- CheckMates
- :
- Products
- :
- Quantum
- :
- Security Gateways
- :
- VPN Troubleshooting Commands
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPN Troubleshooting Commands
| Commands | Descriptions |
|---|---|
| vpn tu | VPN utility, allows you to rekey vpn |
| vpn ipafile_check ipassignment.conf detail | Verifies the ipassignment.conf file |
| dtps lic | show desktop policy license status |
| cpstat -f all polsrv | show status of the dtps |
| vpn shell | Start the VPN shell |
| vpn shell /tunnels/delete/IKE/peer/[peer ip] | delete IKE SA |
| vpn shell /tunnels/delete/IPsec/peer/[peer ip] | delete Phase 2 SA |
| vpn shell /show/tunnels/ike/peer/[peer ip] | show IKE SA |
| vpn shell /show/tunnels/ipsec/peer/[peer ip] | show Phase 2 SA |
| vpn shell show interface detailed [VTI name] | show VTI detail |
| vpn debug ikeon|ikeoff | Debug IKE into $FWDIR/log/ike.elg. Analyze ike.elg with the IKEView tool |
| vpn debug on|off | Debug VPN into $FWDIR/log/vpnd.elg. Analyze vpnd.elg with the IKEView tool |
| vpn debug trunc | Truncate and stamp logs, enable IKE & VPN debug |
| vpn drv stat | Show status of VPN-1 kernel module |
| vpn overlap_encdom | Show, if any, overlapping VPN domains |
| vpn macutil <user> | Show MAC for Secure Remote user <user> |
| vpn ver [-k] | Check VPN-1 major and minor version as well as build number and latest hotfix. Use -k for kernal version |
- Tags:
- vpn troubleshooting
6 Replies
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nice summary. Speaking about debug commands procedure is written in more SK articles. At least good one for start is the sk33327 - How to generate a valid VPN debug, IKE debug and FW Monitor
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
apparently not anymore
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You kick and ancient topic from 2018.
Here is the relevant SK made for this time period:
https://support.checkpoint.com/results/sk/sk180488
-------
If you like this post please give a thumbs up(kudo)! 🙂
If you like this post please give a thumbs up(kudo)! 🙂
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good commands and lastly IKE Info Viewer is the best tool to troubleshoot VPN.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So looking at the information on the "IKEView Tool" in sk30994, it seems it can only display information captured in a debug. Is there a way to see in realtime the remaining key lifetimes on Phase1 and Phase2 SAs, or other details such as Phase2 SA local and remote identities? This could easily be done on ASA, but I can't seem to find it on Check Point gateways.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same Question!
VPN Troubleshooting Commands
| Commands | Descriptions |
|---|---|
| vpn tu | VPN utility, allows you to rekey vpn |
| vpn ipafile_check ipassignment.conf detail | Verifies the ipassignment.conf file |
| dtps lic | show desktop policy license status |
| cpstat -f all polsrv | show status of the dtps |
| vpn shell | Start the VPN shell |
| vpn shell /tunnels/delete/IKE/peer/[peer ip] | delete IKE SA |
| vpn shell /tunnels/delete/IPsec/peer/[peer ip] | delete Phase 2 SA |
| vpn shell /show/tunnels/ike/peer/[peer ip] | show IKE SA |
| vpn shell /show/tunnels/ipsec/peer/[peer ip] | show Phase 2 SA |
| vpn shell show interface detailed [VTI name] | show VTI detail |
| vpn debug ikeon|ikeoff | Debug IKE into $FWDIR/log/ike.elg. Analyze ike.elg with the IKEView tool |
| vpn debug on|off | Debug VPN into $FWDIR/log/vpnd.elg. Analyze vpnd.elg with the IKEView tool |
| vpn debug trunc | Truncate and stamp logs, enable IKE & VPN debug |
| vpn drv stat | Show status of VPN-1 kernel module |
| vpn |
