## CLI command

This tool creates a VPN debug with one CLI command:

```
evpn -d     -> Creates all VPN debug files ike.elg and vpnd.elg
evpn -d -m  -> Creates all VPN debug files ike.elg, vpnd.elg and a fw monitor capture file of all network packets
evpn -o     -> Shows overlapping encryption domains 'vpn overlap_encdom'
evpn -r     -> Shows VPN routes 'fw tab -t vpn_routing -u'
evpn -t     -> Shows the tunnel list 'vpn tu tlist'
evpn -v     -> Shows the 'vpn tu' tool
```
## Install

Copy and paste the following command from the "Spoiler" block to the Check Point gateway:

```bash
curl_cli -k http://www.ankenbrand24.de/inst_evpn > /tmp/inst_evpn && chmod 770 /tmp/inst_evpn && /tmp/inst_evpn
```
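The install line above fetches inst_evpn over plain HTTP and executes it as downloaded. As an added example (not the tool's own code), here is a small bash wrapper that compares the download's SHA-256 with a value obtained out of band before it is installed; the digest placeholder, the destination path and the `sha256_of` / `verify_and_install` names are assumptions.

```bash
#!/bin/bash
# Added example, not part of the original post: install inst_evpn only after the
# downloaded file matches a known SHA-256. EXPECTED_SHA256 is a placeholder; the
# real value would come from the script's author, separately from the download.
set -u

EXPECTED_SHA256="<sha256-of-inst_evpn-placeholder>"

# sha256_of FILE -> hex digest on stdout (sha256sum on Gaia, shasum as fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_install FILE EXPECTED DEST
# Copies FILE to DEST (mode 0750: like the chmod 770 of the original install
# line but without group write) only when its digest equals EXPECTED;
# otherwise returns 1 and leaves DEST untouched.
verify_and_install() {
    local file="$1" expected="$2" dest="$3"
    local actual
    actual="$(sha256_of "$file")"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual, expected $expected" >&2
        return 1
    fi
    cp "$file" "$dest" && chmod 0750 "$dest"
}

# Usage on the gateway, with the download URL from the install section:
#   curl_cli <URL> > /tmp/inst_evpn \
#     && verify_and_install /tmp/inst_evpn "$EXPECTED_SHA256" /tmp/inst_evpn_verified \
#     && /tmp/inst_evpn_verified
```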
## Script

```bash
cat <<EOT > /usr/bin/evpn
#!/bin/bash
# Easy VPN Debug Tool: wraps the vpn debug / fw monitor commands from sk34467 and sk89940.
# trap ctrl-c and call ctrl_c(); the default handler only exits, the -d branch
# replaces it with one that stops the debug and packs the log files.
trap ctrl_c INT
function ctrl_c() {
    echo;
    exit 0;
}
FWMONITOR="off";
FILTER_SHOW="off";
FWDEBUG="off";
FWDEBUG_SHOW="off";
NOW=\$(date +"%Y_%m_%d_%H%M");
FILE_PATH="/var/log/";
REMOTE_FILE="\$FILE_PATH\$NOW-evpn.tgz";
echo -e "\e[7m";
clear;
printf '%.s-' {1..78};echo;
echo '- Easy VPN Debug Tool v1.3 - Copyright Heiko Ankenbrand 2020 -';
printf '%.s-' {1..78};
echo -e "\e[0m";
echo;
POSITIONAL=();
while [[ \$# -gt 0 ]]
do
    key="\$1"
    case \$key in
        -h|--help|-\?)
            shift;
            echo;echo 'Help: ';echo;
            echo "-t Displays the tunnel list 'vpn tu tlist'";
            echo "-r Displays the vpn routes 'fw tab -t vpn_routing -u'";
            echo "-o Displays the overlapping encryption domains 'vpn overlap_encdom'";
            echo "-v Displays the vpn tu tool 'vpn tu'";echo;
            echo "-d Execute a full VPN debug (sk34467, sk89940)";
            echo "   # vpn debug trunc";
            echo "   # vpn debug on";
            echo "   # vpn debug ikeon";
            echo "   # vpn debug on TDERROR_ALL_ALL=5";
            echo "   >>> VPN ISSUE <<<";
            echo "   CTRL-C ---> Stop debug";
            echo "   # vpn debug off";
            echo "   # vpn debug ikeoff";
            echo "   # vpn debug truncoff";
            echo;
            echo "Options for full VPN debug:";
            echo "-s Show live debug output";
            echo "-m Enable fw monitor for all packets.";
            echo "-f <display filter> Set display filter for example 'ike'. ";echo;
            echo "Example filter:";
            echo "   CPTLS   SSL VPN connections (VPN Capsule client)";
            echo "   ike     IKE VPN connections (Site to Site VPN)";echo;
            exit 0;
            ;;
        -m)
            shift;
            FWMONITOR="on";
            ;;
        -f)
            FILTER_SHOW="\$2";
            shift;
            shift;
            ;;
        -r)
            shift;
            echo; echo "VPN routing:";echo;
            # vpn_routing rows hold hex addresses; turn every byte pair into a decimal octet
            fw tab -t vpn_routing -u | awk 'NR>3 {\$0=substr(\$0,2,28); gsub(", ", ""); gsub("; ", ""); gsub("..", "0x& "); print}' | xargs printf "%d.%d.%d.%d\t-\t%d.%d.%d.%d\tPeer: %d.%d.%d.%d\r\n" | sort -k1n,1;
            echo;
            exit 0;
            ;;
        -v)
            shift;
            vpn tu;
            exit 0;
            ;;
        -o)
            shift;
            echo; echo "Overlapping VPN encryption domains:";echo;
            vpn overlap_encdom;
            echo;
            exit 0;
            ;;
        -t)
            shift;
            echo; echo "VPN tunnel list:";echo;
            vpn tu tlist;
            echo;
            exit 0;
            ;;
        -d)
            shift;
            FWDEBUG="on";
            ;;
        -s)
            shift;
            FWDEBUG_SHOW="on";
            ;;
        *) # unknown option
            POSITIONAL+=("\$1") # save it in an array for later
            shift
            ;;
    esac
done
if [ "\$FWDEBUG" == "on" ]; then
    if [ "\$FWMONITOR" == "on" ]; then
        echo "Start fw monitor for all packets. ";
        #echo "EASY VPN DEBUG TOOL: Start fw monitor for all packets." >> \$FWDIR/log/vpnd.elg;
        fw monitor -e "accept;" -o /var/log/evpn_fw_mon.cap &> /dev/null &
    fi
    vpn debug trunc
    vpn debug on
    vpn debug ikeon
    vpn debug on TDERROR_ALL_ALL=5;
    # CTRL-C: stop the debug and pack ike.elg*, vpnd.elg* (and the capture) into one tgz
    function ctrl_c() {
        echo; echo "VPN debug stop"; echo;
        vpn debug off;
        vpn debug ikeoff;
        vpn debug truncoff;
        echo "EASY VPN DEBUG TOOL: VPN debug stop CTRL-C" >> \$FWDIR/log/vpnd.elg
        echo "   # vpn debug truncoff";
        echo "   # vpn debug off";
        echo "   # vpn debug ikeoff";
        echo;echo -e "Create tgz file...";
        tar -czf \$REMOTE_FILE \$FWDIR/log/ike.elg* \$FWDIR/log/vpnd.elg* /var/log/evpn_fw_mon.cap &> /dev/null ;
        echo;echo " Tar file location: \$REMOTE_FILE";echo;
        echo "   Included file: \$FWDIR/log/ike.elg";
        echo "   Included file: \$FWDIR/log/vpnd.elg";
        if [ "\$FWMONITOR" == "on" ]; then
            echo "   Included file: /var/log/evpn_fw_mon.cap";
        fi
        echo;
        rm /var/log/evpn_fw_mon.cap &> /dev/null ;
        exit 0
    }
    # echo "EASY VPN DEBUG TOOL: VPN debug start" >> \$FWDIR/log/vpnd.elg
    echo "VPN debug start ";echo;
    echo "   # vpn debug trunc";
    echo "   # vpn debug on";
    echo "   # vpn debug ikeon";
    echo "   # vpn debug on TDERROR_ALL_ALL=5";
    if [ "\$FWMONITOR" == "on" ]; then
        echo "   # fw monitor -e 'accept;' -o /var/log/evpn_fw_mon.cap";
    fi
    echo;echo " >>> Wait until the issue occurs <<<";
    echo -e "\e[7m";
    echo " Stop VPN debug with CTRL-C ";
    echo -e "\e[0m";
    if [ "\$FWDEBUG_SHOW" == "on" ]; then
        echo;echo;
        if [ "\$FILTER_SHOW" == "off" ]; then
            tail -f \$FWDIR/log/vpnd.elg
        else
            tail -f \$FWDIR/log/vpnd.elg | grep "\[\$FILTER_SHOW"
        fi
    else
        sleep 10000000;
    fi
    vpn debug off
    vpn debug ikeoff
    vpn debug truncoff;
else
    echo;echo "Please start 'evpn -h' for help.";echo;
fi
EOT
chmod 770 /usr/bin/evpn;
```
## Version

- 1.0 06-25-2020 EA version
- 1.1 06-27-2020 bugfix
- 1.2 06-28-2020 GA version
- 1.3 06-30-2020 include all ike.elg* and vpnd.elg* files
Hi @Nauuk_K,

The script executes the following vpn debug commands:

```
vpn debug trunc
vpn debug on
vpn debug ikeon
vpn debug on TDERROR_ALL_ALL=5;
>>> Wait for the vpn error <<<
vpn debug off
vpn debug ikeoff
vpn debug truncoff;
```
Hi @HeikoAnkenbrand,
What exactly does this script do?
So I don't have to type in all VPN debug commands anymore!
Am I getting this right?