Ramawatar_Maury
Participant

VPN Troubleshooting Commands

| Commands | Descriptions |
| --- | --- |
| `vpn tu` | VPN utility, allows you to rekey vpn |
| `vpn ipafile_check ipassignment.conf detail` | Verifies the ipassignment.conf file |
| `dtps lic` | show desktop policy license status |
| `cpstat -f all polsrv` | show status of the dtps |
| `vpn shell` | Start the VPN shell |
| `vpn shell /tunnels/delete/IKE/peer/[peer ip]` | delete IKE SA |
| `vpn shell /tunnels/delete/IPsec/peer/[peer ip]` | delete Phase 2 SA |
| `vpn shell /show/tunnels/ike/peer/[peer ip]` | show IKE SA |
| `vpn shell /show/tunnels/ipsec/peer/[peer ip]` | show Phase 2 SA |
| `vpn shell show interface detailed [VTI name]` | show VTI detail |
| `vpn debug ikeon\|ikeoff` | Debug IKE into $FWDIR/log/ike.elg. Analyze ike.elg with the IKEView tool |
| `vpn debug on\|off` | Debug VPN into $FWDIR/log/vpnd.elg. Analyze vpnd.elg with the IKEView tool |
| `vpn debug trunc` | Truncate and stamp logs, enable IKE & VPN debug |
| `vpn drv stat` | Show status of VPN-1 kernel module |
| `vpn overlap_encdom` | Show, if any, overlapping VPN domains |
| `vpn macutil <user>` | Show MAC for Secure Remote user `<user>` |
| `vpn ver [-k]` | Check VPN-1 major and minor version as well as build number and latest hotfix. Use -k for kernel version |

6 Replies
Petr_Hantak
Advisor

Nice summary. Speaking about debug commands, the procedure is written up in several SK articles. At least a good one to start with is sk33327 - How to generate a valid VPN debug, IKE debug and FW Monitor

gerb
Explorer

apparently not anymore

Lesley
Leader

You kicked an ancient topic from 2018.

Here is the relevant SK made for this time period:

https://support.checkpoint.com/results/sk/sk180488

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Gaurav_Pandya
Advisor

Good commands and lastly IKE Info Viewer is the best tool to troubleshoot VPN.

Jesse
Contributor

So looking at the information on the "IKEView Tool" in sk30994, it seems it can only display information captured in a debug. Is there a way to see in realtime the remaining key lifetimes on Phase1 and Phase2 SAs, or other details such as Phase2 SA local and remote identities? This could easily be done on ASA, but I can't seem to find it on Check Point gateways.

Robert_Dietrich
Explorer

Same Question!
