
VPN TROUBLESHOOTING
Reference: http://www.cpug.org/forums/vpns-virtual-private-networks/4764-vpn-trouble-shooting.html

Basics:
IKE negotiation consists of two phases - Phase I (Main mode which is six packets) and Phase II (Quick Mode which is three packets).

The $FWDIR/log/ike.elg file contains this information (once debugging is enabled). To enable debugging, log in to your firewall and enter "vpn debug ikeon" (IKE debugging only, written to ike.elg) or "vpn debug trunc" (truncates ike.elg and vpnd.elg and turns on both IKE and vpnd debugging). "vpn debug on" by itself enables vpnd debugging, which goes to vpnd.elg, not ike.elg. Turn debugging off again ("vpn debug ikeoff" / "vpn debug off") when you are done, since the files grow quickly.

Check Point has a tool called IKEView.exe which parses the contents of ike.elg into a GUI, making it easier to view.

Note that another useful tool is "vpn debug mon", which writes all of the captured IKE data into the file $FWDIR/log/ikemonitor.snoop, which you can open with Wireshark or Ethereal ("vpn debug moff" stops it).

PHASE 1:
Negotiates the encryption method (DES/3DES/AES etc), the key length and the hash algorithm (MD5/SHA1), and creates a key to protect the messages of the exchange. It does this in 5 stages:
1. Peers authenticate using certificates or a pre-shared secret.
2. Each peer generates a private Diffie-Hellman key from random bits and from that derives a DH public key. These are then exchanged.
3. Each peer generates a shared secret from its private key and its peer's public key; this is the DH key.
4. The peers exchange DH key material (random bits and mathematical data) and the methods for Phase II are agreed for encryption and integrity.
5. Each side generates a symmetric key (based upon the DH key and the key material exchanged).
Note that on the wire the authentication of stage 1 actually happens last, in Main Mode packets 5 and 6, after the DH exchange of packets 3 and 4 (see the packet breakdown below).

In IKEView, under the IP address of the peer, open "P1 Main Mode ==>" for outgoing or "P1 Main Mode <==" for incoming, then expand Main Mode Packet 1:

> MM Packet 1
  > Security Association
    > Prop1 PROTO_ISAKMP
      > Tran1 KEY_IKE

You should then be able to see the proposed Encryption Algorithm, Key Length, Hash Algorithm, Authentication Method, DH Group, and SA renegotiation parameters (life type, usually seconds, and duration).

If your encryption fails in Main Mode Packet 1, then you need to check your VPN communities.

Packet 2 (MM Packet 2 in the trace) is from the responder, agreeing on one encryption and hash algorithm. Packets 3 and 4 aren't usually used when troubleshooting. They perform the key exchange and include a large number called a nonce. The nonce is a set of never-before-used random bits sent to the other party, which signs it and returns it to prove its identity. Packets 5 and 6 perform the authentication between the peers. The peer's IP address shows in the ID field under MM Packet 5. Packet 6 shows that the peer has agreed to the proposal and has authorised the host initiating the key exchange.

If your encryption fails in Main Mode Packet 5, then you need to check the authentication: certificates or pre-shared secrets.

Phase II:

IPSec Security Associations (SAs) are negotiated, the shared secret key material used for the SA is determined and, when PFS is enabled, there is an additional DH exchange.
Phase II failures are generally due to a misconfigured VPN domain.

Phase II occurs in 3 stages:
1. Peers exchange key material and agree encryption and integrity methods for IPSec.
2. The DH key is combined with the key material to produce the symmetrical IPSec key.
3. Symmetric IPSec keys are generated.

In IKEView, under the IP address of the peer, expand "P2 Quick Mode ==>" for outgoing or "P2 Quick Mode <==" for incoming, then Quick Mode packet 1:

> QM Packet 1
  > Security Association
    > prop1 PROTO_IPSEC_ESP
      > tran1 ESP_AES (for an AES encrypted tunnel)

You should be able to see the SA life type, duration, authentication algorithm, encapsulation mode and key length. If your encryption fails here, it is one of the above Phase II settings that needs to be looked at.

There are two ID fields in a QM packet. Under

> QM Packet 1
  > ID

you should be able to see the initiator's VPN domain configuration, including the type (ID_IPV4_ADDR_SUBNET) and data (ID Data field). Under the second ID field you should be able to see the peer's VPN domain configuration. Packet 2 from the responder agrees to its own subnet or host ID, encryption and hash algorithm. Packet 3 completes the IKE negotiation.

If all of this works without any errors, then you may have previously initiated an invalid tunnel. You can use the VPN tunnel utility "vpn tu" to remove SA keys from the table.

A. Is there any additional information regarding two other frequent problems: one way only traffic and tunnel disconnections?

One way only traffic is generally the result of one peer not having correctly established a security association. Most frequently this is due to the way in which Check Point combines adjacent IP address networks together into supernets, i.e. if you have 192.168.0.0/24 and 192.168.1.0/24, Check Point will supernet this into 192.168.0.0/23. This is done to reduce the number of keys required and hence reduce the load on the VPN gateway. However, other VPN devices do not follow this methodology, so depending upon the version of VPN-1 you are using, you may need to set IKE_use_largest_possible_subnets or correctly configure the VPN community's tunnel management (one VPN per pair of hosts, per subnet pair or per gateway). See SecureKnowledge article Solution ID sk26336. Tunnel disconnections can be caused either by a physical connectivity problem or routing problems or, once again, a mismatch in the VPN security associations. Be particularly careful with VPNs to Cisco in this regard. Plenty of times I've seen people confused between seconds and minutes! I've also seen that sometimes the Cisco ends of VPNs don't want to reset the SAs when told to by the Check Point end.

B. Is there any information regarding an ike.elg + vpn.elg explanation? I am familiar with the IKE/IPsec processes but those 2 files are still not easy to understand (I know there is a tool called IKEView but I don't work for an organization considered a CSP, so it seems like I'll never get my hands on this tool).

From my answer above, you can see that my statement "Most VPN debugging consists of looking at the IKE negotiation" is true. And it is most unlikely that you will need to look into the vpnd.elg file. With respect to obtaining ikeview.exe.
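The supernetting behaviour described in the answer above can be reproduced offline to predict which subnet pairs a third-party peer will refuse in Quick Mode. The following is an added example in Python; it is not code from the thread or from Check Point. The encryption domains are constructed sample data, and the assumption that the peer negotiates exact per-subnet pairs from its crypto ACL (the usual Cisco behaviour) is the example's, not the thread's.

```python
"""Predict Phase II proxy-ID mismatches caused by Check Point supernetting.

Added example, not code from the original thread. Check Point merges adjacent
networks in an encryption domain into the largest possible subnet before the
Quick Mode ID exchange; a peer that negotiates per-subnet pairs from its own
crypto ACL has no matching entry for the supernet. Domains below are sample data.
"""
import ipaddress
from itertools import product


def checkpoint_supernet(domain):
    """Merge aligned, adjacent networks (192.168.0.0/24 + 192.168.1.0/24 -> /23).

    collapse_addresses() only merges networks that together form one valid CIDR
    block, which is also the only merge an ID_IPV4_ADDR_SUBNET payload can carry.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in domain]
    return sorted(ipaddress.collapse_addresses(nets))


def quick_mode_pairs(local_domain, remote_domain, supernet):
    """(local ID, remote ID) pairs a gateway would put in Quick Mode packet 1."""
    if supernet:  # "Support Subnets for Key Exchange" / largest possible subnets
        local = checkpoint_supernet(local_domain)
        remote = checkpoint_supernet(remote_domain)
    else:         # one VPN tunnel per subnet pair: every configured subnet stays as is
        local = [ipaddress.ip_network(n, strict=False) for n in local_domain]
        remote = [ipaddress.ip_network(n, strict=False) for n in remote_domain]
    return {(str(l), str(r)) for l, r in product(local, remote)}


def mismatched_pairs(cp_local, cp_remote, peer_local, peer_remote, supernet=True):
    """Peer crypto-ACL pairs that the Check Point side would never propose.

    Pairs are oriented (Check Point side, peer side). A pair in the result only
    gets a working SA when the peer initiates; when the Check Point side
    initiates it proposes the supernet instead, the peer rejects it, and that
    direction stays down: the one-way-traffic symptom described above.
    """
    proposed = quick_mode_pairs(cp_local, cp_remote, supernet)
    # The peer's ACL is written peer-local -> peer-remote; flip it into CP orientation.
    expected = {
        (str(ipaddress.ip_network(r, strict=False)), str(ipaddress.ip_network(l, strict=False)))
        for l, r in product(peer_local, peer_remote)
    }
    return expected - proposed


if __name__ == "__main__":
    # Constructed sample: two adjacent /24s behind the Check Point, one /24 behind the peer.
    CP_LOCAL = ["192.168.0.0/24", "192.168.1.0/24"]
    CP_REMOTE = ["10.0.0.0/24"]
    PEER_LOCAL = ["10.0.0.0/24"]
    PEER_REMOTE = ["192.168.0.0/24", "192.168.1.0/24"]
    print("proposed with supernetting  :", sorted(quick_mode_pairs(CP_LOCAL, CP_REMOTE, True)))
    print("pairs the peer never sees   :", sorted(mismatched_pairs(CP_LOCAL, CP_REMOTE, PEER_LOCAL, PEER_REMOTE)))
    print("one tunnel per subnet pair  :",
          sorted(mismatched_pairs(CP_LOCAL, CP_REMOTE, PEER_LOCAL, PEER_REMOTE, supernet=False)))
```

Running it shows the single 192.168.0.0/23 proposal against the two /24 entries the peer expects; switching to one tunnel per subnet pair (or setting "Support Subnets for Key Exchange" to false) empties the mismatch set. Non-aligned neighbours such as 192.168.1.0/24 and 192.168.2.0/24 are left alone by both the gateway and this function, so they never trigger the problem.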

IMPORTANT PATHS:
1. Where are database revision control files stored?

$FWDIR/conf/db_versions/repository/

Cisco ASA order of operations
1. FLOW-LOOKUP - This will check for existing connections. If a connection exists, the flow is automatically allowed.
2. ROUTE-LOOKUP - This is the inbound route lookup, which includes reverse path, if enabled.
3. Inbound ACCESS-LIST - Checks for an interface ACL.
4. CONN-SETTINGS - Application layer checks (class maps).
5. IP-OPTIONS - RFC 791.
6. NAT
7. Outbound ACCESS-LIST (if an outbound access list exists on the egress interface).
8. FLOW-CREATION
9. ROUTE-LOOKUP - Destination route lookup.

How to immediately know if you are logged into the active or standby firewall on ASA
The prompt command (introduced in 7.2(1)) allows you to customize the hostname of the ASA to include dynamic elements, for example:
lab-dev-01# config t
lab-dev-01(config)# prompt state
lab-dev-01/act(config)#
•act - Failover is enabled, and the unit is actively passing traffic.
•stby - Failover is enabled, and the unit is not passing traffic and is in a standby, failed, or other non-active state.
•actNoFailover - Failover is not enabled, and the unit is actively passing traffic.
•stbyNoFailover - Failover is not enabled, and the unit is not passing traffic. This might happen when there is an interface failure above the threshold on the standby unit.

Step backwards for VPN supernetting in R71
It was recently brought to my attention that Checkpoint's infamous VPN supernetting in R71 can no longer be fixed by changing the VPN Advanced Tunnel Options to "1 VPN Per Pair of Hosts". As with R55, you have to change the following in the $FWDIR/conf/Objects_5_0.C file: change "Support Subnets for Key Exchange" to "false". It is also believed that migrated VPNs that were previously configured using the Advanced Tunnel Options retain their settings, but new VPNs will not work. It is believed that R75 has gone back to the use of the Advanced VPN Tunnel Options setting. If anyone has any more information on this, I would appreciate the input.

How to determine the path and interface of a host on SPLAT
[Expert@lab1]# ip route get 192.168.1.10
192.168.1.10 via 192.168.19.38 dev eth2 src 192.168.19.1
    cache mtu 1500 advmss 1460

How to ping the inside interface of an ASA through a VPN tunnel
This is typically used for testing VPNs.
#conf t
(config)# management-access inside

"Verifier warnings: A Cluster cannot be empty. It must have Cluster members" or "only one interface defined" error on Checkpoint R70 and R71
Checkpoint has confirmed that this is a bug that occurs occasionally when pushing policy to clusters. Example:
Firewall and Address Translation Policy Verification:
Verifier warnings: There is only one interface defined for object <object>. At least one more interface must be configured for this object in order to use the Anti-Spoofing feature.
or
Verifier warnings: A Cluster cannot be empty. It must have Cluster members.
To resolve the issue, open the cluster object for the gateway that you are pushing policy for, and go into the Topology. Click OK, then OK on the Cluster object, and Save. The error should go away.

Checkpoint R71 bug that will cause migrations to fail
Checkpoint has acknowledged that there is a bug in R71 that will cause any policy migrations from older versions to fail if there is a tilde (~) in the name of a policy being migrated. This is true even if the policy is not used. Therefore any policies with a tilde in the name should be renamed before migrating.

ASA 5505 VLAN license error
ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a "no forward" command on this interface or on 1 interface(s) with nameif already configured.
This error will occur during the configuration of a new VLAN on an ASA 5505. It occurs because there is only a Base license installed on the ASA. A Base license will only allow 3 VLANs to be created. The license will need to be upgraded to a Security Plus license.

Everything you need to know about troubleshooting VRRP on Nokia Checkpoints
VRRP failover happens when one of the following events takes place:
- a monitored interface loses its link state
- VRRP hello packets from the master are not seen on the secondary device
- a critical Checkpoint service or daemon fails to report its status. This requires FW Monitoring to be turned on in Voyager. If it is turned on, a failover will also occur whenever the clock is set backwards.
When a failure occurs, the failed device sends out a priority 0 message on all good interfaces. This tells the secondary to take over. Proper VRRP failovers usually only cause 1 or 2 packets to be lost.
The VRRP multicast address is 224.0.0.18. To capture VRRP traffic in fw monitor:
fw monitor -e "accept ip_p = 112;"
With tcpdump:
tcpdump -nni eth1 proto VRRP
The packets will contain the vrid and priority. Example (the last line is the priority 0 message from a failing master):
PrimaryHA-fw1[admin]# tcpdump -i eth-s1p1c0 proto vrrp
tcpdump: listening on eth-s1p1c0
00:46:11.560007 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:12.399982 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:13.379961 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:14.479985 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 0 [tos 0xc0]
If both firewalls are broadcasting VRRP and the packets are not seen by the other firewall, there could be a communication problem between the firewalls. Also ensure that the vrid matches on both firewalls.

Clish: show vrrp
This will show you which devices are in master and backup. Example:
PrimaryFW-A> sh vrrp
VRRP State Flags: On
6 interface enabled
6 virtual routers configured
0 in Init state
0 in Backup state
6 in Master state
PrimaryFW-A> exit
Bye.
PrimaryFW-A[admin]#
SecondaryFW-B[admin]# iclid
SecondaryFW-B> sh vrrp
VRRP State Flags: On
6 interface enabled
6 virtual routers configured
0 in Init state
4 in Backup state
2 in Master state
SecondaryFW-B> exit
Note that with 6 virtual routers, 6 in Master state on A and 2 in Master state on B means two virtual routers have both members claiming master.

show vrrp interfaces - Detailed configuration of VRRP, including priority, hello interval, and VRID.
clish -c "show interfacemonitor" - Displays interface transitions.
cphaprob -i list - Displays Checkpoint critical processes and their timeouts.
To log critical process failures: ipsctl -w net:log:partner:status:debug 1
That will log to the console and to /var/log/messages. To turn it off: ipsctl -w net:log:sink:console 0
To change the timeout value of a monitored process: cphaprob -d [device] -t [timeout] -s [state] -p register

Resolving local logging issues on Checkpoint
If logs are not appearing in Smartview Tracker, first try restarting the MLM (in a Provider-1 environment) or the Log Services (in a Smartcenter Server environment). If that does not work, try restarting the firewall services on the gateway (fw kill fwd followed by fwd). To determine if logs are being stored locally on the gateway, go to $FWDIR/log, locate the fw.log file and see if its size is incrementing. There may also be additional fw*.log files that have rolled over. If so, the gateway is probably logging locally. Once resolved, you can pull the stored logs from the gateway by running "fw fetchlog <gateway>" from the log server. In R70, there is also an option to fetch logs in Smartview Tracker (Tools > Remote Files Management).

Configuring SNMP on SPLAT
step 1: service snmpd restart
step 2: edit /etc/snmp/snmpd.conf and replace public with your actual snmp community string
step 3: service snmpd restart
step 4: netstat -an | grep 161
For the Checkpoint snmpd on port 260:
step 1: modify the $FWDIR/conf/snmp.C file and place the actual snmp community inside the read and write (). If you leave the write empty, it will use "private" as the community string. This is a security risk.
step 2: run sysconfig and start the checkpoint snmpd extension
step 3: perform cpstop, cpstart
step 4: netstat -an | grep 260

Creating a Read Only SPLAT user
Creating a user:
1. SSH to the firewall where the account will be set up.
2. From the command line type "adduser <username>"; here we will add the user with username testuser, so the command should read "adduser testuser".
3. Input the desired password when prompted to do so.
Changing the user's shell:
1. Open the passwd file for editing by typing "vi /etc/passwd".
2. Find the line corresponding to the user you just created. If you have created a user with username "testuser", the line you are looking for is "testuser:x:0:0::/home/test:/bin/cpshell".
3. Change the user's shell; to do this we will change "/bin/cpshell" to "/path/to/shell". Before the change the line should read:
testuser:x:0:0::/home/test:/bin/cpshell
After the change the line will read:
testuser:x:0:0::/home/test:/etc/scripts/myshell.sh
Note the uid and gid of 0 in this line: as far as the OS is concerned the account is root, and the custom shell is the only thing making it "read only", so the shell script must not allow an escape to a full shell (for example through an editor or pager that can run commands).

Checkpoint port list
TCP 256: CA and DH key exchange, and the port used to push policy to remote firewalls
TCP 257: Logging
TCP 258: Mgt console listens for remote GUI connections
TCP 259: Client Auth via telnet
UDP 259: manages encrypted sessions
UDP 260: SNMP for the Checkpoint daemon
TCP 262: Single Sign-on daemon
TCP 264: SC topology fetch; net topology fetch on older SC versions
UDP 500: ISAKMP
TCP 900: HTTP client auth
TCP 4532: Session Auth agent
TCP 18181: Content Vectoring Protocol
TCP 18182: URL Filtering Protocol
TCP 18183: Suspicious Activity Monitoring for IPS
TCP 18186: SIC between OPSEC products and the gateway
TCP 18190: CPMI, the management server listens for SmartConsole (GUI) clients
TCP 18191: CPD process for communications such as policy installation and certificate revocation
TCP 18192: CPD monitoring

Cisco ASA Policy Based NAT
Example: source address 10.1.1.1 should be translated to 172.16.1.1 when going to 192.168.1.1, and translated to 172.16.1.2 when going to 192.168.1.2. The ACL selects the real source and the destination; the static supplies the mapped address:
access-list policy_nat1 permit ip host 10.1.1.1 host 192.168.1.1
access-list policy_nat2 permit ip host 10.1.1.1 host 192.168.1.2
static (inside,outside) 172.16.1.1 access-list policy_nat1
static (inside,outside) 172.16.1.2 access-list policy_nat2

Cisco ASA Reverse Path Forwarding
RPF errors are typically NAT related (traffic is natted one way in one direction and another way in the other direction). Example:
---> no nat
<--- hide nat
Example of this error:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.1.100 dst dmz:192.168.25.12 (type 8, code 0) denied due to NAT reverse path failure
The other reason is if RPF checking is turned on and the source host comes in on an interface where a route is not defined for the host. This type of RPF check is configured on a per interface basis and causes the firewall to examine the source IP of each packet, which adds a little additional overhead. To turn on RPF checking for an interface, run the following global configuration command:
ip verify reverse-path interface outside

Great Cisco TAC podcast on Anyconnect
This podcast covers an overview of Anyconnect as well as some great troubleshooting procedures:
http://cisco-podcast.streamguys.net/cdc/security/tac/TACSecurityShow_episode_11.mp3

Troubleshooting VRRP
Check the status of the interfaces. In this example, both firewalls believe that they are in a master state for two of the virtual routers:
FW-1[admin]# iclid
FW-1> sh vrrp
VRRP State Flags: On
6 interface enabled
6 virtual routers configured
0 in Init state
0 in Backup state
6 in Master state
FW-1> exit
FW-2[admin]# iclid
FW-2> sh vrrp
VRRP State Flags: On
6 interface enabled
6 virtual routers configured
0 in Init state
4 in Backup state
2 in Master state
A tcpdump can confirm whether VRRP packets are reaching each interface. On the Primary:
FW-1[admin]# tcpdump -i eth-s4p2c0 proto vrrp
tcpdump: listening on eth-s4p2c0
00:46:11.379961 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 102 pri 100 [tos 0xc0]
00:46:12.374424 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 102 pri 100 [tos 0xc0]
00:46:13.533454 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 102 pri 100 [tos 0xc0]
Secondary:
FW-2[admin]# tcpdump -i eth-s4p2c0 proto vrrp
tcpdump: listening on eth-s4p2c0
00:19:38.206994 O 10.10.10.2 > 224.0.0.18: VRRPv2-adver 20: vrid 102 pri 95 [tos 0xc0]
00:19:38.630075 O 10.10.10.2 > 224.0.0.18: VRRPv2-adver 20: vrid 102 pri 95 [tos 0xc0]
00:19:39.344334 O 10.10.10.2 > 224.0.0.18: VRRPv2-adver 20: vrid 102 pri 95 [tos 0xc0]
Now you can see that the interface on both the primary and the secondary firewall is sending (O) VRRP multicasts, but neither sees the other's (no I lines). The VRRP multicasts are not reaching the other firewall's interface, so there is a communication breakdown, possibly caused by network issues.
In another example you will see that the VRIDs don't match:
FW-1[admin]# tcpdump -i eth-s4p2c0 proto vrrp
00:46:11.507294 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 103 pri 100 [tos 0xc0]
00:46:11.544322 I 10.10.10.2 > 224.0.0.18: VRRPv2-adver 20: vrid 102 pri 95 [tos 0xc0]
Here the packets do reach the interface, but the secondary advertises vrid 102 while the primary runs vrid 103, so each considers itself the only router for its VRID.

Useful Nokia IPSO Commands
newimage -R -k -l ipso.tgz - install a new IPSO image
newpkg -i - installs software from the given location (firewall software, etc)
voyager -e 0 80 - resets Voyager after a failed SSL config attempt
dbpasswd admin - changes the password from the command line
ipsofwd on admin - turns on IP forwarding when the firewall is stopped
ipsofwd list - displays IPSO properties (flowpath, VPN accel driver, etc)
ipsofwd slowpath - turns off flows (flowpath turns back on)
iclid - VRRP utility that shows status
show vrrp - iclid command that shows the number of interfaces and their respective states
get vrrp - shows iclid stats: active interfaces/checksum/version/id
show vrrp interface - displays interface stats for VRRP
boot -s (from the > prompt at boot time) - boots into single-user mode
Nokia IPSO has 2 shells, IPSO and Clish. After logging in, you are in the IPSO shell. To enter the Clish shell, type "clish".
To remove old config: either rm /active/config or rm /config/active depending on version.
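The three VRRP captures above (no incoming advertisements, mismatched VRIDs, and the priority 0 release) can be told apart mechanically. The following is an added example in Python, not part of the original notes: it parses tcpdump lines in the format shown above and reports which of the described conditions an interface is in. The captures embedded in it are constructed from that format with sample addresses.

```python
"""Classify a Nokia IPSO VRRP tcpdump capture into the failure modes described above.

Added example, not from the original notes. Only VRRPv2 advertisement lines
are parsed (direction flag, source, vrid, priority); everything else is ignored.
The captures at the bottom are constructed sample data.
"""
import re

ADVERT = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>[IO])\s+(?P<src>[\d.]+)\s+>\s+224\.0\.0\.18:\s+"
    r"VRRPv2-adver\s+\d+:\s+vrid\s+(?P<vrid>\d+)\s+pri\s+(?P<pri>\d+)"
)


def parse_adverts(capture):
    """Return one dict per advertisement line in the capture text."""
    adverts = []
    for line in capture.splitlines():
        m = ADVERT.match(line.strip())
        if m:
            adverts.append({"dir": m["dir"], "src": m["src"],
                            "vrid": int(m["vrid"]), "pri": int(m["pri"])})
    return adverts


def diagnose(capture):
    """Return a list of (code, detail) findings for one interface's capture."""
    adverts = parse_adverts(capture)
    if not adverts:
        return [("NO_VRRP", "no VRRPv2 advertisements on this interface")]
    sent = [a for a in adverts if a["dir"] == "O"]
    received = [a for a in adverts if a["dir"] == "I"]
    findings = []
    # Priority 0 is the explicit "I am giving up mastership" message.
    for a in adverts:
        if a["pri"] == 0:
            findings.append(("FAILOVER", f"{a['src']} released vrid {a['vrid']} (pri 0)"))
    if sent and not received:
        findings.append(("NO_PEER_ADVERTS", "only our own advertisements seen; the peer's "
                         "multicasts are not reaching this interface (both nodes will claim master)"))
    if received and not sent:
        findings.append(("NOT_ADVERTISING", "only peer advertisements seen; this node is "
                         "backup here or VRRP is not enabled on this interface"))
    ours = {a["vrid"] for a in sent}
    theirs = {a["vrid"] for a in received}
    if ours and theirs and not ours & theirs:
        findings.append(("VRID_MISMATCH", f"we advertise {sorted(ours)}, peer advertises {sorted(theirs)}"))
    # Both nodes advertising the same vrid with a non-zero priority: two masters on one VRID.
    for vrid in sorted(ours & theirs):
        if (any(a["pri"] for a in sent if a["vrid"] == vrid)
                and any(a["pri"] for a in received if a["vrid"] == vrid)):
            findings.append(("DUAL_MASTER", f"both nodes advertising vrid {vrid}"))
    return findings


# Constructed captures in the tcpdump format shown above (sample addresses).
PRIMARY_ONLY_OUT = """\
00:46:11.379961 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 102 pri 100 [tos 0xc0]
00:46:12.374424 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 102 pri 100 [tos 0xc0]
"""
VRID_MISMATCH = """\
00:46:11.507294 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 103 pri 100 [tos 0xc0]
00:46:11.544322 I 192.168.1.2 > 224.0.0.18: VRRPv2-adver 20: vrid 102 pri 95 [tos 0xc0]
"""
FAILOVER = """\
00:46:13.379961 I 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:14.479985 I 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 0 [tos 0xc0]
"""

if __name__ == "__main__":
    for name, cap in (("primary", PRIMARY_ONLY_OUT), ("mismatch", VRID_MISMATCH), ("failover", FAILOVER)):
        print(name, diagnose(cap))
```

Run it against `tcpdump -nni <ifname> proto vrrp` output from each member in turn; a healthy pair shows only O lines on the master and only I lines on the backup for a given VRID, which this classifier reports as NO_PEER_ADVERTS on the master's side only if the backup is truly silent, so compare both sides before concluding that multicast is broken.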

Useful Checkpoint Commands
To view the active connections table: fw tab -t host_table -s
To pull the latest policy from the management station: fw fetch
Display the name of the policy installed and the date it was received: fw stat
View the Checkpoint version installed: fw ver
Display CPU, memory, and disk usage: fw ctl pstat
Delete all active hosts from the host_ip_addrs table: fw tab -t host_ip_addrs -x
Display logs on the firewall for a specific IP: fw log -n -ft | grep <ip>
Troubleshoot source/destination access issues: fw monitor -m iIOo -e 'accept src=10.29.82.82 and dst=10.29.124.23;'
Manage VPN connections (view and delete): vpn tu
Turn on debugging for VPNs: vpn debug on and vpn debug ikeon. This will create 2 files in $FWDIR/log: vpnd.elg (this can be viewed on the firewall using cat; it will show high-level VPN connection information) and ike.elg (this is the bread and butter of Checkpoint VPN troubleshooting; see the IKEView walkthrough at the top of these notes).
Display SIC key: cp_conf sic get
High Availability: cphaprob stat - display HA status; cphaprob -i - display HA interface stats; cphastop/cphastart - stop/start HA
View the license key installed: cplic print

Common Clish commands on Nokia IPSO appliances
--- setting default gateway
set static-route default nexthop gateway address 192.168.29.50 on
--- Add proxy arp
add arpproxy address 192.168.29.56 macaddress 0:a0:8e:7d:13:d0
add arpproxy address 192.168.29.57 macaddress 0:a0:8e:7d:13:d0
--- Add an interface
set interface eth1 speed 100M duplex full active on
add interface eth1c0 address 192.168.33.54/24
set interface eth1c0 enable
--- VRRP
set vrrp accept-connections on
set vrrp coldstart-delay 60
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth2c0 on
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth2c0 priority-delta 10
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth3c0 on
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth3c0 priority-delta 10
set vrrp interface eth1c0 monitored-circuit vrid 54 priority 100
set vrrp interface eth1c0 monitored-circuit vrid 54 hello-interval 1
set vrrp interface eth1c0 monitored-circuit vrid 54 vmac-mode default-vmac
set vrrp interface eth1c0 monitored-circuit vrid 54 backup-address 192.168.33.2 priority 1 on
--- adding static routes
set static-route 172.29.76.150/32 nexthop gateway address 192.168.29.1 on
--- Set ntp servers

add ntp server 10.1.1.2 version 3 prefer yes
add ntp server 10.1.1.1 version 3 prefer yes
--- Setting Time zone
set date timezone-city "Greenwich (GMT)"
--- Add hostname
set hostname testbox
--- Add Host address assignments
add host name testbox ipv4 192.168.29.54

Nokia IPSO Password reset
Boot the Nokia device into single user mode.
To boot an IP440 into single user mode, first restart the box. When you see the prompt "Verifying DMI Pool Data" press the number 1. When you see the "boot:" prompt enter "-s" and press "enter" within 10 seconds.
To boot an IP300 device into single user mode, first restart the box. When you see the prompt "Entering autoboot mode." you have 5 seconds to press any key. After pressing any key type "boot -s" to enter single user mode.
To boot an IP500 or higher into single user mode, first restart the box. Then you will see "Type any character to enter command mode." You now have 5 seconds to press any key. After pressing any key type "boot -s" to enter single user mode.
When it boots into single user mode it will ask for the shell; just press "enter" to accept the default "sh".
Change Password in IPSO 3.5 and Higher: run "/etc/overpw" from the single user shell and follow the prompts to change the password. Type "reboot" to boot into multi-user mode, then go into Voyager and change to a permanent password.

Cisco VPN Troubleshooting Guide
Cisco PIX 7.0 VPN Troubleshooting

Quick overview of IPSEC
It is important to understand how IPSEC works in order to understand how to troubleshoot a VPN connection. This is a quick overview of IPSEC and is by no means a complete detailed guide.
IPSEC is a suite of protocols, defined in RFC 2401, that is used to protect information as it travels from one private network to another private network over a public network. IPSEC consists of Security Protocols (AH and ESP), Key Management (ISAKMP, IKE, and SKEME), and Algorithms (3DES, AES256, etc).
Security Protocols consist of AH (Authentication Header) and ESP (Encapsulating Security Payload). AH communicates over IP protocol 51 and provides data authentication, integrity, and replay protection, but does not provide confidentiality. It is important to understand that AH encapsulates the IP packet but does not encrypt it. ESP communicates over IP protocol 50 and provides the same services as AH, in addition to providing data confidentiality by encrypting the original payload and encapsulating the packet.
ISAKMP communicates over UDP 500. ISAKMP defines the procedures and packet formats used to establish, negotiate, and modify Security Associations.
SAs (Security Associations): In order to have an IPSEC conversation, you first need a security association. The SA represents a unidirectional instance of a security policy for a given connection. Each device must agree on the policies or rules of the conversation by negotiating these policies with its potential peers.

Main mode IPSEC packet exchange:
--Initiator--                                     --Responder--
      ---------- pk#1 Policy Proposal ---------->
      <--------- pk#2 Policy Accept/Reject ------
      ---------- pk#3 DH Exchange -------------->
      <--------- pk#4 DH Exchange ---------------
      ---------- pk#5 ID/Hash ------------------>
      <--------- pk#6 ID/Hash -------------------

Packet handling order:
Step 1: Access lists applied to an interface and crypto map are used by Cisco IOS software to select interesting traffic to be encrypted.
Step 2: Cisco IOS software checks to see if IPSec SAs have been established.
Step 3: If the SA has already been established by manual configuration using the crypto ipsec transform-set and crypto map commands, or has been previously set up by IKE, the packet is encrypted based on the policy specified in the crypto map and is transmitted out of the interface.
Step 4: If the SA has not been established, Cisco IOS software checks to see if an IKE SA has been configured and set up.
Step 5: If the IKE SA has been set up, the IKE SA governs negotiation of the IPSec SA as specified in the IKE policy configured by the crypto isakmp policy command, the packet is encrypted by IPSec, and it is transmitted.
Step 6: If the IKE SA has not been set up, Cisco IOS software checks to see if a certification authority (CA) has been configured to establish an IKE policy.
Step 7: If CA authentication is configured with the various crypto ca commands, the router uses public and private keys previously configured, obtains the CA's public certificate, gets a certificate for its own public key, and then uses the key to negotiate an IKE SA, which in turn is used to establish an IPSec SA to encrypt and transmit the packet.

Configuring Phase 1:
The first 2 octets of IPs have been replaced with "y".
Phase I is not configured on a per connection basis. When a Phase I connection is being established, the configured ISAKMP policies will be tried one at a time until a match is found. Example of an ISAKMP policy:
#isakmp policy 20 authentication pre-share
#isakmp policy 20 encryption 3des
#isakmp policy 20 hash md5
#isakmp policy 20 group 2
#isakmp policy 20 lifetime 43200

Troubleshooting Phase I:
Check the syslogs.
show run isakmp - This will show the isakmp policies for all VPN connections. To view a specific ISAKMP policy type show run isakmp | grep <policy number>.
show vpn-sessiondb detail l2l
show crypto isakmp sa detail - This command will display the state of Phase I of the IPSEC tunnel. A state of MM_ACTIVE indicates that Phase I was successfully completed. If Phase I does not complete, refer to the table below to find out exactly what state the Phase I connection is currently in. This will give you an indication of where the problem has occurred. More specific information can be found by running a debug (discussed later).

State - Description
OAK_MM_NO_STATE - This is the initial state of Phase I. If you see Phase I in this state for longer than a few seconds, this is an indication that a failure of tunnel establishment for Phase I has occurred.
OAK_MM_SA_SETUP - The peers have agreed on parameters for the ISAKMP SA. Phase I will be in this state after the packet 1 and packet 2 exchange of the Main Mode negotiation (see above).
OAK_MM_KEY_EXCH - The peers have exchanged DH public keys and have generated a shared secret.
OAK_MM_KEY_AUTH - The ISAKMP SA has been authenticated.
MM_WAIT_MSG - The firewall is waiting on the remote end device to respond (for example with its DH public key).

Debug: the debug crypto isakmp 5 command will display real-time information on every step of the Phase I connection. Please note that you cannot limit the debug output to a specific tunnel. Debug level 5 should be sufficient for most troubleshooting; however, level 7 provides more detailed information if necessary.

Sample debug output:
The following shows the initiation of the first packet for an IPSEC tunnel:
5|Oct 02 2006 09:41:41|713904: IP = y.y.41.49, IKE Initiator: New Phase 1, Intf 2, IKE Peer y.y.41.49
The following indicates that the IKE Phase I policy was accepted by the remote gateway:
58534 02/27/2004 07:42:38.600 SEV=4 IKE/41 RPT=8619 y.y.11.12
Group = y.y.11.12, IP = y.y.11.12, Oakley proposal is acceptable
This indicates Phase I has completed:
58534 02/27/2004 07:42:38.600 Group = y.y.11.12, IP = y.y.11.12, Oakley begin quick mode
Syslog sample of a completed connection:
Mar 10 2008 18:47:05: %PIX-3-713119: Group = y.y.250.49, IP = y.y.250.49, PHASE 1 COMPLETED
The following indicates that the remote gateway has indicated that none of the policies are acceptable:
Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
IKMP_NO_ERROR_NO_TRANS indicates a matching transform set was not found. No Proposal Chosen = isakmp policy mismatch.

To clear the Security Associations related to Phase 1, use the clear crypto isakmp command. This will clear ALL of the SAs currently built on this firewall.

To confirm that the IPSEC packets are reaching the firewall, a capture can be created for all UDP 500 traffic. First create an access-list for the traffic you would like to capture:
access-list capture1 permit udp any any eq 500
Next create a capture:
capture cap1 access-list capture1 interface outside
Next display the results of the capture:
ciscoasa# show capture cap1 detail
1: 13:04:06.284897 192.168.1.50 > 192.168.11.1: UDP:500 ...
View the capture on the web: https://<ASA address>/capture/cap1/pcap
View pre-shared keys: more system:running-config
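The policy walk described above (policies tried one at a time until one matches, NO_PROPOSAL_CHOSEN otherwise) can be modelled to check a peer's proposal against a config before touching the box. The following is an added example in Python, not code from the guide or from Cisco. The policy 20 lines are the example above; policy 10 and the peer proposals are constructed, and the lifetime rule (shorter of the two wins, lifetime not part of the match) is the documented Cisco behaviour.

```python
"""Model how an ASA walks its ISAKMP policies against a peer's Phase I proposal.

Added example, not from the original guide. Policies are tried in ascending
priority number; the first policy whose encryption/hash/authentication/group
all equal a proposed transform wins, and the shorter lifetime is used. No match
at all is what the peer reports as NO_PROPOSAL_CHOSEN.
"""
NEGOTIATED = ("encryption", "hash", "authentication", "group")
DEFAULT_LIFETIME = 86400  # ASA default when a policy sets no lifetime


def parse_isakmp_policies(config):
    """Parse 'isakmp policy <n> <attr> <value>' lines into {n: {attr: value}}."""
    policies = {}
    for line in config.splitlines():
        parts = line.strip().lstrip("#").split()
        if len(parts) == 5 and parts[:2] == ["isakmp", "policy"]:
            policies.setdefault(int(parts[2]), {})[parts[3]] = parts[4]
    return policies


def select_policy(policies, proposals):
    """Return (policy number, negotiated attrs) or None when nothing matches.

    Each transform the peer proposed is checked, in the order proposed, against
    every local policy in ascending priority number.
    """
    for proposal in proposals:
        for number in sorted(policies):
            policy = policies[number]
            if all(policy.get(k) == proposal.get(k) for k in NEGOTIATED):
                negotiated = {k: policy[k] for k in NEGOTIATED}
                negotiated["lifetime"] = min(int(policy.get("lifetime", DEFAULT_LIFETIME)),
                                             int(proposal.get("lifetime", DEFAULT_LIFETIME)))
                return number, negotiated
    return None


def explain(policies, proposals):
    """One-line verdict in the vocabulary of the debug output above."""
    result = select_policy(policies, proposals)
    if result is None:
        return "NO_PROPOSAL_CHOSEN: isakmp policy mismatch, no local policy matches any proposed transform"
    number, attrs = result
    return f"Oakley proposal is acceptable: policy {number}, lifetime {attrs['lifetime']}s"


# Policy 20 is the example from the guide; policy 10 is constructed.
SAMPLE_CONFIG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 43200
"""

# Constructed peer proposals: a Check Point-style 3DES/MD5 offer, and a SHA variant.
PEER_3DES_MD5 = {"encryption": "3des", "hash": "md5", "authentication": "pre-share", "group": "2", "lifetime": "86400"}
PEER_3DES_SHA = {"encryption": "3des", "hash": "sha", "authentication": "pre-share", "group": "2", "lifetime": "86400"}

if __name__ == "__main__":
    policies = parse_isakmp_policies(SAMPLE_CONFIG)
    print(explain(policies, [PEER_3DES_MD5]))
    print(explain(policies, [PEER_3DES_SHA]))
```

The second run is the "hash mismatch" that produces the NO_PROPOSAL_CHOSEN line above even though encryption, group and authentication agree; the negotiated lifetime in the first run is 43200 because the local policy is shorter than the peer's 86400, which is exactly the seconds-versus-minutes mistake the Check Point notes warn about.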

Configuring Phase 2:
A transform set combines an encryption method and an authentication method. During the IPSec security association negotiation with ISAKMP, the peers agree to use a particular transform set to protect a particular data flow. You can create multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. If the desired transform set has not been previously defined, the crypto ipsec transform-set command is used to create it. You can view previously created transform sets by typing the show crypto ipsec transform-set command. The transform set must be the same for both peers. Example:
#(config) crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac

An access-list is used to define the "interesting traffic", the traffic that should be encrypted and allowed through the VPN tunnel. The access-list should always be defined from local to remote. The subnet sizes need to match (mirrored) on the remote gateway. If port filtering is being used, the destination port of the remote host must be the source port of the local matching ACL. Example:
#(config) access-list tunnel1 extended permit ip y.y.155.0 255.255.255.0 host 10.4.45.1

A tunnel group is used to identify specific connection parameters and the definition of a group policy. The default tunnel groups are DefaultRAGroup (used for Remote Access tunnels) and DefaultL2LGroup (used for IPSec LAN-to-LAN tunnels). Example:
#(config) tunnel-group y.y.4.1 type ipsec-l2l
#(config) tunnel-group y.y.4.1 ipsec-attributes
#(config-tunnel-ipsec) pre-shared-key abc123

The crypto map ties together several components that define the VPN tunnel. This is where the peer defined in the tunnel-group command is tied to the access-list and transform-set. The crypto map must be assigned a unique map id number. To view the previously used crypto map id numbers run the show run crypto command. Example:
#(config) crypto map mymap 10 match address tunnel1
#(config) crypto map mymap 10 set peer y.y.4.1
#(config) crypto map mymap 10 set transform-set 3desmd5

NAT considerations: If a local address is going to be NATted outbound, the crypto ACL should use the outside (translated) IP address.

Troubleshooting Phase II:
Check syslogs.
show crypto ipsec sa - This command shows the IPSEC SAs. The SA will include the IP address of the local and remote endpoints, the transform set (what encryption and hash is being used), the encryption domains (interesting traffic), the key lifetime, and the number of packets encrypted/decrypted.
debug crypto engine - Displays the traffic that is encrypted.

Example of an IPSEC SA (annotated):
This shows the crypto map used for this connection:
Crypto map tag: vpn_map, seq num: 130, local addr: x.x.190.80
The following line shows the crypto ACL that includes the traffic to be protected:
  access-list VPN-CIDS704976 permit ip x.x.160.0 255.255.254.0 host 10.4.45.80
This lists the local and remote endpoints:
  local ident (addr/mask/prot/port): (x.x.160.0/255.255.254.0/0/0)
  remote ident (addr/mask/prot/port): (10.4.45.80/255.255.255.255/0/0)
  current_peer: y.y.227.136
Encrypts indicate that this side is encrypting and sending traffic. Decrypts indicate that the other side is sending traffic, i.e. traffic is being initiated from the remote side. Here 5 packets were encrypted and none decrypted, so nothing is coming back from the peer:
  #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
  #send errors: 0, #recv errors: 0
  local crypto endpt.: x.x.190.80, remote crypto endpt.: y.y.227.136
  path mtu 1500, ipsec overhead 74, media mtu 1500
  current outbound spi: 2AFEA5C7
There is a separate SA for inbound and outbound:
  inbound esp sas:
    spi: 0x9D111D2A (2635144490)
      transform: esp-aes-256 esp-sha-hmac none
      in use settings ={L2L, Tunnel, PFS Group 5, }
      slot: 0, conn_id: 317225, crypto-map: vpn_map
      sa timing: remaining key lifetime (kB/sec): (4275000/28789)
      IV size: 16 bytes
      replay detection support: Y
  outbound esp sas:
    ...

160.63.500 Group = 172.43. etc.255 Jan 26 2009 18:57:54: %ASA-6-713213: Group = y. The decapsulated inner packet doesn't match the negotiated policy in the SA.92 Transmitting Proxy Id: Remote host: 192. These tables hold all state information on the firewall. debug crypto ipsec—Displays the IPSec negotiations of phase 2. Connection landed on tunnel_group y.12.y.y. This could i ndicate a pre-shared key mismatch.1.255.172.255.240/0/0 and its remote_proxy as y.250.194. } slot: 0. No Valid SA/ Identity mismatch – Transform set or crypto acl Sample Debug output: The following shows that the tunnel group configuration was found.1.8.51. mess id 0x518e80d)! QM FSM is a generic message indicating that the phase II connection was rejected by the remote peer.y.205.255. This indicated that the remote peer is natting: %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x72DEC2AA. IP = y.172. ACL does not match proxy IDs src:192.12. address: 192.63. IP =y.178) to y.1 Protocol 0 Port 0 Local host: 10. Received an un-encrypted PAYLOAD_MALFORMED notify message.16.172.255.178.63.0 PFS mismatch: 713068: Group – 172.1. IP = 172.63.5.205. IP = 172.205.51. conn_id: 317225. mask: 255.41. 1949 11/29/2001 16:20:18.172.172.43.16.y43. PFS Group 5. mask: 255.255.y.spi: 0x2AFEA5C7 (721331655) transform: esp-aes-256 esp-sha-hmac none in use settings ={L2L.y.205.2.63.172.16/255.172. Local peer reports the following: 713902.9 Protocol 0 Port 0 Completion of Phase II. sequence number= 0x41) from y. including connections. The packet specifies its destination as y.16. dropping.83.83. and its protocol as 1.1 Error processing payload.1. address: 192. Group = 10. IP = y. The SA specifies its local proxy as y. dropping 713048: IP = 10. Outbound SPI = 0xb17718a5 Mar 10 2008 18:47:05: %PIX-5-713120: Group = y.63. 
crypto-map: vpn_map sa timing: remaining key lifetime (kB/sec): (4274999/28789) IV size: 16 bytes replay detection support: Y Clear crypto ipsec sa peer will clear the Phase 2 SA‘s for a given peer.5.10.500 SEV=7 IKEDBG/0 RPT=546 y. Tunnel. February 28.12. seq = 10. VPNS.255.160.160.168.y.168.16. Deleting static route for L2L peer that came in on a dynamic map. QM FSM error (p2 struct &0x296fde8. Adding static route for L2L peer coming in on a dynamic map.0 dst:192. IP = y.500 Group = y. its source as y.10.y.0/255.16.63.64.194..y.y.168. 1754 11/29/2001 16:20:18.500 Group = 172. Inbound SPI = 0x11a56495.92.1.28.28. Pre-shared key mismatch reported by the report peer(receiving peer): :713903: Group = 172. nats.y.y.0/0/0.28.8. Received non-rouing Notify message.63.500 Group =y.92 Sample syslog errors: This shows interesting traffic ACL getting exchanged. Received non-routine Notify message: No Proposal Chosen Transform-set mismatch on remote peer(receiving peer): 713904‖ IP = 10. IP = y.41. 1754 11/29/2001 16:20:18.250.y.y. 1754 11/29/2001 16:20:18. Static Crypto Map check. 1754 11/29/2001 16:20:18.63. .540 SEV=4 IKE/49 RPT=3 y.y43.178 (user= y. Received encrypted packet with no matching SA.y.160. PHASE 2 COMPLETED (msgid=0f78e513) Pre-shared key mismatch.y. map = mymap.16.y. Oct 26 15:42:43 [IKEv1]: IP =y. Payload ID 1 The following indicates that the remote gateway is not finding matching interesting traffic.1 ERROR.168.168. No Proposal chosen (14) PFS turned on on the remote peer. 1754 11/29/2001 16:20:18. Received non-routing Notify message: Invalid ID info (18) The following indicates that the local gateway is not finding matching interesting traffic.1.92 Security negotiation complete Responder. peer has indicated that something is wrong with our message.172.51.255. 2009 Checkpoint Tables and the FW Tab Command The fw tab command displays the contents of the INSPECT tables. Transform-set mismatch.255. IP = 172.1.16.y.1.255 Saturday.y. 
When reverse route is turned on: Jan 26 2009 18:15:07: %ASA-6-713211: Group =y.1.y.
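Returning to the Cisco syslog messages above: the message texts map to a small set of causes (pre-shared key mismatch, no valid SA, proposal/PFS mismatch, proxy-ID mismatch, NAT inside the tunnel). The following added example, which is not code from the original page or from Cisco, turns those mappings into a small classifier that can be run over an ASA/PIX syslog export. The sample lines are constructed (documentation IP ranges, message texts as quoted above); the category names and "action" hints are the author's own, not ASA identifiers.

```python
"""Classify Cisco ASA/PIX IKEv1 syslog and debug lines into the failure causes
listed above.  Added example; sample lines are constructed, not captured."""
import re
from collections import Counter

# Ordered rules: (regex on the message text, category, what to check).
# First match wins.  Patterns are the message texts quoted in this section.
RULES = [
    (r"PHASE 2 COMPLETED",                          "phase2-ok",
     "tunnel is up"),
    (r"PHASE 1 COMPLETED",                          "phase1-ok",
     "ISAKMP SA is up"),
    (r"PAYLOAD_MALFORMED|Error processing payload", "psk-mismatch?",
     "compare the pre-shared keys under tunnel-group ipsec-attributes"),
    (r"no matching SA",                             "no-valid-sa",
     "transform-set or crypto ACL mismatch on the remote peer"),
    (r"No Proposal Chosen",                         "proposal-mismatch",
     "check PFS and the transform-set on both peers"),
    (r"Invalid ID info",                            "proxy-id-mismatch",
     "remote peer has no matching interesting-traffic ACL"),
    (r"ACL does not match proxy IDs",               "proxy-id-mismatch",
     "local crypto ACL does not match the proxy IDs the peer sent"),
    (r"QM FSM error",                               "phase2-rejected",
     "remote peer rejected Quick Mode; check its logs"),
    (r"decapsulated inner packet doesn't match",    "policy-mismatch",
     "remote peer may be NATting traffic entering the tunnel"),
    (r"(Adding|Deleting) static route for L2L",     "rri-info",
     "reverse route injection event (informational)"),
]

MSG_ID = re.compile(r"%(?:ASA|PIX)-(\d)-(\d{6}):")
PEER_PATTERNS = [
    re.compile(r"IP\s*=\s*([0-9.]+)"),           # "IP = x.x.x.x" field
    re.compile(r"from\s+([0-9.]+)\s+\(user="),   # 402116 style "from x (user= x)"
]

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
Oct 02 2006 09:41:41: %ASA-3-713048: IP = 203.0.113.1, Received an un-encrypted PAYLOAD_MALFORMED notify message, dropping
Oct 02 2006 09:41:41: %ASA-3-713903: Group = 203.0.113.1, IP = 203.0.113.1, Error processing payload: Payload ID: 1
Oct 02 2006 09:42:10: %ASA-3-713068: Group = 198.51.100.7, IP = 198.51.100.7, Received non-routine Notify message: No proposal chosen (14)
Oct 02 2006 09:42:31: %ASA-5-713120: Group = 198.51.100.7, IP = 198.51.100.7, PHASE 2 COMPLETED (msgid=0f78e513)
Oct 02 2006 09:43:02: %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x72DEC2AA, sequence number= 0x41) from 192.0.2.9 (user= 192.0.2.9) to 198.51.100.80. The decapsulated inner packet doesn't match the negotiated policy in the SA.
Oct 02 2006 09:43:05: %ASA-6-713211: Group = 198.51.100.7, IP = 198.51.100.7, Adding static route for L2L peer coming in on a dynamic map. address: 10.9.9.0, mask: 255.255.255.0
Static Crypto Map check, map = mymap, seq = 10, ACL does not match proxy IDs src:192.168.1.0 dst:192.168.2.0
"""


def peer_of(line):
    """Extract the peer address, or None for debug lines that carry none."""
    for pattern in PEER_PATTERNS:
        m = pattern.search(line)
        if m:
            return m.group(1)
    return None


def classify(line):
    """Return a dict describing a VPN event line, or None for unrelated lines."""
    for pattern, category, action in RULES:
        if re.search(pattern, line, re.IGNORECASE):
            m = MSG_ID.search(line)
            return {
                "msg_id": m.group(2) if m else None,
                "severity": int(m.group(1)) if m else None,
                "peer": peer_of(line),
                "category": category,
                "action": action,
            }
    return None


def summarize(log_text):
    """Count (peer, category) pairs across the whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        event = classify(line)
        if event:
            counts[(event["peer"], event["category"])] += 1
    return counts


def peers_needing_attention(log_text):
    """{peer: last failure category} for peers whose most recent event is a
    failure rather than a completed phase or an informational route event."""
    last = {}
    for line in log_text.splitlines():
        event = classify(line)
        if event and event["peer"]:
            last[event["peer"]] = event["category"]
    return {p: c for p, c in last.items()
            if not c.endswith("-ok") and c != "rri-info"}


if __name__ == "__main__":
    for (peer, category), n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(f"{peer!s:16} {category:18} {n}")
    for peer, category in peers_needing_attention(SAMPLE_LOG).items():
        action = next(a for _, c, a in RULES if c == category)
        print(f"ATTENTION {peer}: {category} -> {action}")
```

Because the "IP =" field is absent from 402116 messages, the peer is taken from the "from x (user= x)" text there; debug lines such as the Static Crypto Map check carry no peer at all and only show up in the summary.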

The following options are commonly used:
  -s          provides a summary of the tables
  -t tname    only displays the requested table
  -x tname    deletes all entries in the specified table
  -d          debug mode
  -all        all tables

Useful tables:

host_table
The host_table holds the IP addresses of internal machines protected by the VPN-1/FireWall-1 NG Enforcement Module. The table only exists where the VPN-1/FireWall-1 license is limited. The maximum number of entries in this table is the licensed number of internal machines.
  EXAMPLE
  attributes: keep, hashsize 512, limit 25000, free function 40550248 0
  <0a010104, 00000e10, 00000017, 000000c3>

fwx_alloc
The fwx_alloc table holds information about the allocation of ports for the translated packets. Entries use the following format:
  <0, hiding IP address, first high port used, next high port to be allocated>
The first field is a space holder and is always 0. The first high port to be used is always 10000.
  EXAMPLE
  attributes: expires 300, refresh, keep
  <00000000, c7cb47e3, ...; 286/300>

fwx_cntl_dyn_tab
The fwx_cntl_dyn_tab table holds information about the allocated IP addresses from the IP Pool of the Enforcement Module, and the connections using the IP addresses.

fwx_auth
The fwx_auth table holds the original information (IP protocol, destination IP and port) of a folded connection, so that the Security Server will know the original destination IP and port of the connection.

arp_table
The arp_table holds the IP addresses for which the machine is willing to proxy ARP. If the IP addresses that the machine is to resolve are specified in local.arp, this table can be used to check that the IP addresses were correctly specified. Proxy ARP is sometimes required when using NAT. The automatic ARP feature also uses this table to cause the machine to resolve translated IP addresses.
Entry format:
  1. IP address (name resolving may occur).
  2. MAC address of the gateway machine interface that will answer ARP requests for the IP address.
  3. Name of the gateway interface that will proxy ARP for IP addresses.
  4. Interface name (optional).
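fw tab prints every field as a 32-bit hexadecimal word, so reading a hide-NAT allocation such as the fwx_alloc entry above means converting the second field to a dotted quad and the port fields to decimal. The following added example (the author's own, not Check Point code) parses the header and entry lines of a fw tab dump and decodes fwx_alloc entries using the <0, hiding IP, first high port, next high port> layout described above. The dump is constructed, the port values in it are assumed, and the "n/m" value after the semicolon is interpreted as the entry's timer (remaining/expires seconds), which is an assumption based on the 286/300 shown above.

```python
"""Decode the hexadecimal fields of fw tab entries.  Added example, not Check
Point code; the dump below is constructed."""
import re

# One entry: "<f1, f2, ...>" optionally followed by "; remaining/expires".
ENTRY_RE = re.compile(r"<([0-9a-fA-F ,]+?)(?:;\s*(\d+)/(\d+))?>")
HEADER_RE = re.compile(r"-+\s*(\S+)\s*-+$")

# Constructed sample dump (port fields are assumed values).
FW_TAB_OUTPUT = """\
localhost:
-------- fwx_alloc --------
dynamic, id 8141, attributes: expires 300, refresh, keep, limit 25000, hashsize 512
<00000000, c7cb47e3, 00002710, 00002a1f; 286/300>
<00000000, c7cb47e3, 00002710, 00002712; 12/300>
"""


def hex_to_ip(value):
    """32-bit value as printed by fw tab -> dotted quad (0a010104 -> 10.1.1.4)."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_attributes(text):
    """'expires 300, refresh, keep' -> {'expires': 300, 'refresh': True, ...}"""
    attrs = {}
    for token in text.split(","):
        parts = token.split()
        if not parts:
            continue
        if len(parts) == 2 and parts[1].isdigit():
            attrs[parts[0]] = int(parts[1])
        else:
            attrs[" ".join(parts)] = True
    return attrs


def parse_fw_tab(output):
    """Parse one table from 'fw tab -t <name>' style output."""
    table = {"name": None, "kind": None, "id": None, "attributes": {}, "entries": []}
    for raw in output.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            table["name"] = m.group(1)
            continue
        if "attributes:" in line:
            head, _, attr_text = line.partition("attributes:")
            table["kind"] = "dynamic" if head.startswith("dynamic") else "static"
            idm = re.search(r"\bid (\d+)", head)
            table["id"] = int(idm.group(1)) if idm else None
            table["attributes"] = parse_attributes(attr_text)
            continue
        for em in ENTRY_RE.finditer(line):
            fields = [int(f, 16) for f in em.group(1).split(",")]
            timer = (int(em.group(2)), int(em.group(3))) if em.group(2) else None
            table["entries"].append({"fields": fields, "timer": timer})
    return table


def decode_fwx_alloc(entry):
    """Apply the fwx_alloc layout: <0, hiding IP, first high port, next high port>."""
    placeholder, hiding_ip, first_port, next_port = entry["fields"]
    if placeholder != 0:
        raise ValueError("first field of an fwx_alloc entry must be 0")
    return {
        "hiding_ip": hex_to_ip(hiding_ip),
        "first_high_port": first_port,
        "next_high_port": next_port,
        "ports_allocated": next_port - first_port,  # how far into the pool we are
        "timer": entry["timer"],
    }


if __name__ == "__main__":
    table = parse_fw_tab(FW_TAB_OUTPUT)
    print(table["name"], table["kind"], table["id"], table["attributes"])
    for entry in table["entries"]:
        print(decode_fwx_alloc(entry))
```

The ports_allocated figure is the reason to decode these entries at all: watching how far the next high port has advanced from 10000 for a hiding address is a cheap way to spot a hide-NAT port pool running towards exhaustion.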

sam_blocked_ips
All IP and network addresses that were stipulated in SAM requests, with a requests counter for each prototype of filter that is enforced over each certain IP and network address, are shown in sam_blocked_ips. Note that overshadowed requests are also accounted for.
  EXAMPLE
  -------- sam_blocked_ips --------
  dynamic, attributes: keep, hashsize 512
  <05050505, 00000000, 00000000>

host_ip_addrs
The host_ip_addrs table contains the list of IP addresses in the VPN-1/FireWall-1 NG Enforcement Module.

fwx_ip_lookup_tab
The fwx_ip_lookup_tab table holds information used for IP Pool allocation queries.

forbidden_tab
Each embedded VPN-1/FireWall-1 system has a feature that indicates how many hosts can be located 'behind' it. The number of hosts can be set to unlimited. This limitation is enforced in the Inspect code using the macro COUNT_HOST. COUNT_HOST records each packet that comes from the internal interface in a table until the limit is exceeded.
  EXAMPLE
  attributes: keep, limit 25000, hashsize 512

fwz_crypt_pending
The fwz_crypt_pending table is used to record a possibly encrypted connection that should obtain its encryption/decryption key. This table is accessed from the VPN kernel and the VPN daemon. The kernel can obtain a new key from this table, stored there by the daemon, if present. This table also passes error messages. The fwz_crypt_pending table is dynamic.
  ATTRIBUTES
  expires 3600, limit 25000, sync, keep, hashsize 512, kbuf 1 (id 8141)

IKE_SA_table
IKE SAs, which negotiated the key exchange with a trusted peer, are stored in IKE_SA_table. The IKE daemon tries to use a previously negotiated IKE SA. The table entries have four possible formats:
  - The top two formats are only used on SecuRemote.
  - Format 1 is used to store and retrieve the latest IKE SA.
  - All non-expired SAs are stored using format 2.
  - Table entries are used to conduct the IKE Quick Mode negotiation of an IPSEC_SA.
  - Entries are extracted from this table when the vpn daemon is trapped for IPSEC_SA renewal.
The IKE_SA_table is dynamic.

  KEYS
  PeerAddress        ipaddr      IKE peer address.
  Me                 ipaddr      On SecuRemote this is the IP address used by SecuRemote when it negotiated this IKE SA. The field is used to prevent using an old IKE SA negotiated before SecuRemote obtained a new IP address.
  CookieI            u_long [2]  Initiator cookie (8 bytes), host byte order.
  CookieR            u_long [2]  Responder cookie (8 bytes), host byte order.
  VALUES
  IKE_SA             kbuf        A kbuf storing the fwisakmp_sa structure.
  Flags              uint        Currently only 2 flags are defined: PEER_MOBILE and INITIATOR (whether we were initiator or responder). Used so the Enforcement Module does not need to retrieve the whole kbuf from the kernel if we only want to know whether this SA was established with a mobile user.
  RenegotiationTime  uint        Renegotiation time of the SA.
  EXAMPLE
  -------- IKE_SA_table --------
  dynamic, id 77, attributes: keep, sync, expires 3600, limit 25000, hashsize 512, kbuf 1, free function

Cisco AnyConnect sample config

  config t
  webvpn
   svc image disk0:/anyconnect-win-2.5.0343-k9.pkg 1
   ! this is a customized vpn profile; if the client does not need it, you can
   ! remove the following line and use the cisco default
   ! svc profiles VitalProf disk0:/vpn-vig-tdc.xml
   tunnel-group-list enable
   enable outside
   svc enable
  exit
  ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
  access-list vpnssl-split extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
  access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
  nat (inside) 0 access-list NONAT
  username userA password test123
  username userA attributes
   service-type remote-access
  exit
  username userB password test12345
  username userB attributes
   service-type remote-access
  exit
  group-policy SSLCLientPolicy internal
  group-policy SSLCLientPolicy attributes
   dns-server value 192.168.1.51 192.168.1.61
   wins-server value 192.168.1.51 192.168.1.61
   address-pools value SSLClientPool
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value vpnssl-split
   webvpn
    vpn-tunnel-protocol svc
    svc keep-installer installed
    !svc profiles value VitalProf
   exit
  sysopt connection permit-vpn
  tunnel-group SSLClientProfile type remote-access
  tunnel-group SSLClientProfile general-attributes
   default-group-policy SSLCLientPolicy
  tunnel-group SSLClientProfile webvpn-attributes
   group-alias SSLVPNClient enable
  exit
  wr mem
  wr stand

Debug command: sh vpn-sessiondb svc

Please note: the default license on the ASA for WebVPN / SSL VPN is only 2 sessions; you need to notify the client of this license limitation.

Viewing all hidden commands on a Cisco ASA

The "show parser dump all" command will display all valid commands, including undocumented commands. The full output of the command came out to over 300 pages in MS Word in 11 point font.

A few examples of hidden VPN commands are as follows:
  clear/show ipsec sa counters
  clear/show crypto ipsec sa map
  clear/show crypto protocol statistics ssl
  clear/show crypto protocol statistics ssh
  clear/show crypto protocol statistics srtp
  clear/show crypto protocol statistics other
  clear/show crypto protocol statistics all
  clear/show vpn-sessiondb statistics
  debug vpnlb
  debug vpn-sessiondb
  debug crypto isakmp timers
  debug crypto ca messages
  debug crypto condition peer subnet
  debug crypto condition peer
  debug crypto condition user
  debug crypto condition unmatched
  debug crypto condition isakmp error
  debug crypto condition ipsec error
  debug crypto condition isakmp

http://www.netleets.com/search/label/tcpdump

Encryption Failure: Packet Is Dropped as There Is No Valid SA

You might see this error message when both ends of the VPN do not have the same definition for the encryption domain. First ensure that both ends of the VPN are defined with the same encryption domain. If they are the same, you should create objects that are exactly the same size as what is created on the remote end.

One annoying behavior FireWall-1 NG exhibits that FireWall-1 4.1 and earlier did not is the automatic simplification of subnets in IPSec SAs. For example, if your encryption domain contains explicit objects for 192.168.0.0/24 and 192.168.1.0/24, Check Point would attempt to negotiate an IPSec SA with 192.168.0.0/23 instead of generating SAs based on the network objects you created. To eliminate this behavior, use dbedit to make the following changes on your management console (see FAQ 4.2 for details on editing objects_5_0.C):
  dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false
  dbedit> update properties firewall_properties
You must then reload the security policy for this change to take effect.
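The supernetting behaviour just described is easy to reproduce offline, and doing so shows exactly why the peer rejects the proposal: the local side offers 192.168.0.0/23 while the peer only knows two /24 objects, so the proxy IDs never line up. The following added example (the author's own, not Check Point code) models the local encryption domain, the simplification step and the comparison with the peer's explicit objects; Python's collapse_addresses is used here as an approximation of the gateway's "largest possible subnet" merge, which is an assumption about the exact algorithm.

```python
"""Model the ike_use_largest_possible_subnets behaviour and the proxy-ID
mismatch it causes.  Added example; collapse_addresses approximates the
gateway's subnet merge and is an assumption, not Check Point's algorithm."""
from ipaddress import ip_network, collapse_addresses


def proposed_subnets(encryption_domain, simplify=True):
    """Subnets the local gateway would put in its Quick Mode proposal.

    With simplify=True adjacent objects are merged into the largest possible
    supernet (NG default); with simplify=False the objects are used as defined
    (ike_use_largest_possible_subnets false)."""
    nets = [ip_network(n, strict=True) for n in encryption_domain]
    if simplify:
        nets = list(collapse_addresses(nets))
    return sorted(str(n) for n in nets)


def proxy_id_mismatches(local_domain, peer_domain, local_simplifies=True):
    """Compare the local proposal with the subnets the peer has configured.
    The peer is modelled as a gateway that does not simplify (e.g. a third
    party or a 4.1 box), so it expects the objects exactly as defined."""
    local = set(proposed_subnets(local_domain, local_simplifies))
    peer = set(proposed_subnets(peer_domain, simplify=False))
    return {
        "proposed_but_unknown_to_peer": sorted(local - peer),
        "expected_by_peer_but_not_proposed": sorted(peer - local),
    }


def tunnel_would_form(local_domain, peer_domain, local_simplifies=True):
    """True when both sides agree on every proxy ID."""
    mm = proxy_id_mismatches(local_domain, peer_domain, local_simplifies)
    return not mm["proposed_but_unknown_to_peer"] and not mm["expected_by_peer_but_not_proposed"]


if __name__ == "__main__":
    # Constructed encryption domains: two adjacent /24 objects on both sides.
    local = ["192.168.0.0/24", "192.168.1.0/24"]
    peer = ["192.168.0.0/24", "192.168.1.0/24"]
    print("NG default proposal  :", proposed_subnets(local))
    print("mismatches           :", proxy_id_mismatches(local, peer))
    print("after disabling merge:", tunnel_would_form(local, peer, local_simplifies=False))
```

Non-adjacent objects (10.1.0.0/24 and 10.3.0.0/24, say) are left alone by the merge, which is why the problem only surfaces for some encryption domains and not others.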

VPN Fails When Transferring Large Packets

Some applications set the Don't Fragment bit on certain packets. When Check Point creates the IPSec packet, the Don't Fragment bit from the original packet is maintained. When the IPSec headers are added to the already large packet, the packet requires fragmentation in order to pass through the firewall. Unfortunately, FireWall-1 creates a fragmented packet that has the Don't Fragment bit set, so it cannot be fragmented and thus gets dropped at the next router.

You can force FireWall-1 to clear the Don't Fragment bit by changing the ipsec_dont_fragment property in objects_5_0.C to false. You can do this with the following commands in dbedit on the management console (craig is the firewall in this example):
  dbedit> modify network_objects craig VPN:ipsec_dont_fragment false
  dbedit> update network_objects craig
Alternatively, you can use the GUIdbedit tool to change the parameter. Either way, you must then reinstall the security policy for this change to take effect.

Debugging Interoperability Issues with IKE

Everyone has a different interpretation of how to follow standards. As a result, when third-party products talk to one another, communication doesn't always work. One way to debug is to turn on IKE debugging. In FireWall-1 4.1, it was necessary to stop and restart FireWall-1 in order to enable debugging. In NG, you can enable this on the firewall module with a simple command: vpn debug ikeon. You can also disable it with vpn debug ikeoff. When you enable debugging, $FWDIR/log/ike.elg gets created. This file contains the results of all IKE negotiations that occur. This file is a little difficult to read on its own. Fortunately, Check Point has a tool called IKEView that allows you to view this file in a more readable form. Unfortunately, it is available only to Check Point Certified Service Partners.

Check Point Logging Troubleshooting Guide

Are the logs being sent to the manager?

Ok, so first of all: are the logs being sent to the SmartCenter Manager or the necessary Log Manager? We can check this by confirming whether the gateway is sending the log packets via the FW Log port tcp/257 on the gateway and the manager. To do this use either or both of the following commands:
  netstat -an | grep 257 - This will show the state of the TCP sockets.
  tcpdump -ni [interface name] port 257 - This will show a packet capture of the FW Log packets on the given interface.
If the gateway is not sending the logs then this can be down to one of the following issues:
  1. SIC is not established.
  2. The logging configuration for the gateway is not configured correctly.
  3. The SmartCenter/Log Manager is not listening on port tcp/257.
  4. There is an issue with FWD on the gateway. In some instances you may need to restart FWD via a cpstart.

Why are the logs not being displayed within SmartView Tracker?

Ok, so the manager is receiving the logs but you may still not see them within SmartView Tracker. This will be down to either the FWD (Firewall Daemon) or the log files being corrupted.

Log Files Corrupted

If the log files are corrupted you should expect to see no logs within SmartView Tracker, though the root cause could be down to a number of factors. If this is the case you will need to action the following steps:
  1. Close the Log Viewer/SmartView Tracker and Policy Editor/SmartDashboard.
  2. Execute the fwstop or cpstop command (depending on the version) from the command line.
  3. Remove all files starting with fw.log and fw.logptr from the $FWDIR/log directory.
  4. Execute the fwstart or cpstart command (depending on the version).
Full details can be found in Check Point's KB within Solution ID sk6432.

Only some of the logs are not being displayed

If only some of the logs are not being displayed then this could point to an issue with the trust between the manager and the gateway. To confirm the issue you will need to debug FWD using the following steps:
  root@cp-mgnt# fw debug fwd on TDERROR_ALL_ALL=5
  root@cp-mgnt# tail -f $FWDIR/log/fwd.elg
  root@cp-mgnt# tail -f $FWDIR/log/fw.elg | grep -i "Certificate is revoked"
  root@cp-mgnt# fw debug fwd off
Within these steps we first enable the debug. Then we run a live tail on the log file; the live tail allows us to view the end of the log file in real time. And then we run a grep on the live tail for a specific error. We finally turn off the debug.

Below is an example of an error with the SIC trust between the Gateway and Manager obtained from $FWDIR/log/fwd.elg:
  [FWD 2177 1]@cp-mgnt[22 Jan 14:47:32] fwCert_ValCerts: Certificate is revoked. CN=cp-fw1,O=cp-mgnt..bizt7z
  [FWD 2177 1]@cp-mgnt[22 Jan 14:47:41] fwCert_ValCerts: Certificate is revoked. CN=cp-fw2,O=cp-mgnt..bizt7z
In this instance resetting SIC would resolve this issue.

Troubleshooting Checkpoint ClusterXL

I recently came across an issue where SmartView Monitor showed an error for ClusterXL on a freshly rebuilt Checkpoint IP565 firewall. Both Synchronization and Filter were stuck in an initializing state. We tried the following troubleshooting steps initially to no avail:
  cphastop followed by cphastart
  cpstop followed by cpstart
  reboot of the affected firewall

On digging deeper we noticed that one of the firewall devices was configured to use multicast and one broadcast for cluster communications. This was identified using the command 'cphaprob -a if', which presents the following output:
  eth-s1p3c0 non sync(non secured)
  eth-s4p3c0 non sync(non secured)
  eth-s4p4c0 non sync(non secured)
  eth-s1p1c0 non sync(non secured)
  eth-s1p4c0 sync(secured), multicast
  eth-s1p2c0 non sync(non secured)
  eth-s4p1c0 non sync(non secured)
  eth-s4p2c0 non sync(non secured)
  Virtual cluster interfaces: 7
  eth-s1p3c0 xx.xx.xx.xx
  eth-s4p3c0 xx.xx.xx.xx
  eth-s4p4c0 xx.xx.xx.xx
  eth-s1p1c0 xx.xx.xx.xx
  eth-s1p2c0 xx.xx.xx.xx
  eth-s4p1c0 xx.xx.xx.xx
  eth-s4p2c0 xx.xx.xx.xx

Both firewalls must be configured to use the same method of communication, which can be changed using the command 'cphaconf set_ccp multicast' or 'cphaconf set_ccp broadcast'. Providing your switching infrastructure supports multicast you should use this mode, due to the performance overhead of broadcast communication.

This command failed to change the method of communication and left us with no other option than to perform the following steps:
  1. Set the Checkpoint packages as inactive, then delete them, ensuring that the Connectra package is removed first.
  2. Re-install the Checkpoint R65 IPSO Wrapper.
  3. Re-install HFA 70.
  4. Re-establish SIC via cpconfig and SmartDashboard.
  5. Unassign and re-assign the license via SmartUpdate.
  6. Push policy from SmartDashboard.
  7. We had to perform a reboot of the second device once this was completed, at which point both nodes of the cluster reported no ClusterXL errors.

After performing these steps the cluster CCP was back to multicast (bizarre really...). 'cphaprob list' showed the following output:
  # cphaprob list
  Registered Devices:
  Device Name: Synchronization
  Registration number: 0
  Timeout: none
  Current state: OK
  Time since last report: 213003 sec
  Device Name: Filter
  Registration number: 1
  Timeout: none
  Current state: OK
  Time since last report: 213003 sec
  Device Name: cphad
  Registration number: 2
  Timeout: 5 sec
  Current state: OK
  Time since last report: 0.7 sec
  Device Name: fwd
  Registration number: 3
  Timeout: 5 sec
  Current state: OK
  Time since last report: 0.5 sec

'fw ctl pstat' should also list the Sync as 'Able to Send/Receive sync packets':
  # fw ctl pstat
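The mixed multicast/broadcast CCP configuration above is the kind of thing that is obvious once you put the two members' 'cphaprob -a if' outputs side by side, and easy to miss otherwise. The following added example (the author's own, not Check Point code) parses that output from each member, extracts the CCP mode reported on the secured sync interface, and flags members that disagree. The sample for the first member follows the output shown above; the second member's output is constructed from it with the mode changed to broadcast.

```python
"""Compare 'cphaprob -a if' output across cluster members and report CCP
mode mismatches.  Added example, not Check Point code; samples constructed."""
import re

SYNC_RE = re.compile(r"^(\S+)\s+sync\(secured\),\s*(multicast|broadcast)\s*$")
NON_SYNC_RE = re.compile(r"^(\S+)\s+non sync\(non secured\)\s*$")
VIRTUAL_RE = re.compile(r"^Virtual cluster interfaces:\s*(\d+)$")

# Constructed after the output shown above (cluster IPs are documentation addresses).
MEMBER_A = """\
eth-s1p3c0 non sync(non secured)
eth-s4p3c0 non sync(non secured)
eth-s4p4c0 non sync(non secured)
eth-s1p1c0 non sync(non secured)
eth-s1p4c0 sync(secured), multicast
eth-s1p2c0 non sync(non secured)
eth-s4p1c0 non sync(non secured)
eth-s4p2c0 non sync(non secured)
Virtual cluster interfaces: 7
eth-s1p3c0 192.0.2.1
eth-s4p3c0 192.0.2.17
eth-s4p4c0 192.0.2.33
eth-s1p1c0 192.0.2.49
eth-s1p2c0 192.0.2.65
eth-s4p1c0 192.0.2.81
eth-s4p2c0 192.0.2.97
"""
# Second member: identical, except its sync interface runs CCP in broadcast mode.
MEMBER_B = MEMBER_A.replace("multicast", "broadcast")


def parse_cphaprob_if(output):
    """Return {'sync': {iface: mode}, 'non_sync': [iface...], 'virtual_count': n}."""
    info = {"sync": {}, "non_sync": [], "virtual_count": None}
    for raw in output.splitlines():
        line = raw.strip()
        m = SYNC_RE.match(line)
        if m:
            info["sync"][m.group(1)] = m.group(2)
            continue
        m = NON_SYNC_RE.match(line)
        if m:
            info["non_sync"].append(m.group(1))
            continue
        m = VIRTUAL_RE.match(line)
        if m:
            info["virtual_count"] = int(m.group(1))
    return info


def ccp_problems(members):
    """members: {member_name: cphaprob -a if output}.  Returns a list of
    findings; an empty list means the CCP configuration is consistent."""
    findings = []
    modes = {}
    for name, output in sorted(members.items()):
        info = parse_cphaprob_if(output)
        if not info["sync"]:
            findings.append(f"{name}: no secured sync interface reported")
            continue
        modes[name] = sorted(set(info["sync"].values()))
        if len(modes[name]) > 1:
            findings.append(f"{name}: sync interfaces disagree on CCP mode {modes[name]}")
    distinct = {mode for mode_list in modes.values() for mode in mode_list}
    if len(distinct) > 1:
        detail = ", ".join(f"{name}={'/'.join(mode_list)}" for name, mode_list in modes.items())
        findings.append("CCP mode differs between members: " + detail)
    return findings


if __name__ == "__main__":
    for finding in ccp_problems({"fw1": MEMBER_A, "fw2": MEMBER_B}) or ["CCP configuration consistent"]:
        print(finding)
```

Running the check on both members before and after 'cphaconf set_ccp' makes it obvious whether the change actually took, which is the point at which the page's author had to fall back to the rebuild steps listed above.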

  Machine Capacity Summary:
    Memory used: 14% (90MB out of 637MB) - below low watermark
    Concurrent Connections: 26% (17876 out of 67900) - below low watermark
    Aggressive Aging is in monitor only

  Hash kernel memory (hmem) statistics:
    Total memory allocated: 200278016 bytes in 48894 4KB blocks using 2 pools
    Initial memory allocated: 20971520 bytes (Hash memory extended by 179306496 bytes)
    Memory allocation limit: 536870912 bytes using 10 pools
    Total memory bytes used: 23487660 unused: 176790356 (88.27%) peak: 34170776
    Total memory blocks used: 7126 unused: 41768 (85%) peak: 9164
    Allocations: 1183931215 alloc, 0 failed alloc, 1183769860 free, 0 failed free

  System kernel memory (smem) statistics:
    Total memory bytes used: 250335916 peak: 300842432
    Blocking memory bytes used: 1865892 peak: 2596156
    Non-Blocking memory bytes used: 248470024 peak: 298246276
    Allocations: 160033475 alloc, 0 failed alloc, 160032829 free, 0 failed free
    External Allocations: 0 for packets, 0 for SXL

  Kernel memory (kmem) statistics:
    Total memory bytes used: 73389696 peak: 101169940
    Allocations: 1184023246 alloc, 0 failed alloc, 1183678473 free, 0 failed free

  Kernel stacks:
    0 bytes total, 0 bytes stack size, 0 stacks, 0 peak used, 0 max stack bytes used, 0 min stack bytes used, 0 failed stack calls

  INSPECT:
    1029526467 packets, -2128289516 operations, 373013811 lookups, 2035 record, 183665476 extract

  Cookies:
    -1649393933 total, 0 alloc, 0 free, 4607 dup, -1525329462 get, 138972711 put, -1565092568 len, 217535 cached len, 0 chain alloc, 0 chain free

  Connections:
    54513276 total, 52537755 TCP, 1898998 UDP, 76506 ICMP, 17 other, 49485065 anticipated, 1 recovered, 17882 concurrent, 24286 peak concurrent

  Fragments:
    213594 fragments, 105472 packets, 389 expired, 0 short, 0 large, 0 duplicates, 0 failures

  NAT:
    23444077/0 forw, 29804768/0 bckw, 53234829 tcpudp, 14016 icmp, 702040-723136 alloc

  Sync:
    Version: new
    Status: Able to Send/Receive sync packets
    Sync packets sent:
      total : 78286072, retransmitted : 16171, retrans reqs : 8840, acks : 3
    Sync packets received:
      total : 17030603, were queued : 16591, dropped by net : 15
      retrans reqs : 20, received 3 acks
      retrans reqs for illegal seq : 0
      dropped updates as a result of sync overload: 0

Check Point Firewall-1

Useful Firewall-1 command line utilities:
  Unload current security policy: fw unloadlocal
  VPN tunnel command line access (e.g. delete SAs): vpn tu
  Display overlapping VPN encryption domains: vpn overlap_encdom [communities|traditional]
  List current firewall interfaces: fw ctl iflist
  Show HA / ClusterXL state: cpstat ha ; cphaprob state
  Stop/start Checkpoint HA/ClusterXL: cphastop / cphastart
  Display state of Checkpoint HA interfaces: cphaprob -a if
  Manually failover:
    cphaprob -d STOP -s problem -t 0 register
    cphaprob list
    cphaprob -d STOP unregister
  Display state of ClusterXL IGMP:
    cphaprob stat (notifies whether IGMP membership is supported)
    cphaprob igmp (displays the current IGMP membership settings)

SmartCenter backup and restore:
  upgrade_export
  $FWDIR/bin/upgrade_tools/upgrade_import
Check whether licensed for management high availability (Management HA): cplic check mgmtha

SecurePlatform

SecurePlatform configuration commands:
  Configure interfaces, routes etc: sysconfig
  Add static routes:
    config route add dest 192.168.2.0/24 via 192.168.1.1 dev eth0 metric 0 s-persistant on apply on
  Configure network interfaces:
    config conn help
    config conn set name eth1 type eth onboot on iff-up on local 192.168.1.2/24 broadcast 192.168.1.255 s-persistant on s-code up mtu 1500
  Configure bonded network interfaces (NIC team, 2 physical, 1 logical interface):
    config conn add name bond0 type bond onboot on iff-up on mtu 1500 bond-mode active-backup bond-miimon 100 bond-downdelay 200 bond-updelay 200 bond-primary eth1 local 192.168.1.2/24
    config conn add name eth1 type eth onboot on iff-up on mtu 1500 master-bond bond0
    config conn add name eth4 type eth onboot on iff-up on mtu 1500 master-bond bond0

Useful SecurePlatform command line utilities:
  Enter OS commands: expert
  Assign interfaces to the correct physical NICs (edit /etc/sysconfig/ethtab):
    [Expert@FIREWALL]# cat ethtab
    eth0 00:21:5A:27:DC:E6
    eth1 00:21:5A:27:DC:E4
    eth2 00:1F:29:5C:82:F5

  Set kernel parameters (edit $FWDIR/boot/modules/fwkern.conf):
    fwha_mac_magic=0x11
    fwha_mac_forward_magic=0x10
    fwha_monitor_if_link_state=1
    fwha_enable_igmp_snooping=1
    fwha_igmp_version=2
  Flag disconnected NICs: echo eth6 >> $FWDIR/conf/discntd.if
  Show status of bonded network interfaces: cphaconf show_bond -a
  Display versions:
    SPLAT: ver
    Firewall: fw ver
    Performance Pack: sim ver -k
    Linux: uname -a
  Change shell to permit WinSCP connection: usermod -s /bin/bash fwadmin
  Change shell timeout (cpshell): idle mm, where mm = timeout in minutes (permanent change; updates /etc/cpshell/cpshell.state and is passed on to the expert shell)
  Change shell timeout (bash): TMOUT=ss ; export TMOUT, where ss = timeout in minutes
  Display the number of CPUs presented to the SecurePlatform OS: grep 'physical id' /proc/cpuinfo | wc -l
  Display the CoreXL CPU affinity: fw ctl affinity -l

Advanced Routing (gated) commands:

  ps -eaf | grep gated
  cpwd_admin list