RCordova
Participant

Site to Site VPN troubleshooting R80

Is there a way to monitor a tunnel to see if it bounces (disconnects)? We're having intermittent issues with a VPN and we want to make sure it's not bouncing or disconnecting on us. Would that be logged in Logs & Monitor or SmartView Monitor? Or is there a log file we can check at the CLI level?

 

Thanks

0 Kudos
4 Replies
Bob_Zimmerman
Advisor

VPNs aren't really a connection, so they don't have a meaningful "up" versus "down" distinction. They instead have valid keys or they don't. To illustrate why this may matter, if you negotiate a VPN from your laptop to the firewall, then you disconnect your laptop from the network, the key is still negotiated, even though the VPN cannot carry traffic due to the underlying network issue.

To see VPN keys which have been negotiated and which are currently valid, you can use the command 'vpn tu'. This is the tunnel utility. On VSX, you will have to specify the VSID, like 'vpn -v <VSID> tu', I believe.

Once the tunnel utility is running, it presents a menu of options. One of them is to list all currently valid IKE SAs. That will tell you which peers you have a valid key for, along with the associated key identifiers. I suspect this is the information you're after.

0 Kudos
RCordova
Participant

Thanks Bob. I did check VPN TU and the IKE SAs are there. I checked the fw logs and see a lot of 'IPSEC Deletes', so something may be messed up with the tunnel config.

0 Kudos
Bob_Zimmerman
Advisor

For actually troubleshooting VPNs, nothing beats IKEview (sk30994) on the Check Point side. Enable the debug on the command line (vpn debug ikeon), force some negotiations, then collect the ike.elg or ikev2.xmll files and open them with IKEview. They'll tell you exactly what each side is actually sending.

I tend to enable IKE debugging on all of my firewalls which terminate VPNs. It's an extremely low-volume debug, and having good negotiations recorded in it helps me figure out what's wrong with a bad negotiation.

the_rock
Authority

In the logs tab of SmartDashboard, you can do a log filter, something like this -> blade:VPN AND (src:x.x.x.x AND dst:x.x.x.x)... just replace with the external IP of the gateway. That will definitely give you how often rekey occurs.
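The two suggestions above (look for 'IPSEC Deletes' in the firewall logs, and filter blade:VPN by the gateway's external IP to see how often rekeys happen) can be turned into a quick offline check once the log view has been exported. The script below is an added example written for this thread, not code from Check Point or from any of the posters. It parses a small set of constructed log lines in a simplified key=value layout (not Check Point's real log format, so the parser is a stand-in for whatever export you pull from Logs & Monitor), groups IPsec SA delete events per peer, computes the gap between consecutive deletes, and flags peers whose SAs are torn down only minutes apart, which is far shorter than any normal SA lifetime and worth a closer look with IKEview.

```python
"""Count IPsec SA delete events per VPN peer and report how often they recur.

The log lines below are CONSTRUCTED for this example in a simplified
key=value layout; they are not Check Point's real log format, so the
parser is a stand-in for whatever export you pull from Logs & Monitor.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: one event per line, fields separated by ';'.
# 203.0.113.10 plays the local gateway; the other addresses are peers.
SAMPLE_LOG = """\
time=2024-05-01 10:00:00; blade=VPN; src=203.0.113.10; dst=198.51.100.20; action=IKE_SA_established
time=2024-05-01 10:00:01; blade=VPN; src=203.0.113.10; dst=198.51.100.20; action=IPsec_SA_established
time=2024-05-01 10:04:30; blade=VPN; src=203.0.113.10; dst=198.51.100.20; action=IPsec_SA_delete
time=2024-05-01 10:04:31; blade=VPN; src=203.0.113.10; dst=198.51.100.20; action=IPsec_SA_established
time=2024-05-01 10:09:02; blade=VPN; src=203.0.113.10; dst=198.51.100.20; action=IPsec_SA_delete
time=2024-05-01 10:09:03; blade=VPN; src=203.0.113.10; dst=198.51.100.20; action=IPsec_SA_established
time=2024-05-01 10:00:05; blade=VPN; src=203.0.113.10; dst=192.0.2.40; action=IPsec_SA_established
time=2024-05-01 11:00:05; blade=VPN; src=203.0.113.10; dst=192.0.2.40; action=IPsec_SA_delete
time=2024-05-01 11:00:06; blade=VPN; src=203.0.113.10; dst=192.0.2.40; action=IPsec_SA_established
time=2024-05-01 10:30:00; blade=Firewall; src=203.0.113.10; dst=192.0.2.40; action=Accept
"""


def parse_line(line):
    """Turn 'k=v; k=v; ...' into a dict; returns None for malformed lines."""
    fields = {}
    for part in line.split(";"):
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if "time" not in fields or "action" not in fields:
        return None
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def delete_events_by_peer(log_text, local_ip):
    """Return {peer_ip: [datetime, ...]} of IPsec SA delete events, sorted by time.

    Mirrors the 'blade:VPN AND (src OR dst is the gateway)' filter from the
    thread: only VPN-blade events where local_ip is src or dst are kept.
    """
    events = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec.get("blade") != "VPN" or rec["action"] != "IPsec_SA_delete":
            continue
        if rec.get("src") == local_ip:
            peer = rec.get("dst")
        elif rec.get("dst") == local_ip:
            peer = rec.get("src")
        else:
            continue
        events[peer].append(rec["time"])
    for peer in events:
        events[peer].sort()
    return dict(events)


def rekey_intervals(log_text, local_ip):
    """Return {peer_ip: [seconds between consecutive delete events]}."""
    intervals = {}
    for peer, times in delete_events_by_peer(log_text, local_ip).items():
        intervals[peer] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return intervals


def flapping_peers(log_text, local_ip, min_seconds=600):
    """Peers whose SAs are deleted more often than min_seconds apart.

    min_seconds is an assumed threshold for this example; pick it from the
    Phase 2 lifetime actually configured on the gateway.
    """
    return sorted(
        peer
        for peer, gaps in rekey_intervals(log_text, local_ip).items()
        if any(g < min_seconds for g in gaps)
    )


if __name__ == "__main__":
    gw = "203.0.113.10"
    for peer, gaps in rekey_intervals(SAMPLE_LOG, gw).items():
        print(f"{peer}: {len(gaps) + 1} deletes, gaps (s): {gaps}")
    print("peers to investigate:", flapping_peers(SAMPLE_LOG, gw))
```

On the constructed sample, the peer at 198.51.100.20 loses its IPsec SA twice within about five minutes and is reported; the peer at 192.0.2.40 sees a single delete after an hour, which looks like an ordinary lifetime expiry. Swapping `parse_line` for a parser of your real export is the only change needed to run this over production data.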