This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RCordova
Participant
‎2021-07-19 11:32 AM

Site to Site VPN troubleshooting R80

Is there a way to monitor a tunnel to see if it bounces (disconnects)? We're having intermittent issues with a VPN and we want to make sure it's not bouncing or disconnecting on us. Would that be logged in Logs &Monitor or Smartview monitor? Or is there a log file we can check at the CLI level?

 

Thanks

0 Kudos
4 Replies
Bob_Zimmerman
Authority
Authority
‎2021-07-19 12:11 PM

VPNs aren't really a connection, so they don't have a meaningful "up" versus "down" distinction. They instead have valid keys or they don't. To illustrate why this may matter, if you negotiate a VPN from your laptop to the firewall, then you disconnect your laptop from the network, the key is still negotiated, even though the VPN cannot carry traffic due to the underlying network issue.

To see VPN keys which have been negotiated and which are currently valid, you can use the command 'vpn tu'. This is the tunnel utility. On VSX, you will have to specify the VSID, like 'vpn -v <VSID> tu', I believe.

Once the tunnel utility is running, it presents a menu of options. One of them is to list all currently valid IKE SAs. That will tell you which peers you have a valid key for, along with the associated key identifiers. I suspect this is the information you're after.

0 Kudos
(1)
RCordova
Participant
‎2021-07-19 12:43 PM
In response to Bob_Zimmerman

Thanks Bob. I did check VPN TU and the IKE SA's are there. I checked the fw logs and see a lot of 'IPSEC Deletes' so something may be messed up with the tunnel config.

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2021-07-20 06:24 AM
In response to RCordova

For actually troubleshooting VPNs, nothing beats IKEview (sk30994) on the Check Point side. Enable the debug on the command line (vpn debug ikeon), force some negotiations, then collect the ike.elg or ikev2.xmll files and open them with IKEview. They'll tell you exactly what each side is actually sending.

I tend to enable IKE debugging on all of my firewalls which terminate VPNs. It's an extremely low-volume debug, and having good negotiations recorded in it helps me figure out what's wrong with a bad negotiation.

the_rock
Legend
Legend
‎2021-07-19 07:00 PM

In the logs tab of smart dashboard, you can do log filter, something like this -> blade:VPN AND (src:x.x.x.x AND dst:x.x.x.x)...just replace with external IP of the gateway. That will definitely give you how often rekey occurs.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events