We have a VSX R81.20 system with multiple VSes.
Some virtual systems were created many years ago on earlier versions and some on R81.10 and R81.20.
All virtual systems are running on the same VSX-nodes, R81.20.
We have an issue with establishing a VPN-tunnel from one of the newer virtual systems (VSID 16) to a third party and tried running a regular IKE-debug but no files were being created. On another virtual system (VSID 3) (created a long time ago) ike.elg-files are being created when running ike debug.
Checking "vpn iked status", I can see that for these 3 different systems, created on different versions, iked is only running on the "oldest":
VSID3 (initially created on older R7x version - have several S2S tunnels working)
[Expert@fw-vsxnode-1:3]# vpn iked status
vpn: 'iked' is enabled.
vpn: 'iked' is configured for 2 instances.
vpn: The 'iked0' process is currently running.
vpn: The 'iked1' process is currently running.
[Expert@fw-vsxnode-1:3]#
VSID13 (initially created on R81.10 - have several S2S tunnels working)
[Expert@fw-vsxnode-1:13]# vpn iked status
vpn: 'iked' is disabled.
[Expert@fw-vsxnode-1:13]#
VSID16 (initially created on R81.20 version - have one VPN tunnel that doesn't work)
[Expert@fw-vsxnode-1:16]# vpn iked status
vpn: 'iked' is disabled.
[Expert@fw-vsxnode-1:16]# vsenv 3
According to the R81.20 CLI reference guide, there was a change in R81.10 in which daemon handles S2S traffic:
https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_CLI_ReferenceGuide/Content/T...
However, according to https://support.checkpoint.com/results/sk/sk180488 , in R81.20 and higher, S2S is handled by iked?
(which it can't be, since we have working VPN tunnels on VSID13, but iked is disabled)
According to sk180488 it now looks like we have to run a full vpnd debug to be able to investigate IKE/tunnel establishment and get a maintenance window to perform this debug?
Does this mean that iked is not disabled on all virtual systems on R81.20, only systems initially created on R81.10/R81.20 and higher, and that we now need a maintenance window to look at S2S tunnel establishment?
CCSM / CCSE / CCVS / CCTE
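Added example, not part of the original post: a small Python parser that turns a saved Expert-mode transcript of "vpn iked status" runs, in the format shown above, into a per-VSID inventory. The sample transcript is constructed from the post's output; the function names and the rule "fewer running lines than configured instances means a process is missing" are assumptions of this example.

```python
import re

# Constructed sample in the format shown in the post; the VSID follows the colon in the prompt.
SAMPLE = """\
[Expert@fw-vsxnode-1:3]# vpn iked status
vpn: 'iked' is enabled.
vpn: 'iked' is configured for 2 instances.
vpn: The 'iked0' process is currently running.
vpn: The 'iked1' process is currently running.
[Expert@fw-vsxnode-1:13]# vpn iked status
vpn: 'iked' is disabled.
[Expert@fw-vsxnode-1:16]# vpn iked status
vpn: 'iked' is disabled.
[Expert@fw-vsxnode-1:16]# vsenv 3
"""

PROMPT = re.compile(r"^\[Expert@[^:\]]+:(\d+)\]#\s*(.*)$")
STATE = re.compile(r"^vpn: 'iked' is (enabled|disabled)\.$")
COUNT = re.compile(r"^vpn: 'iked' is configured for (\d+) instances?\.$")
RUNNING = re.compile(r"^vpn: The '(iked\d+)' process is currently running\.$")

def parse_iked_status(transcript):
    """Map VSID -> {"enabled": bool or None, "configured": int, "running": [names]}."""
    result, current = {}, None
    for line in map(str.strip, transcript.splitlines()):
        prompt = PROMPT.match(line)
        if prompt:
            current = None  # any other command ends the previous status output
            if prompt.group(2) == "vpn iked status":
                current = result.setdefault(int(prompt.group(1)),
                    {"enabled": None, "configured": 0, "running": []})
        elif current is not None:
            if m := STATE.match(line):
                current["enabled"] = m.group(1) == "enabled"
            elif m := COUNT.match(line):
                current["configured"] = int(m.group(1))
            elif m := RUNNING.match(line):
                current["running"].append(m.group(1))
    return result

def missing_instances(status):
    """VSIDs where iked is enabled but fewer processes run than configured (assumed rule)."""
    return sorted(v for v, s in status.items()
                  if s["enabled"] and len(s["running"]) < s["configured"])

if __name__ == "__main__":
    for vsid, s in sorted(parse_iked_status(SAMPLE).items()):
        print(f"VSID {vsid}: enabled={s['enabled']} running={len(s['running'])}/{s['configured']}")
```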