Hey gang - Happy Monday!
I need to troubleshoot a S2S VPN on an R81.20 gateway and I'd like to use the "ikeview" tool.
The problem is my gateway is only spitting out iked debug files.
Can you point me to an SK to get my R81.20 gateway to generate ike debug files?
Or...
Can someone point me to a good SK that explains how to read/interpret the new vpnd logs? From what I've read, the vpnd daemon is responsible for S2S tunnels with peer gateways that have static IPs. (applies to my situation)
We have a S2S tunnel that is occasionally going down between us and our remote office. I'd like to be able to look at a log file(s) and perhaps see if there is an issue with ike phase1, phase 2 - etc...
Hence my inquiry regarding the ikeview tool. I've heard it makes troubleshooting S2S VPN issues a bit easier.
Thanks guys.
-Joe
Hey mate,
Personally, below is what I always do. To get basic debugs, run this:
vpn debug trunc (rotates debug files)
vpn debug ikeon
-generate some traffic (leave for 1 or 2 mins)
vpn debug ikeoff
Check $FWDIR/log for ike/vpnd.elg files
I never bother with ikeview, if stuff is failing, just check in vpn tu command if there's even any ike or ipsec SAs. I know ike.elg would show you in ikeview what packet it's failing on, so say if it's packet 4 phase1, that's usually PSK, but that's easy to tell anyway...just input bogus key on both ends, something easy, say password123 and if it works, bam, there's your answer.
Other than that, I would review vpnd.elg file and filter for external IP address
You can also do this
grep -i x.x.x.x $FWDIR/log/vpnd* (just replace xs with right external IP)
What's the other end of the tunnel?
Best,
Andy
get ikeviewer as well; you can then review the ike.elg file in that.
Thanks Andy - the other end is a Check Point.
Man, you think that would be easy peasy...guess not lol
Anywho, message me offline, we can do remote if you are allowed to, I'm sure we can figure it out.
Best,
Andy
That's weird. No mention of remote peer in vpnd logs - only iked logs are showing my remote peer IP...
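An added example, not written by anyone in this thread: a small script that counts, per debug file, how many lines mention the peer, so it is obvious which daemon's log (vpnd or iked) holds the negotiation. The function name `peer_hits` is hypothetical, the sample files and log lines are constructed, and on the gateway the directory argument would be $FWDIR/log as mentioned above.

```shell
#!/bin/sh
# Added example: per-file count of lines that mention a VPN peer IP.
# Usage on the gateway (path taken from the thread): ./peer_hits.sh "$FWDIR/log" <peer-ip>

# peer_hits DIR IP -> prints "<count> <file>" for every *.elg* file in DIR,
# including files with 0 hits, so a daemon log that never mentions the peer stands out.
peer_hits() {
    dir=$1
    ip=$2
    for f in "$dir"/*.elg*; do
        [ -f "$f" ] || continue
        # -F: treat dots literally (a plain grep pattern lets "." match any character)
        # -w: whole-token match, so 203.0.113.7 does not also count 203.0.113.70
        n=$(grep -cFw -- "$ip" "$f" || true)
        printf '%s %s\n' "${n:-0}" "${f##*/}"
    done
    return 0
}

if [ "$#" -eq 2 ]; then
    peer_hits "$1" "$2"
else
    # No arguments: run against constructed sample files (not real gateway output).
    demo=$(mktemp -d)
    printf 'constructed: tunnel test to 203.0.113.70\n' > "$demo/vpnd.elg"
    printf 'constructed: packet from 203.0.113.7:500\nconstructed: reply to 203.0.113.7\n' > "$demo/iked.elg"
    peer_hits "$demo" 203.0.113.7
    rm -rf "$demo"
fi
```

A zero next to one daemon's file and a non-zero count next to the other shows where to keep reading after the next tunnel drop.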
Do vpn tu on CP side (expert mode) and see if even phase 1 comes up. There's an option for specific gateway there.
Andy
Thanks Andy. The #vpn tu command works once the tunnel has been brought back up again by my colleague in the remote office. I can see my remote peer and the SAs.
The issue we are having is that the tunnel is going down sporadically and I'm trying to figure out why it's going down....
Trying to figure out the cause when the tunnel goes down.
Thanks again Andy.
And I just went back into my gateway. My S2S logs are showing up in iked. 🤔
I think I remember this, you asked about it couple of weeks back when I told you to make sure setting keep ike sas was on in global properties, as well as connection persistence in gateway properties to keep all connections. Did you try that and if so, did it help?
Andy
Forgot to mention, just to be safe, I would turn off all debugs at the end
fw ctl debug -x
fw ctl debug 0
Andy
Thank you Andy - will do.
For you, ONLY still Iphone charge ; - )
Andy
Nice one! 😁