Create a Post
Showing results for 
Search instead for 
Did you mean: 

site to site VPN

For IPsec tunnel troubleshooting, after disabling the secureXL, when I run fwmonitor  with src and dest IP address,what should I expect to see?

will I see both (i, I) and Both (o,O) for the  traffic?

3 Replies

I always like to get packet captures without any filtering and I will filter later on in wireshark. 

For R77.30 and lower versions, if you are filtering for the interesting traffic src and destination you suppose to see the clear packet in the following positions i I o and O you suppose to see the ESP packet which will have the public IPs of the endpoint of the vpn.

For R80.10 since Corexl Is enabled for VPN in fw monitor checkpoint introduced 2 other positions e and E. because the traffic will be sent to a core that handles the connecion after that it will be forwarded to another core to do the encryption

you suppose to see the clear packet in position i I o O e and you will see the esp packet at E position.



will I see "e" also ?

0 Kudos

If you take a look on whole chain in your actual system, then you can se it is possible to run fw monitor on much more places then just default state.

Here is chain example (note - Acceleration enabled):

[Expert@FWHOST:0]# fw ctl chain
in chain (15):
0: -7f800000 (f5b395b0) (ffffffff) IP Options Strip (in) (ipopt_strip)
1: - 2000000 (f544bb00) (00000003) vpn decrypt (vpn)
2: - 1fffffa (f5466460) (00000001) l2tp inbound (l2tp)
3: - 1fffff8 (f5b3aca0) (00000001) Stateless verifications (in) (asm)
4: - 1fffff2 (f54888f0) (00000003) vpn tagging inbound (tagging)
5: - 1fffff0 (f544a4a0) (00000003) vpn decrypt verify (vpn_ver)
6: - 1000000 (f5c0d820) (00000003) SecureXL conn sync (secxl_sync)
7: 0 (f5ad9390) (00000001) fw VM inbound (fw)
8: 2000000 (f5449a60) (00000003) vpn policy inbound (vpn_pol)
9: 10000000 (f5c18070) (00000003) SecureXL inbound (secxl)
10: 7f600000 (f5b2d990) (00000001) fw SCV inbound (scv)
11: 7f730000 (f5d40760) (00000001) passive streaming (in) (pass_str)
12: 7f750000 (f5f53920) (00000001) TCP streaming (in) (cpas)
13: 7f800000 (f5b392c0) (ffffffff) IP Options Restore (in) (ipopt_res)
14: 7fb00000 (f633d240) (00000001) HA Forwarding (ha_for)
out chain (13):
0: -7f800000 (f5b395b0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1ffffff (f5449260) (00000003) vpn nat outbound (vpn_nat)
2: - 1fffff0 (f5f53bb0) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (f5d40760) (00000001) passive streaming (out) (pass_str)
4: - 1ff0000 (f54888f0) (00000003) vpn tagging outbound (tagging)
5: - 1f00000 (f5b3aca0) (00000001) Stateless verifications (out) (asm)
6: 0 (f5ad9390) (00000001) fw VM outbound (fw)
7: 2000000 (f5449270) (00000003) vpn policy outbound (vpn_pol)
8: 10000000 (f5c18070) (00000003) SecureXL outbound (secxl)
9: 1ffffff0 (f54670d0) (00000001) l2tp outbound (l2tp)
10: 20000000 (f544c600) (00000003) vpn encrypt (vpn)
11: 7f700000 (f5f53df0) (00000001) TCP streaming post VM (cpas)
12: 7f800000 (f5b392c0) (ffffffff) IP Options Restore (out) (ipopt_res)

SK for FW monitor is much more fine than in the past. So try to look there for examples and syntax - sk30583


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events