Site to Site VPN troubleshooting R80
Is there a way to monitor a tunnel to see if it bounces (disconnects)? We're having intermittent issues with a VPN and we want to make sure it's not bouncing or disconnecting on us. Would that be logged in Logs & Monitor or SmartView Monitor? Or is there a log file we can check at the CLI level?
Thanks
VPNs aren't really a connection, so they don't have a meaningful "up" versus "down" distinction. They instead have valid keys or they don't. To illustrate why this may matter, if you negotiate a VPN from your laptop to the firewall, then you disconnect your laptop from the network, the key is still negotiated, even though the VPN cannot carry traffic due to the underlying network issue.
To see VPN keys which have been negotiated and which are currently valid, you can use the command 'vpn tu'. This is the tunnel utility. On VSX, you will have to specify the VSID, like 'vpn -v <VSID> tu', I believe.
Once the tunnel utility is running, it presents a menu of options. One of them is to list all currently valid IKE SAs. That will tell you which peers you have a valid key for, along with the associated key identifiers. I suspect this is the information you're after.
Thanks Bob. I did check vpn tu and the IKE SAs are there. I checked the fw logs and see a lot of 'IPSEC Deletes', so something may be messed up with the tunnel config.
For actually troubleshooting VPNs, nothing beats IKEview (sk30994) on the Check Point side. Enable the debug on the command line (vpn debug ikeon), force some negotiations, then collect the ike.elg or ikev2.xmll files and open them with IKEview. They'll tell you exactly what each side is actually sending.
I tend to enable IKE debugging on all of my firewalls which terminate VPNs. It's an extremely low-volume debug, and having good negotiations recorded in it helps me figure out what's wrong with a bad negotiation.
In the Logs tab of SmartDashboard, you can do a log filter, something like this -> blade:VPN AND (src:x.x.x.x AND dst:x.x.x.x)... just replace x.x.x.x with the external IP of the gateway. That will definitely show you how often the rekey occurs.
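As an added example (not code from this thread or from Check Point), here is a small Python script that applies the same idea as the log filter above offline: it groups VPN-blade log lines by peer pair, counts IPsec Deletes, and measures the time between consecutive key installs so that a tunnel that re-keys every few seconds stands out as bouncing. The sample lines, their field layout, the action names and the 300-second threshold are constructed assumptions, not Check Point's native log export format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of exported VPN log lines. The layout (key=value fields,
# "Key Install" / "IPSec Delete" actions) is a simplified hypothetical export.
SAMPLE_LOG = """\
2024-03-01 10:00:05 blade=VPN src=203.0.113.10 dst=198.51.100.20 action=Key Install
2024-03-01 10:00:42 blade=VPN src=203.0.113.10 dst=198.51.100.20 action=IPSec Delete
2024-03-01 10:00:45 blade=VPN src=203.0.113.10 dst=198.51.100.20 action=Key Install
2024-03-01 10:01:30 blade=VPN src=203.0.113.10 dst=198.51.100.20 action=IPSec Delete
2024-03-01 10:01:33 blade=VPN src=203.0.113.10 dst=198.51.100.20 action=Key Install
2024-03-01 10:00:00 blade=VPN src=203.0.113.10 dst=192.0.2.77 action=Key Install
2024-03-01 11:00:00 blade=VPN src=203.0.113.10 dst=192.0.2.77 action=Key Install
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) blade=VPN src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>.+)$"
)

def parse_vpn_log(text):
    """Return {(src, dst): [(timestamp, action), ...]} sorted by time, VPN-blade lines only."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a VPN-blade line in the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events[(m["src"], m["dst"])].append((ts, m["action"].strip()))
    for key in events:
        events[key].sort()
    return events

def rekey_intervals(events, peer):
    """Seconds between consecutive 'Key Install' events for one (src, dst) peer pair."""
    installs = [ts for ts, action in events.get(peer, []) if action == "Key Install"]
    return [int((b - a).total_seconds()) for a, b in zip(installs, installs[1:])]

def flapping_peers(events, min_interval_s=300):
    """Peers that re-established keys faster than min_interval_s, i.e. a likely bouncing tunnel."""
    result = {}
    for peer, evs in events.items():
        deletes = sum(1 for _, action in evs if action == "IPSec Delete")
        short = [i for i in rekey_intervals(events, peer) if i < min_interval_s]
        if short:
            result[peer] = {"deletes": deletes, "short_intervals": short}
    return result
```

Running `flapping_peers(parse_vpn_log(SAMPLE_LOG))` flags only the 198.51.100.20 peer (two IPsec Deletes, re-keys 40 s and 48 s apart); the 192.0.2.77 peer re-keys once an hour and is reported as healthy.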
