This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
babicmilan
Collaborator
‎2023-10-02 12:50 AM

S2S VPN tunnel

How to find for S2S VPN tunnel for defined date,  time when tunnel is created, time when is down in logs?


For example, I want to find in logs when S2S VPN tunnel is created on 29.09.2023. for peer 81.93.73.155?

 

Is it enough to find IKE logs for peer 81.93.73.155 on date 29.09.2023.?

 

Best regards

 

 

0 Kudos
13 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-10-02 01:10 AM

Look for Key Install Events - you should see at least one Key Install for Quick Mode and one for Main Mode complete. Also tunnel down is a Key Install log.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
babicmilan
Collaborator
‎2023-10-02 02:12 AM
In response to G_W_Albrecht

29 Sep 23, 9:09:49 AM Informational Exchange Received Notification from Peer: Responder Lifetime(phase1)

29 Sep 23, 9:29:16 AM Informational Exchange Received Notification from Peer: Responder Lifetime(phase1)
29 Sep 23, 9:29:16 AM Quick Mode Received Notification from Peer: invalid id information
29 Sep 23, 9:29:16 AM Informational Exchange Received Delete IKE-SA from Peer: 81.93.73.155; Cookies: 6288df3d467a54f9-24dc01cea79c573e

29 Sep 23, 9:32:28 AM Informational Exchange Received Notification from Peer: Responder Lifetime(phase1)
29 Sep 23, 9:32:28 AM Quick Mode Received Notification from Peer: invalid id information
29 Sep 23, 9:32:28 AM Informational Exchange Received Delete IKE-SA from Peer: 81.93.73.155; Cookies: cfee3d114ade6c26-7164d994f8d95749 

29 Sep 23, 9:35:17 AM Quick Mode Received Notification from Peer: invalid id information
29 Sep 23, 9:35:17 AM Informational Exchange Received Delete IKE-SA from Peer: 81.93.73.155; Cookies: 5fa2520d840b9d04-82eb57ebb5e31265 

29 Sep 23, 9:43:41 AM Informational Exchange Received Notification from Peer: Responder Lifetime(phase1)
29 Sep 23, 9:43:41 AM Quick Mode Received Notification from Peer: invalid id information
29 Sep 23, 9:43:41 AM Informational Exchange Received Delete IKE-SA from Peer: 81.93.73.155; Cookies: 5e3d5c7ac2ec55a4-ed9a9498f5bf9339 

29 Sep 23, 9:45:13 AM Informational Exchange Received Notification from Peer: Responder Lifetime(phase1)


0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-10-02 02:19 AM
In response to babicmilan

So what ? You did not write that VPN does not work, look at https://support.checkpoint.com/results/sk/sk108600

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
babicmilan
Collaborator
‎2023-10-02 02:18 AM
In response to G_W_Albrecht

Hello, I send to you logs on 29 Sep 23 for peer 81.93.73.155 between 6-11 AM

Please let me know on which time S2S VPN tunnel is created and when is down?

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-10-02 03:25 AM
In response to babicmilan

Please explain what you want to achieve - and why i should analyze your logs without cause ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
babicmilan
Collaborator
‎2023-10-02 05:03 AM
In response to G_W_Albrecht

Hello, regarding this logs, I want to know when S2S tunnel was up and when was down.

Is it possible to know this information based on "Key Install" logs.

 

Best regards.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-10-02 05:47 AM
In response to babicmilan

Easy - it was down starting somewhere before 29 Sep 23, 9:29:16 until before 29 Sep 23, 9:45:13.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-02 06:35 AM
In response to babicmilan

The Key Install logs are a good indication of when the tunnel came up.
Tunnels "exist" so long as there is traffic flowing through them and/or the various IPsec timers do not expire.
Short of some sort of debugging mode, I don't believe we log anything that might be interpreted as a "tunnel down" event.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-10-02 06:46 AM
In response to babicmilan

See...unfortunately, CP does not have an easy way of telling such info, unlike some other fw vendors, so what @G_W_Albrecht gave you is probably your best bet.

You can verify with TAC to see if they have better method, but personally, I never heard of any.

Andy

Best,
Andy
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-10-02 11:59 PM
In response to the_rock

I found customers using ping from one peer network node to another to monitor this 8)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-10-03 04:52 AM
In response to G_W_Albrecht

I would NOT call such a method a monitoring tool 🤣🤣🤣

Andy

Best,
Andy
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-10-03 06:34 AM
In response to the_rock

Maybe not - but it does

- try to keep the tunnel up all the time

- logs when the  tunnel goes down

- logs when the tunnel came up again

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-10-03 09:21 AM
In response to G_W_Albrecht

I guess thats the best method in this case lol

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events