Easy VPN Debug Tool

HeikoAnkenbrand
Champion Champion
Champion

CLI command

This tool creates a VPN debug with one CLI command:

evpn -d       -> Creates all VPN debug files ike.elg and vpnd.elg
evpn -d -m    -> Creates all VPN debug files ike.elg, vpnd.elg and a fw monitor capture file of all network packages

evpn -o       -> Shows overlapped encdoms 'overlap_encdom'
evpn -r       -> Shows vpn routes 'fw tab -t vpn_routing -u'
evpn -t

...

1 Solution

Accepted Solutions

HeikoAnkenbrand
Champion Champion
Champion

Hi @Nauuk_K,

The script executes the following vpn debug commands:

vpn debug trunc
vpn debug on
vpn debug ikeon
vpn debug on TDERROR_ALL_ALL=5;

>>> Wait for the vpn error <<<

vpn debug off
vpn debug ikeoff
vpn debug truncoff;
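
A wrapper around the command sequence listed in this answer, as an added example that is not part of the original post or of the evpn tool: it makes sure the three "off" commands run even when the wait is interrupted or the shell exits. The function names and the 300-second default are assumptions; the `vpn debug` commands are the ones from the post.

```shell
#!/bin/sh
# Added example, not the evpn script itself. Function names and the
# 300-second default are assumptions; the vpn debug commands are from the post.

debug_off() {
    # The "off" half of the sequence.
    vpn debug off
    vpn debug ikeoff
    vpn debug truncoff
}

run_vpn_debug() {
    max_seconds="${1:-300}"
    case "$max_seconds" in
        ''|*[!0-9]*)
            echo "usage: run_vpn_debug [seconds]" >&2
            return 2 ;;
    esac

    # Switch debugging off on Ctrl-C, kill, or any other exit of the shell.
    trap 'trap - EXIT; debug_off; exit 130' INT TERM
    trap 'debug_off' EXIT

    if vpn debug trunc && vpn debug on && vpn debug ikeon \
        && vpn debug on TDERROR_ALL_ALL=5; then
        echo "Debug is on for up to ${max_seconds}s; reproduce the VPN error now (Ctrl-C stops early)."
        sleep "$max_seconds"
        rc=0
    else
        echo "could not enable VPN debug" >&2
        rc=1
    fi

    debug_off
    trap - INT TERM EXIT
    return "$rc"
}
```

After sourcing the file, `run_vpn_debug 120` keeps debugging on for at most two minutes.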


6 Replies

Nauuk_K
Participant

Hi @HeikoAnkenbrand,

What exactly does this script do?
So I don't have to type in all VPN debug commands anymore!

Am I getting this right?

 




_Daniel_
Contributor

Great tool. I wonder if we can add ikev2.xmll to the compressed file.


0 Kudos

O_H
Participant

👍


0 Kudos

Thomas_Eichelbu
Advisor

Hello Heiko,

as always, a wonderful tool.
But is there a way to limit the debug to only ONE tunnel peer IP or community name?

Because this command offers an option "tunnel":

vpn debug ?
Usage: vpn debug < on [ DEBUG_TOPIC=level ] | off | ikeon [ -s size(Mb) ]| ike off | trunc [ DEBUG_TOPIC=level ] | truncon [ DEBUG_TOPIC=level ] | truncoff | timeon [ SECONDS ] | timeoff | ikefail [ -s size(Mb) ]| mon | moff | say [ string ] | tunnel [ level ] >

What is | tunnel | supposed to mean?
Can I filter t

...


0 Kudos

Timothy_Hall
Champion
Champion

Confining a vpnd debug to one tunnel or peer doesn't seem possible; the tunnel option you are referring to looks like it is just a shortcut to execute multiple debug commands (kind of like zdebug).

If you are having problems with the vpnd.elg files rolling off before you can look at them, make sure you are only debugging IKE by just using the ikeon argument, which is typically all that you need in most VPN troubleshooting scenarios. Doing a vpn debug on enables IKE debugging but lots

...


0 Kudos