Overview:
From the Firewall: There are a couple of commands you can make directly on the firewall to test the phase1/2 status of the vpn.
vpn tu command: This command gives you a lot of visibility on the vpn. From the expert mode (not clish), run the command.
[Expert@checkpoint:0]# vpn tu
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit
listing all ike SA's shows the following:
1
Peer 4.14.89.4 SAs:
1. IKE SA <29bfdbbf26cee51a,e684f1d233dc045>:
Peer 50.200.61.120 SAs:
1. IKE SA <c8d2d9a5f3192c7,b51033ad6186654>:
2. IKE SA <5c7ec4ace28db0d,b10e98d279a6992>:
3. IKE SA <10a309afa5e15df,011ef0e5015cba2>:
Peer 17.18.13.219 SAs:
1. IKE SA <1f17a73b70d995f,cd8aba08578192f0>:
2. IKE SA <119ee6119340c5e,768843785d00b8a9>:
Looking at the phase 2 status shows: 2
Peer 4.14.89.4 SAs:
1. SPI's related to IKE SA <29bfdbbf26cee51a,e684f1d233dc045>:
INBOUND:
1. 0x400fd
OUTBOUND:
1. 0xc88928a
View dropped connections: You can see all the dropped connections on the firewall with the fw ctl debug command. It will by default show you everything, so it's good to pipe the results to grep and search on just what you are interested in. In this case, we're filtering on the remote gateway and the errors we're seeing trying to connect to it. (are they dropping our connections?) Step 1: Open up a capture to see dropped packets: [Expert@LEX-CKP-FW2:0]# fw ctl zdebug + drop | grep 4.14.89.4
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 19.14.14.12:36700 -> 4.14.89.4:80 dropped by vpn_encrypt_chain Reason: No error;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 19.14.14.12:36700 -> 4.14.89.4:80 dropped by vpn_encrypt_chain Reason: No error;
Step 2: In another session, open up a connection to that open port to see what happens:
[Expert@checkpoint:0]# telnet 4.14.89.4 80
Trying 4.14.89.4...
telnet: connect to address 4.14.89.4: Connection timed out
Step 2 will fillout the data in step 1 and provide you with some good information on why the link is failing or if the port is blocked.
System Diagnostics, and port analysis: If you want to make sure that your physical medium is ok, or if anything else is going on with the hardware, simply run a cpview command Expert@LEX-CKP-FW2:0]# cpview
|------------------------------------------------------------------------------|
| CPVIEW.I/S.SXL 22Jul2016 10:47:34 |
|------------------------------------------------------------------------------|
| Overview SysInfo Traffic I/S Software-blades |
|------------------------------------------------------------------------------|
| CPU Memory SXL CoreXL Streaming RAD |
|------------------------------------------------------------------------------|
| Overview F2F-Reasons Drop-Reasons |
|------------------------------------------------------------------------------|
| Accelerated Path |
| |
| Accel packets 208 |
| Accel bytes 9,292 |
| Conns created 77,125 |
| Conns deleted 58,722 |
| C total conns 13,341 |
| C templates 0 |
| C TCP conns 11,200 |
| C delayed TCP conns 0 |
| C non TCP conns 2,141 |
| C delayed nonTCP conns 0 |
| Conns from templates 0 |
| Temporary conns 1,117 |
| NAT conns 66,113 |
| Dropped packets 1,352 |
| Dropped bytes 199KB |
| NAT templates 0 |
| Conns from NAT tmpl 0 |
| Port alloc templates 0 |
| Port alloc conns 0 |
| Conns auto expired 3,945 |
| ---------------------------------------------------------------------------- |
| Accelerated VPN Path |
| |
| C crypt conns 1,200 |
| Encrypted bytes 510MB |
| Decrypted bytes 130MB |
| ESP encrypted pkts 702,660 |
| ESP encrypted err 103 |
| ESP decrypted pkts 410,453 |
| ESP decrypted err 11 |
| ESP other err 0 |
| AH encrypted pkts 0 |
| AH encrypted err 0 |
| AH decrypted pkts 0 |
| AH decrypted err 0 |
|- More info available by scrolling down --------------------------------------|
From the NPM: SmartView Tracker: Within the SmartView Tracker, from the viewer, open up Network & Endpoint Queries, then Predefined, then Network Security Blades, IPsec VPN Blade, and VPN. From there you can create a filter that only reviews issues to the destination firewall. This will show you all the phase1/2 errors while the tunnel is being created.
References:
|
|
