Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
D_A
Explorer
Jump to solution

Viewing concurrent tunnels information

Hello all,

I'm hoping someone can provide me with some information on how I can obtain a specific statistic. I'm looking to understand the level at which the 'concurrent tunnels' is running at so that I can compare this to the limit that is in place.

I've been able to view the number of concurrent 'connections' but I need to run the equivalent for concurrent tunnels. If someone could advise on any commands that I could run, or whether this information is accessible elsewhere, that would be great.

Thanks in advance.

1 Solution

Accepted Solutions
Louis_Poulin
Collaborator

The reason why the tunnel was shown as "Down" is because it is configured as a "Permanent" tunnel when it should not have been configured as such.

Permanent tunnels are for Check Point to Check Point VPN tunnels. In this case, there is something else than a Check Point firewall at the other end.

From the documentation:

" A VPN tunnel is monitored by periodically sending "tunnel test" packets. As long as responses to the packets are received the VPN tunnel is considered "up." If no response is received within a given time period, the VPN tunnel is considered "down." Permanent Tunnels can only be established between Check Point Security Gateways."

View solution in original post

15 Replies
Timothy_Hall
Champion
Champion

Keep in mind that there are IKE/P1 and IPSEC/P2 tunnels for each connection to a VPN peer, along with inbound and outbound tunnels/SAs for each.  Every individual tunnel/SA is represented by a SPI.

If you are using R80.10 on your firewall, this is pretty easy though: vpn tu mstats, and use command vpn tu tlist for more specific information about a tunnel.  

For R77.30 and earlier you could use:

fw tab -s -t inbound_SPI

fw tab -s -t outbound_SPI

Also give this a try:

fw tab -u -t peers_count

Check out this rather lengthy but invaluable SK for more information: sk104760: ATRG: VPN Core

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Vladimir
Champion
Champion

Good place to start will be by using:

cpstat -f all vpn

from Clish.

For tunnel manipulation, you can use the:

vpn tu

from Expert mode.

And if you are working with remote access vpns specifically, use:

pep show user all

from Expert mode

Cheers,

Vladimir

PhoneBoy
Admin
Admin

There's also SmartView Monitor.

In R80+: 

  • Open SmartConsole > Logs & Monitor.
  • Open the catalog (new tab).
  • Click Tunnel & User Monitoring.

See also: Logging and Monitoring R80.10 (Part of Check Point Infinity) 

0 Kudos
Louis_Poulin
Collaborator

Hello Dameon,

I'm trying to follow your advice, but I run into particular behavior.

In SmartView Monitor R80.10 using VSX gateways, when I go to Tunnels -> Permanent Tunnels for example, I can see a list of my VPN tunnels, but it says their state is all "Down", when in fact they are all up and running.

Furthermore, if I want to see the "Top IP", I get the error message shown in this print screen:

Any ideas? Thanks in advance!

0 Kudos
PhoneBoy
Admin
Admin
Is Monitoring enabled on the gateway, as noted in the error message?
0 Kudos
Louis_Poulin
Collaborator

Yes, it is enabled, sorry I forgot to mention it.

We are talking about this, right?

PhoneBoy
Admin
Admin

That's what I was talking about.

Maybe worth a TAC case.

0 Kudos
Steve_Vandegaer
Contributor
0 Kudos
Alexei_Cornea
Explorer

Hello,

In my SmartView Monitor I see only a few options in the left menu, how I can have all that are shown in your screenshot?

Thanks,

Alexei

 

Louis_Poulin
Collaborator

The reason why the tunnel was shown as "Down" is because it is configured as a "Permanent" tunnel when it should not have been configured as such.

Permanent tunnels are for Check Point to Check Point VPN tunnels. In this case, there is something else than a Check Point firewall at the other end.

From the documentation:

" A VPN tunnel is monitored by periodically sending "tunnel test" packets. As long as responses to the packets are received the VPN tunnel is considered "up." If no response is received within a given time period, the VPN tunnel is considered "down." Permanent Tunnels can only be established between Check Point Security Gateways."

Mike_Jensen
Advisor

Is there a command I can run on my 80.30 gateway to see encrypt / decrypt traffic or tx and rx for a specific IPSsec VPN peer?

It seems cpstat -f all vpn shows me the info for all, I want to just look at one peer gateway / vpn at a time to see how much traffic is traversing inbound and out at any given time.

0 Kudos
Timothy_Hall
Champion
Champion

Not sure if it still works, but try this from the SmartView Monitor.  The monitoring blade will most definitely need to be enabled on the relevant gateway; this view will show top connections and a summary of all bandwidth usage by the VPN tunnel in the upper-right corner of the report.

vpn.png

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Mike_Jensen
Advisor

I am assuming I will need a monitoring blade license?

0 Kudos
Timothy_Hall
Champion
Champion

Yes and monitoring enabled on the gateway/cluster object.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
gracemaina
Explorer

Thanks a lot for this useful information. I was actually experiencing the same scenario and disabling the Permanent Tunnels has worked for my case.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events