VPN Troubleshooting Commands

Ramawatar_Maury · ‎2018-07-12

Commands	Descriptions
*vpn tu*	*VPN utility, allows you to rekey vpn*
*vpn ipafile_check ipassignment.conf detail‏*	*Verifies the ipassignment.conf file*
*dtps lic*	*show desktop policy license status*
*cpstat -f all polsrv*	*show status of the dtps*
*vpn shell*	*Start the VPN shell*
*vpn shell /tunnels/delete/IKE/peer/[peer ip]*	*delete IKE SA*
*vpn shell /tunnels/delete/IPsec/peer/[peer ip]*	*delete Phase 2 SA*
*vpn shell /show/tunnels/ike/peer/[peer ip]*	*show IKE SA*
*vpn shell /show/tunnels/ipsec/peer/[peer ip]*	*show Phase 2 SA*
*vpn shell show interface detailed [VTI name]*	*show VTI detail*
*vpn debug ikeon\|ikeoff*	*Debug IKE into $FWDIR/log/ike.elg. Analyze ike.elg with the IKEView tool*
*vpn debug on\|off*	*Debug VPN into $FWDIR/log/vpnd.elg. Analyze vpnd.elg with the IKEView tool*
*vpn debug trunc*	*Truncate and stamp logs, enable IKE & VPN debug*
*vpn drv stat*	*Show status of VPN-1 kernel module*
*vpn overlap_encdom*	*Show, if any, overlapping VPN domains*
*vpn macutil <user>*	*Show MAC for Secure Remote user <user>*
*vpn ver [-k]*	*Check VPN-1 major and minor version as well as build number and latest hotfix. Use -k for kernal version*

Petr_Hantak · ‎2018-07-12

Nice summary. Speaking about debug commands procedure is written in more SK articles. At least good one for start is the sk33327 - How to generate a valid VPN debug, IKE debug and FW Monitor

gerb · ‎2024-10-25

apparently not anymore

Lesley · ‎2024-10-28

You kick and ancient topic from 2018.

Here is the relevant SK made for this time period:

https://support.checkpoint.com/results/sk/sk180488

-------
Please press "Accept as Solution" if my post solved it 🙂

Matlu · ‎2025-05-30

Hello,
Is there any command that captures the traffic on both P1 and P2?
Is it possible to check it through the CLI, or do you necessarily have to capture the data and check it in IKEView Tool?

PhoneBoy · ‎2025-06-02

It's possible one of the various VPN kernel debugs might show you this information.
Capturing the relevant traffic and viewing it into IKEView is probably quicker/easier.

Matlu · ‎2025-09-18

Hello, @PhoneBoy
When you have VPN tunnel errors with “intermittent” drops that occurred a couple of days ago, is it possible to detect the root cause of these problems in the ‘messages’ or “dmesg” files of our FW?
Or is this information stored somewhere else?
Cheers.

PhoneBoy · ‎2025-09-19

Issues with the VPN would not likely manifest itself in Gaia OS logs.
Possibly cpview has something and it might also show in the regular access policy logs (depending on the nature of the failure).

Gaurav_Pandya · ‎2018-07-13

Good commands and lastly IKE Info Viewer is the best tool to troubleshoot VPN.

Jesse · ‎2019-03-13

So looking at the information on the "IKEView Tool" in sk30994, it seems it can only display information captured in a debug. Is there a way to see in realtime the remaining key lifetimes on Phase1 and Phase2 SAs, or other details such as Phase2 SA local and remote identities? This could easily be done on ASA, but I can't seem to find it on Check Point gateways.

Robert_Dietrich · ‎2019-06-18

Same Question!

Are you a member of CheckMates?

VPN Troubleshooting Commands

VPN Troubleshooting Commands