VPN confirmation routing (sniffer)



We have a VPN configured. The VPN was OK, but suddenly stopped working. The VPN is UP. We see in the logs that our customer traffic is "being encrypted by the correct community". But on the other peer (FortiGate) they don't receive any traffic.

So is there any way to check on the Check Point that the traffic is being properly sent through the "tunnel"?

Should we see these ICMP requests with a tcpdump?

tcpdump -i any host <peer-IP>

0 Kudos
5 Replies


Try using the command vpn tu to see the established tunnels:

Here are the options it gives:


********** Select Option **********

(1) List all IKE SAs
(2) * List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) * List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users

* To list data for a specific CoreXL instance, append "-i <instance number>" to your selection.

(Q) Quit


0 Kudos

I reset phase 1 and phase 2 with vpn tu and the VPN is working fine.

Why does the VPN go down when no traffic is flowing, and then we need to reset the tunnel to bring it back up?



0 Kudos

It's hard to tell why the VPN tunnel goes down when there is no traffic.

If you encounter it again, I suggest opening a Support Request with TAC.


Best wishes


0 Kudos

Check the re-key times at both ends and also ask them if they have enabled the "re-key every so many KBytes" option; the latter is dropping the tunnel from their end and tries to restart the tunnel, but the CP side does not accept the drop of the tunnel and holds on to the old SA.
Regards, Maarten
0 Kudos

Lifetime is the same (in seconds). When the issue happens, the IKE is OK:


Peer 82.x.x.x.x , GW-HH SAs:

IKE SA <0368bade7f351ed5,c8a7cfe223eed1f9>

IKE SA <70b5afdce3c2b4cd,d0ee1b646bc98d11>


But there is no phase 2.

And looking at the tunnel monitor "tunnel on gateway" in SmartDashboard, the source IP for the VPN is missing. N/A.

When we reset the tunnel with "vpn tu" the source IP is shown again in the monitor.


0 Kudos

