Solved: Re: Easy VPN Debug Tool

HeikoAnkenbrand

CLI command

This tool creates a VPN debug with one cli command:

evpn -d -> Creates all VPN debug files ike.elg and vpnd.elg
evpn -d -m -> Creates all VPN debug files ike.elg, vpnd.elg and a fw monitor capture file of all network packages

evpn -o                      -> Shows overlaped encdoms 'overlap_encdom'
evpn -r                      -> Shows vpn routes 'fw tab -t vpn_routing -u'
evpn -t                       -> Shows tunnel list 'vpn tu tlist'
evpn -v                       -> Shows the vpn tu tool 'vpn tu'

Install

"copy and past" the following script block from "Spoiler" to the Check Point gateway:

Click to Expand

curl_cli -k http://www.ankenbrand24.de/inst_evpn > /tmp/inst_evpn && chmod 770 /tmp/inst_evpn && /tmp/inst_evpn

curl_cli -k http://www.ankenbrand24.de/inst_evpn > /tmp/inst_evpn && chmod 770 /tmp/inst_evpn && /tmp/inst_evpn

Script

Click to Expand

cat <<EOT > /usr/bin/evpn
#!/bin/bash

# trap ctrl-c and call ctrl_c()
trap ctrl_c INT
FWMONITOR="off";
FILTER_SHOW="off";
FWDEBUG="off";
FWDEBUG_SHOW="off";
NOW=\$(date +"%Y_%m_%d_%H%M");
FILE_PATH="/var/log/";
REMOTE_FILE="\$FILE_PATH\$NOW-evpn.tgz";
echo -e "\e[7m";
clear;
printf '%.s-' {1..78};echo;
echo '- Easy VPN Debug Tool v1.3                 - Copyright Heiko Ankenbrand 2020 -';
printf '%.s-' {1..78};
echo -e "\e[0m";
echo;
mSITIONAL=();
while [[ \$# -gt 0 ]]
do
key="\$1"
case \$key in
    -h|--help|-\?)
       shift;
       echo;echo 'Help: ';echo;
       echo "-t                         Displays the tunnel list 'vpn tu tlist'";
       echo "-r                         Displays the vpn routes 'fw tab -t vpn_routing -u'";
       echo "-o                         Displays the overlaped encdoms 'overlap_encdom'";
       echo "-v                         Displays the vpn tu tool 'vpn tu'";echo;
       echo "-d                         Execute a full VPN debug (sk34467, sk89940)";
       echo "                             # vpn debug trunc";
       echo "                             # vpn debug on";
       echo "                             # vpn debug ikeon";
       echo "                             # vpn debug on TDERROR_ALL_ALL=5";
       echo "                             >>> VPN ISSUE <<<";
       echo "                             CTRL-C        ---> Stop debug";
       echo "                             # vpn debug off";
       echo "                             # vpn debug ikeoff";
       echo "                             # vpn debug truncoff";
       echo;
       echo "Optitions for full VPN debug:";
       echo "-s                         Show live debug output";
       echo "-m                         Enable fw monitor for all packets.";
       echo "-f <display filter>        Set display filter for example 'ike'. ";echo;
       echo "Example filter:";
       echo "           CPTLS           SSL VPN connections (VPN Capsule client)";
       echo "           ike             IKE VPN connections (Site to Site VPN)";echo;
       exit 0;

       exit 0;
    ;;
    -m)
       shift;
       FWMONITOR="on";
    ;;
    -f)
       FILTER_SHOW="\$2";
       shift;
       shift;
    ;;
    -r)
       shift;
       echo; echo "VPN routing:";echo;
       fw tab -t vpn_routing -u | awk 'NR>3 {\$0=substr(\$0,2,28); gsub(", ", ""); gsub("; ", ""); gsub("..", "0x& "); print}' | xargs printf "%d.%d.%d.%d\t-\t%d.%d.%d.%d\tPeer: %d.%d.%d.%d\r\n" | sort -k1n,1;
       echo;
       exit 0;
    ;;
     -v)
       shift;
       function ctrl_c() {
                echo;
                exit 0;
           }
       vpn tu;
       exit 0;
    ;;
     -o)
       shift;
       echo; echo "Overlapping VPN encryption domains:";echo;
       vpn overlap_encdom;
       echo;
       exit 0;
    ;;
     -t)
       shift;
       echo; echo "VPN tunnel list:";echo;
       vpn tu tlist;
       echo;
       exit 0;
    ;;
     -d)
       shift;
       FWDEBUG="on";
    ;;
    
     -s)
       shift;
       FWDEBUG_SHOW="on";
    ;;

    *)    # unknown option
    #echo "unknown"
    POSITIONAL+=("\$1") # save it in an array for later
    shift
    ;;
esac
done
if [ \$FWDEBUG == "on" ] ;
   then
   if [ \$FWMONITOR == "on" ] ;
      then
        echo "Start fw monitor for all packets. ";
        #echo "EASY VPN DEBUG TOOL: Start fw monitor for all packets." >> \$FWDIR/log/vpnd.elg;
        fw monitor -e "accept;" -o /var/log/evpn_fw_mon.cap &> /dev/null &
   fi
   vpn debug trunc
   vpn debug on
   vpn debug ikeon
   vpn debug on TDERROR_ALL_ALL=5;
   
   function ctrl_c() {
        echo; echo "VPN debug stop"; echo;
        vpn debug off;
        vpn debug ikeoff;
        vpn debug truncoff;
        echo "EASY VPN DEBUG TOOL: VPN debug stop CTRL-C" >> \$FWDIR/log/vpnd.elg
        echo "   # vpn debug truncoff";
        echo "   # vpn debug off";
        echo "   # debug ikeoff";
        echo;echo -e "Create tgz file...";
        tar -czf \$REMOTE_FILE \$FWDIR/log/ike.elg* \$FWDIR/log/vpnd.elg* /var/log/evpn_fw_mon.cap &> /dev/null ;
        echo;echo "   Tar file location: \$REMOTE_FILE";echo;
        echo "   Included file: \$FWDIR/log/ike.elg";
        echo "   Included file: \$FWDIR/log/vpnd.elg";
        if [ \$FWMONITOR == "on" ] ;
           then
              echo "   Included file: /var/log/evpn_fw_mon.cap"; 
        fi
        echo;
        rm /var/log/evpn_fw_mon.cap &> /dev/null ;
        exit 0
   }
   # echo "EASY VPN DEBUG TOOL: VPN debug start" >> \$FWDIR/log/vpnd.elg
   echo "VPN debug start ";echo;
   echo "   # vpn debug trunc";
   echo "   # vpn debug on";
   echo "   # debug ikeon";
   echo "   # vpn debug on TDERROR_ALL_ALL=5";
   if [ \$FWMONITOR == "on" ] ;
      then
      echo "   # fw monitor -e 'accept;' -o /var/log/evpn_fw_mon.cap";
   fi
   echo;echo " >>> Wait until the issue occurs <<<";
   echo -e "\e[7m";
   echo "      Stop VPN debug with CTRL-C     ";
   echo -e "\e[0m";
   
   if [ \$FWDEBUG_SHOW == "on" ] ;
      then
        echo;echo;
        if [ \$FILTER_SHOW == "off" ] ;
           then
             tail -f \$FWDIR/log/vpnd.elg
         else
             tail -f \$FWDIR/log/vpnd.elg | grep "\[\$FILTER_SHOW"
         fi
      else 
      sleep 10000000;
   fi 
   vpn debug off
   vpn debug ikeoff
   vpn debug truncoff;
   
else
   echo;echo "Please start 'evpn -h' for help.";echo;
fi
EOT
chmod 770 /usr/bin/evpn;

cat <<EOT > /usr/bin/evpn #!/bin/bash # trap ctrl-c and call ctrl_c() trap ctrl_c INT FWMONITOR="off"; FILTER_SHOW="off"; FWDEBUG="off"; FWDEBUG_SHOW="off"; NOW=\$(date +"%Y_%m_%d_%H%M"); FILE_PATH="/var/log/"; REMOTE_FILE="\$FILE_PATH\$NOW-evpn.tgz"; echo -e "\e[7m"; clear; printf '%.s-' {1..78};echo; echo '- Easy VPN Debug Tool v1.3 - Copyright Heiko Ankenbrand 2020 -'; printf '%.s-' {1..78}; echo -e "\e[0m"; echo; mSITIONAL=(); while [[ \$# -gt 0 ]] do key="\$1" case \$key in -h|--help|-\?) shift; echo;echo 'Help: ';echo; echo "-t Displays the tunnel list 'vpn tu tlist'"; echo "-r Displays the vpn routes 'fw tab -t vpn_routing -u'"; echo "-o Displays the overlaped encdoms 'overlap_encdom'"; echo "-v Displays the vpn tu tool 'vpn tu'";echo; echo "-d Execute a full VPN debug (sk34467, sk89940)"; echo " # vpn debug trunc"; echo " # vpn debug on"; echo " # vpn debug ikeon"; echo " # vpn debug on TDERROR_ALL_ALL=5"; echo " >>> VPN ISSUE <<<"; echo " CTRL-C ---> Stop debug"; echo " # vpn debug off"; echo " # vpn debug ikeoff"; echo " # vpn debug truncoff"; echo; echo "Optitions for full VPN debug:"; echo "-s Show live debug output"; echo "-m Enable fw monitor for all packets."; echo "-f <display filter> Set display filter for example 'ike'. ";echo; echo "Example filter:"; echo " CPTLS SSL VPN connections (VPN Capsule client)"; echo " ike IKE VPN connections (Site to Site VPN)";echo; exit 0; exit 0; ;; -m) shift; FWMONITOR="on"; ;; -f) FILTER_SHOW="\$2"; shift; shift; ;; -r) shift; echo; echo "VPN routing:";echo; fw tab -t vpn_routing -u | awk 'NR>3 {\$0=substr(\$0,2,28); gsub(", ", ""); gsub("; ", ""); gsub("..", "0x& "); print}' | xargs printf "%d.%d.%d.%d\t-\t%d.%d.%d.%d\tPeer: %d.%d.%d.%d\r\n" | sort -k1n,1; echo; exit 0; ;; -v) shift; function ctrl_c() { echo; exit 0; } vpn tu; exit 0; ;; -o) shift; echo; echo "Overlapping VPN encryption domains:";echo; vpn overlap_encdom; echo; exit 0; ;; -t) shift; echo; echo "VPN tunnel list:";echo; vpn tu tlist; echo; exit 0; ;; -d) shift; FWDEBUG="on"; ;; -s) shift; FWDEBUG_SHOW="on"; ;; *) # unknown option #echo "unknown" POSITIONAL+=("\$1") # save it in an array for later shift ;; esac done if [ \$FWDEBUG == "on" ] ; then if [ \$FWMONITOR == "on" ] ; then echo "Start fw monitor for all packets. "; #echo "EASY VPN DEBUG TOOL: Start fw monitor for all packets." >> \$FWDIR/log/vpnd.elg; fw monitor -e "accept;" -o /var/log/evpn_fw_mon.cap &> /dev/null & fi vpn debug trunc vpn debug on vpn debug ikeon vpn debug on TDERROR_ALL_ALL=5; function ctrl_c() { echo; echo "VPN debug stop"; echo; vpn debug off; vpn debug ikeoff; vpn debug truncoff; echo "EASY VPN DEBUG TOOL: VPN debug stop CTRL-C" >> \$FWDIR/log/vpnd.elg echo " # vpn debug truncoff"; echo " # vpn debug off"; echo " # debug ikeoff"; echo;echo -e "Create tgz file..."; tar -czf \$REMOTE_FILE \$FWDIR/log/ike.elg* \$FWDIR/log/vpnd.elg* /var/log/evpn_fw_mon.cap &> /dev/null ; echo;echo " Tar file location: \$REMOTE_FILE";echo; echo " Included file: \$FWDIR/log/ike.elg"; echo " Included file: \$FWDIR/log/vpnd.elg"; if [ \$FWMONITOR == "on" ] ; then echo " Included file: /var/log/evpn_fw_mon.cap"; fi echo; rm /var/log/evpn_fw_mon.cap &> /dev/null ; exit 0 } # echo "EASY VPN DEBUG TOOL: VPN debug start" >> \$FWDIR/log/vpnd.elg echo "VPN debug start ";echo; echo " # vpn debug trunc"; echo " # vpn debug on"; echo " # debug ikeon"; echo " # vpn debug on TDERROR_ALL_ALL=5"; if [ \$FWMONITOR == "on" ] ; then echo " # fw monitor -e 'accept;' -o /var/log/evpn_fw_mon.cap"; fi echo;echo " >>> Wait until the issue occurs <<<"; echo -e "\e[7m"; echo " Stop VPN debug with CTRL-C "; echo -e "\e[0m"; if [ \$FWDEBUG_SHOW == "on" ] ; then echo;echo; if [ \$FILTER_SHOW == "off" ] ; then tail -f \$FWDIR/log/vpnd.elg else tail -f \$FWDIR/log/vpnd.elg | grep "\[\$FILTER_SHOW" fi else sleep 10000000; fi vpn debug off vpn debug ikeoff vpn debug truncoff; else echo;echo "Please start 'evpn -h' for help.";echo; fi EOT chmod 770 /usr/bin/evpn;

Version

1.0         06-25-2020                      EA version
1.1         06-27-2020                      bugfix
1.2         06-28-2020                      GA version
1.3         06-30-2020                      include all ike.elg* and vpnd.elg* files

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

HeikoAnkenbrand · ‎2020-06-29

Hi @Nauuk_K,

The script executes the following vpn debug commands:

vpn debug trunc
vpn debug on
vpn debug ikeon
vpn debug on TDERROR_ALL_ALL=5;

>>> Wait for the vpn error <<<

vpn debug off
vpn debug ikeoff
vpn debug truncoff;

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

Nauuk_K · ‎2020-06-25

Hi @HeikoAnkenbrand,

What exactly does this script do?
So I don't have to type in all VPN debug commands anymore!

Am I getting this right?

HeikoAnkenbrand · ‎2020-06-29

Hi @Nauuk_K,

The script executes the following vpn debug commands:

vpn debug trunc
vpn debug on
vpn debug ikeon
vpn debug on TDERROR_ALL_ALL=5;

>>> Wait for the vpn error <<<

vpn debug off
vpn debug ikeoff
vpn debug truncoff;

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

_Daniel_ · ‎2023-12-13

Great tool, I wonder in case we can add ikev2.xmll to the compressed file

O_H · ‎2021-02-11

👍

Thomas_Eichelbu · ‎2021-04-02

Hello Heiko,

as always a wonderful tool.
but is there way to limot the debug to only ONE tunnel peer IP or community name ?

because this command offers an option "tunnel"

vpn debug ?
Usage: vpn debug < on [ DEBUG_TOPIC=level ] | off | ikeon [ -s size(Mb) ]| ike off | trunc [ DEBUG_TOPIC=level ] | truncon [ DEBUG_TOPIC=level ] | truncoff | ti meon [ SECONDS ] | timeoff | ikefail [ -s size(Mb) ]| mon | moff | say [ string ] | tunnel [ level ] >

what is | tunnel | supposed to mean?
can i filter the debug on one tunnel ?
in most time the logs are rapidly filling up and there is no chance to a for long term VPN debugging ...

would be wonderful to filter the debug output in one specfic file and focus only on one specific remote peer or tunnel name.

best regards

Timothy_Hall · ‎2021-04-02

Confining a vpnd debug to one tunnel or peer doesn't seem possible, the tunnel option you are referring to looks like it is just a shortcut to execute multiple debug commands (kind of like zdebug).

If you are having problems with the vpnd.elg files rolling off before you can look at them, make sure you are only debugging IKE by just using the ikeon argument which is typically all that you need in most VPN troubleshooting scenarios. Doing a vpn debug on enables IKE debugging but lots of other debug flags in vpnd as well that will seriously clutter up your debug files. Also you won't typically need to set TDERROR_ALL_ALL which will really overwhelm your output files.

If you do require that level of debugging, you can adjust how large the vpnd.elg files are allowed to get before rolling over and/or specify the number of files to keep before they are automatically removed here:

sk112515: How to increase maximum size and number of rotated $FWDIR/log/vpnd.elg log files on Secure...

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Filters

Sort By

Categories

Easy VPN Debug Tool

Disclaimer: Check Point does not provide maintenance services or technical or customer support for third party content provided on this Site, including in CheckMates Toolbox. See also our Third Party Software Disclaimer.