
Debug with ikeview

Hello folks,

 

I have a simple question. I need to troubleshoot one site-to-site VPN tunnel: is it safe to use the ikeview tool to analyze the logs on a heavy (a lot of traffic and users) production firewall?

Does this tool not have the ability to take down a firewall (stop it working when in debug mode)?

 

Thanks in advance guys

6 Replies

IkeView is an offline viewer for the files generated by the VPN debug and IKE debug commands "vpn debug on" and "vpn debug ikeon", or by the combined command "vpn debug trunc".

 

As per CP sk63560:

Warning: Part of this SK requires the performing of a Kernel Debug. Due to the potential for high load conditions and performance impact, up to and including Kernel Panic, it is not recommended to perform a kernel debug during normal Business hours. While a kernel panic is unlikely it is recommended to perform kernel debugs during a maintenance window where issues such as high loads and kernel panics can be addressed without negatively affecting production.


Hi,

Sorry for the misunderstanding. What I meant to say is: is it safe to enable debug mode on a production firewall, to analyze the output later with ikeview?

Thanks in advance.


@Luis_Filipe , IMHO: nope, it is not safe to do it in production. It should be reserved for the situations when NOT doing it has worse consequences than those described in the "Warning" in my previous post.

I am sure that there are plenty of people here that may disagree with me though, and I would like for them to chime in here.

@PhoneBoy, @Danny, @HeikoAnkenbrand and @Timothy_Hall, please state your opinion on debugs in production and whether you think that CP warning is overblown.

Thanks,

Vladimir


If a firewall is heavily loaded, adding debugging messages into the mix can definitely make things worse.
Kernel debugs in particular can be problematic, debugs of individual user processes, less so.
TAC may be able to suggest the "least impactful" way to debug the problem.

In such situations I quickly set up another Check Point Security Gateway (VM), enabled SIC and VPN, and troubleshot the specific VPN tunnel on this gateway to make sure nothing was impacting production. After everything was clear I switched the VPN tunnel back to the main gateway and deleted the testing machine.


As long as you are doing "vpn debug" style commands and not kernel debugs (fw ctl debug) it is pretty safe, as "vpn debug" is just switching on debugs in the vpnd daemon. Even if there is a runaway debug it will not impact the bulk of traffic operations happening in the kernel, including encrypt/decrypt operations for existing VPN tunnels. If somehow vpnd crashes or becomes impaired, new IKE negotiations cannot occur, and certain types of Remote Access VPN traffic (such as Visitor Mode and NAT-T) will be impacted. However, vpnd is a child process of fwd, which will instantly restart vpnd if it dies.

 

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
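A time-bounded capture wrapper in the spirit of the "vpn debug, not kernel debug" advice above, added here as an example (it is not Check Point's tooling nor any poster's code). It assumes the standard gateway layout where FWDIR is exported and vpnd writes $FWDIR/log/ike.elg and $FWDIR/log/vpnd.elg, uses `vpn debug trunc` / `vpn debug off` / `vpn debug ikeoff` as the toggles, and adds a hypothetical VPN_CMD override so the script can be dry-run off a gateway.

```shell
#!/bin/bash
# Added example: bounded vpnd-level IKE debug capture for offline analysis in
# IkeView. Only "vpn debug" (userspace vpnd) is ever issued, never "fw ctl
# debug" (kernel), and the debug is switched off again even on interruption.
# Assumptions: FWDIR is exported on the gateway; vpnd writes $FWDIR/log/ike.elg
# and $FWDIR/log/vpnd.elg; VPN_CMD (hypothetical) can be set to "true" to dry-run.
set -u
VPN_CMD="${VPN_CMD:-vpn}"

# Classify a debug command: userspace (vpnd) vs kernel (fw ctl debug/kdebug).
classify_debug_cmd() {
    case "$1" in
        "vpn debug "*)                    echo userspace ;;
        "fw ctl debug"*|"fw ctl kdebug"*) echo kernel ;;
        *)                                echo unknown ;;
    esac
}

# Issue a vpn subcommand and record it, leaving an audit trail of what was toggled.
run_vpn() {
    echo "$(date -u +%FT%TZ) $VPN_CMD $*" >> "$CAPTURE_LOG"
    "$VPN_CMD" "$@"
}

# Idempotent: safe to call from the trap and from the normal path.
stop_debug() {
    [ -n "${DEBUG_STOPPED:-}" ] && return 0
    DEBUG_STOPPED=1
    run_vpn debug off
    run_vpn debug ikeoff
    trap - EXIT INT TERM
}

# capture_ike_debug SECONDS OUTDIR: truncate old .elg files and enable debug,
# wait for the tunnel attempt window, disable, then copy the files for IkeView.
capture_ike_debug() {
    local seconds="$1" outdir="$2" f
    : "${FWDIR:?FWDIR must be set (exported on a Check Point gateway)}"
    mkdir -p "$outdir"
    CAPTURE_LOG="$outdir/debug-commands.log"
    DEBUG_STOPPED=""
    trap stop_debug EXIT INT TERM        # never leave vpnd debugging on
    run_vpn debug trunc                  # clears ike.elg/vpnd.elg, enables debug
    sleep "$seconds"                     # reproduce the tunnel problem in this window
    stop_debug
    for f in ike.elg vpnd.elg; do
        [ -f "$FWDIR/log/$f" ] && cp "$FWDIR/log/$f" "$outdir/"
    done
    ls "$outdir"
}
```

Open the copied ike.elg in IkeView on a workstation; the debug-commands.log records when debug was switched on and off.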