For IPsec tunnel troubleshooting, after disabling the secureXL, when I run fwmonitor with src and dest IP address,what should I expect to see?
will I see both (i, I) and Both (o,O) for the traffic?
I always like to get packet captures without any filtering and I will filter later on in wireshark.
For R77.30 and lower versions, if you are filtering for the interesting traffic src and destination you suppose to see the clear packet in the following positions i I o and O you suppose to see the ESP packet which will have the public IPs of the endpoint of the vpn.
For R80.10 since Corexl Is enabled for VPN in fw monitor checkpoint introduced 2 other positions e and E. because the traffic will be sent to a core that handles the connecion after that it will be forwarded to another core to do the encryption
you suppose to see the clear packet in position i I o O e and you will see the esp packet at E position.
will I see "e" also ?
If you take a look on whole chain in your actual system, then you can se it is possible to run fw monitor on much more places then just default state.
Here is chain example (note - Acceleration enabled):
[Expert@FWHOST:0]# fw ctl chainin chain (15): 0: -7f800000 (f5b395b0) (ffffffff) IP Options Strip (in) (ipopt_strip) 1: - 2000000 (f544bb00) (00000003) vpn decrypt (vpn) 2: - 1fffffa (f5466460) (00000001) l2tp inbound (l2tp) 3: - 1fffff8 (f5b3aca0) (00000001) Stateless verifications (in) (asm) 4: - 1fffff2 (f54888f0) (00000003) vpn tagging inbound (tagging) 5: - 1fffff0 (f544a4a0) (00000003) vpn decrypt verify (vpn_ver) 6: - 1000000 (f5c0d820) (00000003) SecureXL conn sync (secxl_sync) 7: 0 (f5ad9390) (00000001) fw VM inbound (fw) 8: 2000000 (f5449a60) (00000003) vpn policy inbound (vpn_pol) 9: 10000000 (f5c18070) (00000003) SecureXL inbound (secxl) 10: 7f600000 (f5b2d990) (00000001) fw SCV inbound (scv) 11: 7f730000 (f5d40760) (00000001) passive streaming (in) (pass_str) 12: 7f750000 (f5f53920) (00000001) TCP streaming (in) (cpas) 13: 7f800000 (f5b392c0) (ffffffff) IP Options Restore (in) (ipopt_res) 14: 7fb00000 (f633d240) (00000001) HA Forwarding (ha_for)out chain (13): 0: -7f800000 (f5b395b0) (ffffffff) IP Options Strip (out) (ipopt_strip) 1: - 1ffffff (f5449260) (00000003) vpn nat outbound (vpn_nat) 2: - 1fffff0 (f5f53bb0) (00000001) TCP streaming (out) (cpas) 3: - 1ffff50 (f5d40760) (00000001) passive streaming (out) (pass_str) 4: - 1ff0000 (f54888f0) (00000003) vpn tagging outbound (tagging) 5: - 1f00000 (f5b3aca0) (00000001) Stateless verifications (out) (asm) 6: 0 (f5ad9390) (00000001) fw VM outbound (fw) 7: 2000000 (f5449270) (00000003) vpn policy outbound (vpn_pol) 8: 10000000 (f5c18070) (00000003) SecureXL outbound (secxl) 9: 1ffffff0 (f54670d0) (00000001) l2tp outbound (l2tp) 10: 20000000 (f544c600) (00000003) vpn encrypt (vpn) 11: 7f700000 (f5f53df0) (00000001) TCP streaming post VM (cpas) 12: 7f800000 (f5b392c0) (ffffffff) IP Options Restore (out) (ipopt_res)
SK for FW monitor is much more fine than in the past. So try to look there for examples and syntax - sk30583
Retrieving data ...