Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Luis_Filipe
Participant

Debug with ikeview

Hello folks,

 

I have a simple question, I need to troubleshooting one VPN site-to-site tunnel, it's safe to use ikeview tool to analyze the logs on a heavy (a lot of traffic and users) production firewall?

This tool does not have the ability to land a firewall (Stop working on debug mode)?

 

Thanks in advance guys

0 Kudos
6 Replies
Vladimir
Champion
Champion

IkeView is an offline viewer for the files generated with VPN debug and ike debug commands "vpn debug on" and "vpn debug ikeon" or a combo command "vpn debug trunc".

 

As per CP sk63560:

Warning: Part of this SK requires the performing of a Kernel Debug. Due to the potential for high load conditions and performance impact, up to and including Kernel Panic, it is not recommended to perform a kernel debug during normal Business hours. While a kernel panic is unlikely it is recommended to perform kernel debugs during a maintenance window where issues such as high loads and kernel panics can be addressed without negatively affecting production.

0 Kudos
Luis_Filipe
Participant

Hi,

Sorry for the misunderstanding, what I meant to say is: it is safe to enable debug mode on a production firewall to analyze later with ikeview?

Thanks in advance.

0 Kudos
Vladimir
Champion
Champion

@Luis_Filipe , IMHO: nope, it is not safe to do it in production. It should be reserved for the situations when NOT doing it has worse consequences than those described in the "Warning" in my previous post.

I am sure that there are plenty of people here that may disagree with me though, and I would like for them to chime in here.

@PhoneBoy  @Danny , @HeikoAnkenbrand and @Timothy_Hall , please state your opinion on debugs in production and if you think that CP Warning is overblown.

Thanks,

Vladimir

PhoneBoy
Admin
Admin

If a firewall is heavily loaded, adding debugging messages into the mix can definitely make things worse.
Kernel debugs in particular can be problematic, debugs of individual user processes, less so.
TAC may be able to suggest the "least impactful" way to debug the problem.
0 Kudos
Danny
Champion Champion
Champion

In such situations I quickly set up a another Check Point Security Gateway (VM), enabled SIC and VPN and troubleshooted the specific VPN tunnel on this gateway to make sure nothing is impacting production. After everything is clear I switched back the VPN tunnel to the main gateway and deleted the testing machine.

0 Kudos
Timothy_Hall
Champion
Champion

As long as you are doing "vpn debug" style commands and not kernel debugs (fw ctl debug) it is pretty safe as "vpn debug" is just switching on debugs in the vpnd daemon.  Even if there is a runaway debug it will not impact the bulk of traffic operations happening in the kernel including encrypt/decrypt operations for existing VPN tunnels.  If somehow vpnd crashes or becomes impaired new IKE negotiations cannot occur, and certain types of Remote Access VPN traffic (such as Visitor mode & NAT-T) will be impacted.  However vpnd is a child process of fwd who will instantly restart vpnd if it dies.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events