" == "on" ] ;
           then
              echo "   Included file: /var/log/evpn_fw_mon.cap"; 
        fi
        echo;
        rm /var/log/evpn_fw_mon.cap &> /dev/null ;
        exit 0
   }
   # echo "EASY VPN DEBUG TOOL: VPN debug start" >> \$FWDIR/log/vpnd.elg
   echo "VPN debug start ";echo;
   echo "   # vpn debug trunc";
   echo "   # vpn debug on";
   echo "   # vpn debug ikeon";
   echo "   # vpn debug on TDERROR_ALL_ALL=5";
   if [ "\$FWMONITOR" == "on" ] ;
      then
      echo "   # fw monitor -e 'accept;' -o /var/log/evpn_fw_mon.cap";
   fi
   echo;echo " >>> Wait until the issue occurs <<<";
   echo -e "\e[7m";
   echo "      Stop VPN debug with CTRL-C     ";
   echo -e "\e[0m";
   
   if [ "\$FWDEBUG_SHOW" == "on" ] ;
      then
        echo;echo;
        if [ "\$FILTER_SHOW" == "off" ] ;
           then
             tail -f \$FWDIR/log/vpnd.elg
         else
             tail -f \$FWDIR/log/vpnd.elg | grep "\[\$FILTER_SHOW"
         fi
      else 
      sleep 10000000;
   fi 
   # Reached only if the live output ends without CTRL-C: stop the debug and the capture here as well.
   vpn debug off
   vpn debug ikeoff
   vpn debug truncoff;
   if [ -n "\$FWMON_PID" ] ;
      then
         kill \$FWMON_PID &> /dev/null ;
   fi
   
else
   echo;echo "Please start 'evpn -h' for help.";echo;
fi
EOT
chmod 770 /usr/bin/evpn;

Version

1.0         06-25-2020                      EA version
1.1         06-27-2020                      bugfix
1.2         06-28-2020                      GA version
1.3         06-30-2020                      include all ike.elg* and vpnd.elg* files
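
The install step above fetches inst_evpn over plain HTTP with curl_cli and executes it straight away as root on the gateway, so anyone who can sit between the gateway and www.ankenbrand24.de can substitute the installer. The bash script below is an added example and is not part of the original post or of the author's tool: it downloads into a private temporary directory, compares the SHA-256 with a value obtained out of band, and only then runs the installer. The placeholder EXPECTED_SHA256, the function names and the --fetch flag are assumptions; the page publishes no hash, so the real value has to come from the author through a channel you trust.

```shell
#!/bin/bash
# Added example (not the original post's code): install evpn only after the
# downloaded installer matches a SHA-256 obtained out of band, instead of
# executing an unauthenticated plain-HTTP download immediately as root.

INSTALLER_URL="http://www.ankenbrand24.de/inst_evpn"   # URL from the original post
# Placeholder (assumption): replace with the hash the author gives you out of band.
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Print the SHA-256 of a file (sha256sum is part of coreutils on Gaia).
file_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# Install SRC to DEST only if its SHA-256 equals EXPECTED.
# Returns 0 after installing, 1 on mismatch (nothing is copied or executed then).
verify_and_install() {
    local src="$1" expected="$2" dest="$3"
    local actual
    actual="$(file_sha256 "$src")"
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $src: got $actual, expected $expected" >&2
        return 1
    fi
    # root-owned, not world-readable or world-executable
    install -m 0750 "$src" "$dest"
    return 0
}

# Fetch with curl_cli (the curl bundled with Check Point), keep it in a
# private temp dir, verify, then run. Only invoked with --fetch so the two
# functions above can be exercised offline on a local file.
fetch_verify_run() {
    local tmpdir
    tmpdir="$(mktemp -d /tmp/evpn.XXXXXX)"
    curl_cli -sS -o "$tmpdir/inst_evpn" "$INSTALLER_URL"
    if verify_and_install "$tmpdir/inst_evpn" "$EXPECTED_SHA256" "$tmpdir/inst_evpn.verified"; then
        "$tmpdir/inst_evpn.verified"
    else
        echo "Refusing to run unverified installer" >&2
        rm -rf "$tmpdir"
        return 1
    fi
    rm -rf "$tmpdir"
}

if [ "${1:-}" = "--fetch" ]; then
    fetch_verify_run
fi
```

Run the script with --fetch on the gateway after replacing EXPECTED_SHA256. The hash check and the copy are separate functions so the refusal path can be tried on a local file before the script ever touches the network; a mismatch leaves nothing executable behind.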

Hi @HeikoAnkenbrand,

What exactly does this script do?
So I don't have to type in all VPN debug commands anymore!

Am I getting this right?


Accepted solution:

Hi @Nauuk_K,

The script executes the following vpn debug commands:

vpn debug trunc
vpn debug on
vpn debug ikeon
vpn debug on TDERROR_ALL_ALL=5;

>>> Wait for the vpn error <<<

vpn debug off
vpn debug ikeoff
vpn debug truncoff;
