Hi,
I want to connect a headquarters with a branch office using a site-to-site VPN.
Headquarters:
Branch Office:
For the Check Point firewall, I followed:
For the Fritzbox setup, I used:
The VPN tunnel sometimes establishes successfully but only after 15–25 minutes. However, traffic is not being routed through the VPN tunnel.
I am unsure why the connection is unstable and why traffic is not passing through.
Thanks in advance for your support!
Best regards,
Rafael
Hey Rafael,
We definitely need more info. Where does it fail? Phase 1 or 2? Any logs/debug messages? Route- or domain-based tunnel? Permanent or not?
To do debug on the CP side, just run the below:
vpn debug trunc
vpn debug ikeon
- try initiating traffic when it's failing
vpn debug ikeoff
Get iked and vpnd* from the $FWDIR/log dir
HTH
Andy
Hi,
How can I export the files from the shell?
Thanks
Rafael
Most people just enable the bin bash shell to do so. You can run chsh -s /bin/bash admin, or whatever the admin name is. If you wish to return to the regular shell, just run the same command but, instead of /bin/bash, type /etc/cli.sh
Then you can use WinSCP to navigate through the directories. Just type cd $FWDIR/log and then pwd to see it in "readable" format.
You can also change all this through the web UI page under Users.
Andy
Hi Rock,
here are the files.
Thanks
Rafael
I will review. What is the peer IP? If you can't say it here, just message me directly.
Andy
Here is all I keep seeing, but does not tell me much sadly. Where does it fail on CP? Phase 1 or 2?
Andy
RLL_Sync_ReSchedule: Failed to retieve interval value from parameter
Hi Andy,
Do you have more information for me on how I can extract the information?
Thanks
Rafael
Sadly, not much more apart from what I sent.
Andy
Btw, it's a long weekend here in Canada where I live, so Monday we have off, but I'm happy to do a remote if you are okay with it. Not sure where you are, but I'm in EST, which is GMT-5.
Let me know. I think once I can see the config, it would be much easier to try to figure this out.
Andy
Hi Andy,
I would be happy to suggest something, but I'm happy to follow your lead. I am from Germany, GMT+1.
Thanks
Rafael
If you are free at, say, 6 pm your time, I can send a link for the remote then; let me know.
Andy
Hi Andy,
Sorry, I just saw your message now. I’m available at 8 PM. Does that work for you? Which platform would you prefer for our discussion? Teams, TeamViewer, or something else?
Thanks
Rafael
Usually, for these things, I use my personal Zoom if you don't mind. Our corporate is Teams, but my Zoom, since it's just via my Gmail, is good for 40 mins free and then you need to wait 10 mins to have another 40 mins remote and so on, but I'm sure 40 mins is more than enough 🙂
If 8 pm is good for you, that's 11 more mins; let me have a quick lunch and I will send you the link directly.
Best,
Andy
Yeah 8 pm is perfect. rafael@lema-it.de.
Just sent it.
Hi Andy,
I get the message: Meeting ID is wrong.
Thanks
Rafael
Just sent you correct one, sorry.
First link did not work, try this:
https://us04web.zoom.us/j/76342977538?pwd=0g1cbeFsTPpCod2MSb2izxHIcK4BQz.1
If you are around, let me know, Im free for remote.
Andy
Be aware that R81 is EOL as at October 2024 so upgrading to e.g. R81.20 is recommended to engage support etc.
Good point Chris.
Hi Chris,
R81.20 Jumbo Hotfix Take 92 is installed.
Thanks
Rafael
Hi everyone,
Just had a remote with Rafael. Based on the debug, I'm 100% positive it has to be something with the enc. settings that's mismatched. @LM-Rafael, I just opened the link I found for Fritzbox; can you ensure phase 1 on the CP side is showing DH group 2, since I don't believe it works with DH group 14.
For phase 2, you can also use group 2, but then PFS needs to be on.
Andy
RS details:
- remote with Rafael
- tunnel is down at the moment
- verified config file from the Fritzbox device, seems correct
- phase 1 and phase 2 settings from Fritzbox config file
- sharing is per subnet only
- enc settings aes256 sha 512 and DH group 14
- verified the rule as well, both subnets in src/dst and correct community under vpn column -> accept
- installed the policy
- checked tunnel status
- on Fritzbox, we just see status of the tunnel as unknown
- checked CP side via vpn tunnel
- ran debug on cp side -> fw ctl zdebug + drop | grep peer_IP
- debug -> clear text packet should be encrypted
- dpd is disabled on peer side, so we also disabled on cp side, along with nat within vpn community
- disabled pfs, since it's not supported on Fritzbox end
- tested again -> same issue
- Rafael will confirm phase 1 and 2 settings on Fritzbox side
Hi Andy,
Thanks for your support. I have researched the issue, and now the tunnel is up again, but no traffic is routing through it.
Issues I have found and fixed:
However, I don't understand why the tunnel is up, but no traffic is going through it.
Here is the output of the command: vpn tu
[Expert@LMENFW01:0]# vpn tu
********** Select Option **********
(1) List all IKE SAs
(2) * List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) * List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
* To list data for a specific CoreXL instance, append "-i <instance number>" to your selection.
(Q) Quit
*******************************************
1
Peer 212.117.93.31 , Office_VPN_GW SAs:
IKE SA <66551d2d7a4f33fd,b76ce610f7d24c5f>
IKE SA <919933155d887ea6,f74a584a613eace3>
Hit <Enter> key to continue ...
********** Select Option **********
(1) List all IKE SAs
(2) * List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) * List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
* To list data for a specific CoreXL instance, append "-i <instance number>" to your selection.
(Q) Quit
*******************************************
2
SAs of all instances:
Peer 212.117.93.31 , Office_VPN_GW SAs:
IKE SA <66551d2d7a4f33fd,b76ce610f7d24c5f>
INBOUND:
1. 0xc2c3f2ef (i: 2)
OUTBOUND:
1. 0x952272db (i: 2)
IKE SA <919933155d887ea6,f74a584a613eace3>
INBOUND:
1. 0xbe531669 (i: 2)
OUTBOUND:
Any ideas?
Thanks
Rafael
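Added example (not from the thread and not a Check Point tool): a small Python parser for the vpn tu option 2 listing posted above. It reports, per peer, IKE SAs that lack an IPsec SA in one direction and peers holding more than one IKE SA, both worth checking when the tunnel shows as negotiated but traffic does not pass. The sample text is copied from the post's listing and ends where that output ends.

```python
import re

# Constructed sample, copied from the 'vpn tu' option 2 listing in this thread;
# it ends after the second "OUTBOUND:" header exactly as the post does.
SAMPLE = """SAs of all instances:
Peer 212.117.93.31 , Office_VPN_GW SAs:
IKE SA <66551d2d7a4f33fd,b76ce610f7d24c5f>
INBOUND:
1. 0xc2c3f2ef (i: 2)
OUTBOUND:
1. 0x952272db (i: 2)
IKE SA <919933155d887ea6,f74a584a613eace3>
INBOUND:
1. 0xbe531669 (i: 2)
OUTBOUND:
"""

PEER_RE = re.compile(r"^Peer\s+(\S+)\s*,\s*(\S+)\s+SAs:")
IKE_RE = re.compile(r"^IKE SA <([0-9a-f]+),([0-9a-f]+)>")
SPI_RE = re.compile(r"^\d+\.\s+(0x[0-9a-f]+)")

def parse_vpn_tu(text):
    """Map peer IP -> {"name": gateway object, "ike": [IKE SA dicts with INBOUND/OUTBOUND SPI lists]}."""
    peers, peer, ike, direction = {}, None, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := PEER_RE.match(line):
            peer = peers.setdefault(m.group(1), {"name": m.group(2), "ike": []})
            ike = direction = None
        elif (m := IKE_RE.match(line)) and peer is not None:
            ike = {"spi_i": m.group(1), "spi_r": m.group(2), "INBOUND": [], "OUTBOUND": []}
            peer["ike"].append(ike)
            direction = None
        elif line in ("INBOUND:", "OUTBOUND:"):
            direction = line[:-1]          # SPI lines that follow belong to this direction
        elif (m := SPI_RE.match(line)) and ike is not None and direction:
            ike[direction].append(m.group(1))
    return peers

def find_problems(peers):
    """Return findings: one-directional IPsec SAs and more than one IKE SA per peer."""
    problems = []
    for ip, info in peers.items():
        if len(info["ike"]) > 1:
            problems.append(f"{ip}: {len(info['ike'])} IKE SAs to one peer (stale or renegotiated phase 1)")
        for ike in info["ike"]:
            for d in ("INBOUND", "OUTBOUND"):
                if not ike[d]:
                    problems.append(f"{ip}: IKE SA {ike['spi_i']} has no {d} IPsec SA")
    return problems
```

Run find_problems(parse_vpn_tu(SAMPLE)) to get the findings for the pasted listing; feed it the saved output of vpn tu option 2 for a live gateway.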
Just try to initiate traffic and run that zdebug command grepping for the relevant IP, same as what we did on the Zoom remote. So say you are trying to access 192.168.2.5 from the CP side: initiate a ping or whatever protocol/port and then, in the ssh window, run fw ctl zdebug + drop | grep 192.168.2.5 or whatever the right IP is.
Also, check if there are any relevant logs in SmartConsole to see why it's failing.
GREAT job getting tunnel up.
Andy
Hi Andy,
I tried with a ping and I get no output, only the message "Destination Network not reachable":
C:\Users\rafael>ping 172.16.22.1
Ping wird ausgeführt für 172.16.22.1 mit 32 Bytes Daten:
Antwort von 87.234.14.57: Zielnetz nicht erreichbar.
Antwort von 87.234.14.57: Zielnetz nicht erreichbar.
Antwort von 87.234.14.57: Zielnetz nicht erreichbar.
Antwort von 87.234.14.57: Zielnetz nicht erreichbar.
Ping-Statistik für 172.16.22.1:
Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
(0% Verlust),
C:\Users\rafael>
This IP is also unknown to me: 87.234.14.57
And
[Expert@LMENFW01:0]# fw ctl zdebug + drop | grep 172.16.22.1
gives 0 Output
Thanks
Rafael
Can you try something similar on the Fritzbox side?
Andy
Hi Andy,
After fixing the WAN 1 and WAN 2 roles (Primary and Backup) and deleting my policy-based routing rule, everything is running fine.
Thanks for your Support
Rafael
Amazing job @LM-Rafael !
Andy