This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Luis_Filipe
Participant
‎2019-07-22 02:39 PM

Debug with ikeview

Hello folks,

 

I have a simple question, I need to troubleshooting one VPN site-to-site tunnel, it's safe to use ikeview tool to analyze the logs on a heavy (a lot of traffic and users) production firewall?

This tool does not have the ability to land a firewall (Stop working on debug mode)?

 

Thanks in advance guys

0 Kudos
6 Replies
Vladimir
Champion
Champion
‎2019-07-22 02:53 PM

IkeView is an offline viewer for the files generated with VPN debug and ike debug commands "vpn debug on" and "vpn debug ikeon" or a combo command "vpn debug trunc".

 

As per CP sk63560:

Warning: Part of this SK requires the performing of a Kernel Debug. Due to the potential for high load conditions and performance impact, up to and including Kernel Panic, it is not recommended to perform a kernel debug during normal Business hours. While a kernel panic is unlikely it is recommended to perform kernel debugs during a maintenance window where issues such as high loads and kernel panics can be addressed without negatively affecting production.

0 Kudos
Luis_Filipe
Participant
‎2019-07-23 01:51 AM
In response to Vladimir

Hi,

Sorry for the misunderstanding, what I meant to say is: it is safe to enable debug mode on a production firewall to analyze later with ikeview?

Thanks in advance.

0 Kudos
Vladimir
Champion
Champion
‎2019-07-23 05:11 AM
In response to Luis_Filipe

@Luis_Filipe , IMHO: nope, it is not safe to do it in production. It should be reserved for the situations when NOT doing it has worse consequences than those described in the "Warning" in my previous post.

I am sure that there are plenty of people here that may disagree with me though, and I would like for them to chime in here.

@PhoneBoy  @Danny , @HeikoAnkenbrand and @Timothy_Hall , please state your opinion on debugs in production and if you think that CP Warning is overblown.

Thanks,

Vladimir

PhoneBoy
Admin
Admin
‎2019-07-23 09:00 AM
In response to Vladimir

If a firewall is heavily loaded, adding debugging messages into the mix can definitely make things worse.
Kernel debugs in particular can be problematic, debugs of individual user processes, less so.
TAC may be able to suggest the "least impactful" way to debug the problem.
0 Kudos
Danny
Champion
Champion
‎2019-07-23 04:15 PM
In response to Vladimir

In such situations I quickly set up a another Check Point Security Gateway (VM), enabled SIC and VPN and troubleshooted the specific VPN tunnel on this gateway to make sure nothing is impacting production. After everything is clear I switched back the VPN tunnel to the main gateway and deleted the testing machine.

0 Kudos
Timothy_Hall
Champion
Champion
‎2019-07-23 06:52 AM
In response to Luis_Filipe

As long as you are doing "vpn debug" style commands and not kernel debugs (fw ctl debug) it is pretty safe as "vpn debug" is just switching on debugs in the vpnd daemon.  Even if there is a runaway debug it will not impact the bulk of traffic operations happening in the kernel including encrypt/decrypt operations for existing VPN tunnels.  If somehow vpnd crashes or becomes impaired new IKE negotiations cannot occur, and certain types of Remote Access VPN traffic (such as Visitor mode & NAT-T) will be impacted.  However vpnd is a child process of fwd who will instantly restart vpnd if it dies.

 

New 2-day Live "Max Power" Series Course Now Available:
"Gateway Performance Optimization R81.20" at maxpowerfirewalls.com