This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
MVP Silver
MVP Silver
‎2024-12-01 07:06 AM

VPN logs

Hi

When logs from a specific VPN community look like this:

kort.JPG

All logs are "key install" what i know is that key installation happens as configured on the advanced settings of the community:

Phase 1: 240 mins

Phase2: 3600 seconds

So why it is happening all the time?

What does that mean, a customer is complaining that they are loosing connection !

How to troubleshoot this problem?

0 Kudos
20 Replies
AmirArama
Employee
Employee
‎2024-12-01 08:32 AM

Start with reading the data inside those logs, see if they are good events, or errors / failures.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-12-01 09:24 AM

Hey bro,

Can we please see the whole log? Just blur out any sensitive data.

Andy

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-12-01 11:53 PM

 

All logs are same:

kort.JPG

the_rock
MVP Gold
MVP Gold
‎2024-12-02 04:30 AM
In response to Moudar

Thank you! So quick mode would be phase 2 issue...can they verify all the settings do indeed match?

Andy

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-12-02 05:16 AM
In response to the_rock

So in normal cases, how often should we see "key install" log other than the 240 and 3600 defaults?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-12-02 05:18 AM
In response to Moudar

I know defaults are 1 day for phase 1 and 1 hour for phase 2.

Andy

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-12-02 05:28 AM
In response to the_rock

Under normal circumstances, how often should we see "key install" logs apart from the 240 and 3600 defaults? I mean, how frequently do these logs typically appear?

The tunnel is up so phase 2 is OK i think!

kort.JPG

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-12-02 06:01 AM
In response to Moudar

Is there an outage during or before/ after the key install time stamp? From my point of view it looks like you are receiving key install. This could be an indication that the issue should be check on the other side of the tunnel. To proof this theory a vpn debug in ikeview would help 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-12-02 06:09 AM
In response to Lesley

Yes, customer is experience an outage.

I am trying to download the Ikeview but website is down!?

kort.JPG

any other link to get Ikeview?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-12-02 06:09 AM
In response to Moudar

I just tried, worked for me.

Andy

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-12-02 06:16 AM
In response to the_rock

it works now!

On my gateway i have iked0.elg, iked1.elg and iked2.elg

there is no ike.elg and ikev2.xmll  !

kort.JPG

which one should be used in ikeview?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-12-02 06:20 AM
In response to Moudar

Either of those should work.

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-12-02 06:30 AM
In response to Moudar

Have you enabled vpn debug truncon for debug start? Reproduce issue and turn off vpn debug truncoff

files rotate on their own no need to delete them. Copy them and load them in ikeview.

if you see remote peer ip in ikeview you are on the right track

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-12-02 06:34 AM
In response to Lesley

the command: vpn debug truncon, can it focus on specific community or it only debugs all S2S VPN?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-12-02 06:44 AM
In response to Moudar

I dont believe it can be done for specific community.

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-12-02 06:54 AM
In response to the_rock

I can now see this kind of log:

kort.JPG

and it is coming very often with different SPI

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-12-02 07:04 AM
In response to Moudar

I would definitely examine phase 2 settings, because thats what those messages relate to.

Andy

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-12-02 07:29 AM
In response to Moudar

Try under vpn comm to change to per gateway or per subnet change between them to see if there is improvement 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-12-02 07:58 AM
In response to Lesley

I have now changed it to "per Gateway" and my gateway started to "key install" on the other side gateway, i will keep an eye on it and back tomorrow with some insights. We have many subnets behind every gateway so maybe this is a better choice.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-12-02 08:02 AM
In response to Moudar

Hey bro,

I always found that option useful for route based tunnels. Not sure if thats type of tunnel you have, but if it is, it will help, 100%.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events