Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Jesus_Cano
Collaborator

VPN confirmation routing (sniffer)

Hi,

 

We have a VPN configured. The VPN was OK, but suddenly stop working. VPN is UP. We see in logs that the our customer traffic is "being encripted by the correct community". But in the another peer (foritgate) they don receive any traffic. 

So is there any way to check in the checkpoint that the traffic is being properly sent by the "tunnel".

We should see these icmp requests with a tcpdump?

tcpdump -any 'host 172.17.1.15'

0 Kudos
5 Replies
Tal_Paz-Fridman
Employee
Employee

Hi

Try using the command vpn tu to see the established tunnels:

Here are the options is gives:

 

********** Select Option **********

(1) List all IKE SAs
(2) * List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) * List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users

* To list data for a specific CoreXL instance, append "-i <instance number>" to your selection.

(Q) Quit

*******************************************

0 Kudos
Jesus_Cano
Collaborator

I reset phase 1 y phase 2 with vpn tu and the VPN is working fine.

Why the VPN goes down when not traffic is flowing and then we need to reset tunnel to go back on???

 

 

0 Kudos
Tal_Paz-Fridman
Employee
Employee

It's hard to tell why why the VPN tunnel goes down when there is no traffic.

If you are encounter it again I suggest opening a Support Request with TAC.

 

Best wishes

Tal

0 Kudos
Maarten_Sjouw
Champion
Champion

Check the re-key times at both ends and also ask them if they have enabled the "re-key every so many KBytes"option, the latter is dropping the tunnel from their end and tries to restart the tunnel but the CP side does not accept the drop of the tunnel and holds on to the old SA.
Regards, Maarten
0 Kudos
Jesus_Cano
Collaborator

Lifetime is the same (in seconds). Whne the issue happens, the IKE is OK:

 

Peer 82.x.x.x.x , GW-HH SAs:

IKE SA <0368bade7f351ed5,c8a7cfe223eed1f9>

IKE SA <70b5afdce3c2b4cd,d0ee1b646bc98d11>

 

But there is not phase2.

And seeing in the tunnel monitor "tunnel on gateway"in smartdasboarh, the source IP for the VPN is missing. N/A.

When we reset the tunnel with "vpn tu" the sourceIP is showed again in monitor.

  

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events