Professional Documents
Culture Documents
VPN Troubleshooting For Checkpoint
VPN Troubleshooting For Checkpoint
REFFER: http://www.cpug.org/forums/vpns-virtual-private-networks/4764-vpntrouble-shooting.html
Basics:
IKE negotiation consists of two phases - Phase I (Main mode which is six packets) and
Phase II (Quick Mode which is three packets).
The
To enable debugging, you need to login to your firewall and enter the command "vpn debug on
Check Point have a tool called
IKEView.exe which parses the information of ike.elg into a GUI making this easier to view.
Note that another useful tool is "vpn debug on mon" which writes all of the IKE captured data into a file ikemonitor.snoop which you can open with wireshark or ethereal.
PHASE1:
negotiates encryption methods (DES/3DES/AES etc), the key length, the hash Algorithm (MD5/SHA1) and
creates a key to protect the messages of the exchange .
It does this in 5 stages:
1. Peers Authenticate using Certificates or a pre-shared secret.
2. Each peer generates a private Diffie-Hellman key from random bits and from that derives a DH public key. These are then exchanged.
3. Each peer generates a shared secret from its private key and its peers public key, this is the DH key.
4. The peers exchange DH Key material (random bits and mathematical data) and methods for PhaseII are agreed for encryption and integrity.
5. Each side generates a symmetric key (based upon the DH key and key material exchanged).
>MM Packet 1
>Security Association
>Prop1 PROTO_ISAKMP
>Tran1 KEY_IKE
proposed Encryption Algorithm, Key Length, Hash Algorithm, Authentication Method, DH Group, and SA
renegotiation params (life type - usually secs and duration).
You should then be able see the
If your
encryption fails in Main Mode Packet 1, then you need to check your VPN communities.
Packet 2 ( MM Packet 2 in the trace ) is from the responder to agree on one encryption and hash algorithm
Packets 3 and 4 arent usually used when troublshooting. They perform key exchanges and include a large number called a NONCE. The NONCE is a set of never before used random numbers
sent to the other part, signed and returned to prove the parties identity.
Packets 5 and 6 perform the authentication between the peers. The peers IP address shows in the ID field under MM packet 5. Packet 6 shows that the peer has agreed to the proposal and has
authorised the host initiating the key exchange.
If your encryption fails in Main Mode Packet 5, then you need to check the authentication - Certificates or preshared secrets
Phase II
IPSec Security Associations (SAs) are negotiated, the shared secret key material used for the SA is determined and there is an
additional DH exchange.
Phase II failures are generally due to a misconfigured VPN domain.
1. Peers exchange key material and agree encryption and integrity methods for IPSec.
2. The DH key is combined with the key material to produce the symmetrical IPSec key.
Mode packet 1:
> QM Packet 1
You should be able to see the SA life Type, Duration, Authentication Alg,
If your encryption fails here, it is one of the above Phase II settings that needs to be looked at.
> QM Packet 1
> ID
You should be able to see the initiators
VPN Domain configuration including the type (ID_IPV4_ADDR_SUBNET) and data (ID Data field).
Under the second ID field you should be able to see the peers VPN Domain configuration.
Packet 2 from the responder agrees to its own subnet or host ID, encryption and hash algorithm.
Packet 3 completes the IKE negotiation.
If all of this works without any errors, then you may have previously initiated an invalid tunnel previously. You can use the
A.
VPN tunnel utility "vpn tu" to remove SA keys from the table.
If there is any additional information regarding two other frequent problems one way only traffic and tunnel disconnections ?
One way only traffic is generally the result of one peer not having correctly established a security association.
Most frequently this is due to the way in which Check Point combines adjacent IP address networks together into supernets. ie, if you have 192.168.0.0/24 and 192.168.1.0/24, Check Point will supernet this into
192.168.0.0/23.
This is done to reduce the number of keys required and hence reduce the load on the VPN gateway. However, other VPN devices do not follow this methodology, so depending upon the version of VPN-1 you are
using, you may need to set IKE_use_largest_possible_subnets or correctly configure the VPN communities tunnel management (one vpn per pair of hosts, per subnet pair or per gateway). See
SecureKnowledgebase article Solution ID: #sk26336.
Tunnel disconnections can be caused either a physical connectivity problem or routing problems or once again, a mismatch in the VPN security associations. Be particularly careful with VPNs to Cisco in this regards.
Plenty of times I've seen people confused between seconds and minutes! I've also seen that sometimes the Cisco ends of VPNs dont want to reset the SAs when told to by the Check Point end.
B. If there is any information regarding ike.elg + vpn.elg explanation. I familiar with the ike/ipsec processes but those 2 files are still no easy to understand (I know there is a tool called ikeview but I dont work for
organization considered as CSP so its seems like Ill never put my hands on this tool) ?
From my answer above, you can see that my statement about "Most VPN debugging consists of looking at the IKE negotiation" to be true. And it is most unlikely that you will need to look into the vpnd.elg file. With
respect to obtaining ikeview.exe.
IMPORTANT PATHS:
1.Where are database revision control files stored?
$FWDIR/conf/db_versions/repository/
FLOW-LOOKUP- This will check for existing connections. I a connection exists, the flow is automatically allowed
2. ROUTE-LOOKUP - This is the inbound route lookup which includes reverse patch, if enabled.
3. Inbound ACCESS-LIST- Checks for an interface ACL
4. CONN-SETTINGS - Application layer checks (Class maps)
5. IP-OPTIONS- RFC 791
6. NAT
7. Outbound ACCESS-LIST (if an outbound access list exists on the egress interface).
9.FLOW-CREATION
10.ROUTE LOOKUP - Destination route lookup
How to immediately know if you are logged into the active or standby firewal on ASA
The prompt (introduced in 7.2(1)) command allows you to customize the hostname of the ASA to include dynamic elements.
prompt state will display the state of the firewall.
for example:
lab-dev-01# config t
lab-dev-01 (config)# prompt state
lab-dev-01/act(config)#
#conf t
(config)# management-access inside
Cluster cannot be empty" or "only one interface defined" error on Checkpoint R70 and R71
Checkpoint has confirmed that this is a bug that occurs occasionally when pushing policy to clusters.
Example:
Firewall and Address Translation Policy Verification: Verifier warnings: There is only one interface defined for object . At least one more interface must be
configured for this object in order to use the Anti-Spoofing feature.
or
"Verifier warnings: A Cluster cannot be empty. It must have Cluster members"
To resolve the issue, open the cluster object for the gateway that you are pushing policy for,
and go into the Topology. Click OK, then OK on the Cluster object and Save. The error should go away.
ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a "no forward" command on this interface or on 1
interface(s) with nameif already configured.
This error will occur during the configuration of a ne wVLAN on an ASA 5505.
This error occurs because there is only a Base license installed on the ASA. The license will need to be upgraded to a Security Plus license.
A base license will only allow 3 VLANS to be created.
20:
20:
20:
20:
vrid
vrid
vrid
vrid
100
100
100
100
pri
pri
pri
pri
If both firewalls are broadcasting vrrp, and the packets are not seen by the other firewall, there could be a communication problem between the firewalls.
Also ensure that the vrid matches on both firewalls.
Proper VRRP failovers usually only cause 1 or 2 packets lost .
VRRP multicast address is 224.0.0.18
To capture vrrp traffic in fw monitor:
fw monitor -e accept ip_p = 112;
Clish
show vrrp
This will show you which devices are in master and backup
Example:
PrimaryFW-A> sh vrrp
VRRP State
Flags: On
6 interface enabled
6 virtual routers configured
0 in Init state
0 in Backup state
6 in Master state
PrimaryFW-A>
PrimaryFW-A> exit
Bye.
PrimaryFW-A[admin]#
SecondaryFW-B[admin]# iclid
SecondaryFW-B> sh vrrp
VRRP State
Flags: On
6 interface enabled
6 virtual routers configured
0 in Init state
4 in Backup state
2 in Master state
SecondaryFW-B>
SecondaryFW-B> exit
TCP 256: CA and DH key exchange, net topology fetch on older SC versions, and port used to push policy to remote firewalls.
TCP 18191: CPD process for communications such as policy installation and certificate revocation.
Troubleshooting VRRP
Check the status of the interfaces
In this example, both firewalls believe that they are in a master state.
FW-1[admin]# iclid
FW-1> sh vrrp
VRRP State
Flags: On
6 interface enabled
6 virtual routers configured
0 in Init state
0 in Backup state
6 in Master state
FW-1>
FW-1> exit
FW-2[admin]# iclid
FW-2> sh vrrp
VRRP State
Flags: On
6 interface enabled
6 virtual routers configured
0 in Init state
4 in Backup state
2 in Master state
A TCPDUMP can confirm that VRRP packets are reaching each interface.
On the Primary:
FW-1[admin]# tcpdump -i eth-s4p2c0 proto vrrp
tcpdump: listening on eth-s4p2c0
00:46:11.374424 O 192.168.10.1 > 224.0.0.18: VRRPv2-adver 20: vrid 102 pri 100 [tos 0xc0]
00:46:12.344334 O 192.168.10.1 > 224.0.0.18: VRRPv2-adver 20: vrid 102 pri 100 [tos 0xc0]
Secondary:
FW-1[admin]# tcpdump -i eth-s4p2c0 proto vrrp
tcpdump: listening on eth-s4p2c0
00:19:38.533454 O 192.168.10.2 > 224.0.0.18: VRRPv2-adver 20: vrid 102 pri 95 [tos 0xc0]
00:19:39.544322 O 192.168.10.2 > 224.0.0.18: VRRPv2-adver 20: vrid 102 pri 95 [tos 0xc0]
Now you can see that the interface on both the primary and the secondary firewalls are broadcasting vrrp multicasts. This is because the vrrp multicasts
are not reaching the firewalls interfaces. This means there is a communication breakdown which can be possibly caused by network issues.
In another example you will see that the VRIDS dont match
FW-1[admin]# tcpdump -i eth-s4p2c0 proto vrrp
00:46:11.206994 I 10.10.10.1 > 224.0.0.18: VRRPv2-adver 20: vrid 103 pri 95 [tos 0xc0]
00:46:11.379961 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 102 pri 100 [tos 0xc0]
FW-1[admin]# tcpdump -i eth-s4p2c0 proto vrrp
00:19:38.507294 O 192.168.1.2 > 224.0.0.18: VRRPv2-adver 20: vrid 102 pri 95 [tos 0xc0]
00:19:38.630075 I 10.10.10.2 > 224.0.0.18: VRRPv2-adver 20: vrid 103 pri 100 [tos 0xc0]
vrrp
vrrp
vrrp
vrrp
vrrp
vrrp
vrrp
vrrp
interface
interface
interface
interface
interface
interface
interface
interface
eth1c0
eth1c0
eth1c0
eth1c0
eth1c0
eth1c0
eth1c0
eth1c0
monitored-circuit
monitored-circuit
monitored-circuit
monitored-circuit
monitored-circuit
monitored-circuit
monitored-circuit
monitored-circuit
vrid
vrid
vrid
vrid
vrid
vrid
vrid
vrid
54
54
54
54
54
54
54
54
monitored-interface eth2c0 on
monitored-interface eth2c0 priority-delta 10
monitored-interface eth3c0 on
monitored-interface eth3c0 priority-delta 10
priority 100
hello-interval 1
vmac-mode default-vmac
backup-address 192.168.29.1 on
A transform set combines encryption method and authentication method. During the IPSec security association negotiation with ISAKMP, the peers agree
to use a particular transform set to protect a particular data flow. The transform set must be the same for both peers.
You can create multiple transform sets, and then specify one or more of these transform sets in a crypto map entry.
You can view previously created transform sets by typing the show crypto ipsec transform-set command. If the desired transform set has not been
previously defined, the crypto ipsec transform-set command is used to create it.
Example:
#(config)crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
An access-list is used to define the interesting traffic or the traffic that should be encrypted and allowed through the VPN Tunnel. The access-list should
always be defined from local to remote. The subnet sizes need to match on the remote gateway.
Example:
#(config) access-list tunnel1 extended permit ip y.y..191.0 255.255.255.0 host y.y..155.12
If port filtering is being used, and traffic is being initiated from the remote side, the destination port of the remote host must be the source port of the
local matching acl.
A tunnel group is used to identify specific connection parameters and the definition of a group policy. The default tunnel groups are DefaultRAGroup (used
for Remote Access tunnels) and DefaultL2Lgroup(used for IPSEc Lan-to-Lan tunnels).
Example:
#(config)tunnel-group y.y.155.1 type IPsec_l2l
#(config)tunnel-group y.y.155.1 ipsec-attributes
#(config-attributes) pre-shared-key abc123
The crypto map ties together several components that define the VPN tunnel. This is where the peer defined in the tunnel-group command is tied to the
access-list and transform-set. The crypto map must be assigned a unique map id #. To view the previously used crypto map id numbers run the show ru
crypto command.
Example:
#(config)crypto map mymap 10 match address tunnel1
#(config)crypto map mymap 10 set peer y.y,155.1
#(config)crypto map mymap 10 set transform-set 3desmd5
Nat considerations:
If a local address is going to be natted outbound, the crypto acl should use the outside ip address.
Troubleshooting Phase II:
Check syslogs
Show crypto ipsec sa- This command shows the output of the IPSEC SAs. The SA will include the ip address of the local and remote endpoints, encryption
domains (interesting traffic), transform set (what encryption and hash is being used), key lifetime, and # of packet encrypt/decrypts.
debug crypto engineDisplays the traffic that is encrypted.
Example of an IPSEC SA:
This shows the crypto map used for this connection.
Crypto map tag: vpn_map, seq num: 130, local addr: x.x.160.45
The following line shows the crypto acl that includes the traffic to be protected.
access-list VPN-CIDS704976 permit ip x.x.190.0 255.255.254.0 host 10.2 5.4.80
local ident (addr/mask/prot/port): (x.x.190.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (10.25.4.80/255.255.255.255/0/0)
current_peer: y.y.227.136
Encrypts indicate that this side is encrypting and sending traffic. Decrypts indicates that the other side is sending traffic.
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
This lists the local and remote endpoints.
local crypto endpt.: x.x.160.45, remote crypto endpt.: y.y.227.136
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 2AFEA5C7
There is a separate sa for inbound and outbound.
inbound esp sas:
spi: 0x9D111D2A (2635144490)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 317225, crypto-map: vpn_map
sa timing: remaining key lifetime (kB/sec): (4275000/28789)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x2AFEA5C7 (721331655)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 317225, crypto-map: vpn_map
sa timing: remaining key lifetime (kB/sec): (4274999/28789)
IV size: 16 bytes
replay detection support: Y
Clear crypto ipsec sa peer will clear the Phase 2 SAs for a given peer.
debug crypto ipsecDisplays the IPSec negotiations of phase 2.
No Valid SA/ Identity mismatch Transform set or crypto acl
Sample Debug output:
The following shows that the tunnel group configuration was found.
Oct 26 15:42:43 [IKEv1]: IP =y.y.205.92, Connection landed on tunnel_group y.y,.205.92
Sample syslog errors:
This shows interesting traffic ACL getting exchanged.
1754 11/29/2001 16:20:18.500 SEV=7 IKEDBG/0 RPT=546 y.y.205.92
Transmitting Proxy Id:
Remote host: 192.168.1.1 Protocol 0 Port 0
Local host: 10.64.10.9 Protocol 0 Port 0
Completion of Phase II.
1949 11/29/2001 16:20:18.540 SEV=4 IKE/49 RPT=3 y.y.205.92
Security negotiation complete
Responder, Inbound SPI = 0x11a56495, Outbound SPI = 0xb17718a5
Mar 10 2008 18:47:05: %PIX-5-713120: Group = y.y.41.250, IP = y.y.41.250, PHASE 2 COMPLETED (msgid=0f78e513)
Pre-shared key mismatch.
1754 11/29/2001 16:20:18.500 Group = 172.16.172.63, IP = 172.16.172.63, Received an un-encrypted PAYLOAD_MALFORMED notify message,
dropping.
Pre-shared key mismatch reported by the report peer(receiving peer):
:713903: Group = 172.1.12.1, IP = 172.1.12.1 ERROR. peer has indicated that something is wrong with our message. This could indicate a pre-shared
key mismatch.
Transform-set mismatch.
1754 11/29/2001 16:20:18.500 Group = 172.16.172.63, IP = 172.16.172.63, Received non-routine Notify message: No Proposal Chosen
Transform-set mismatch on remote peer(receiving peer):
713904 IP = 10.51.16.1, Received encrypted packet with no matching SA, dropping
713048: IP = 10.51.16.1 Error processing payload. Payload ID 1
The following indicates that the remote gateway is not finding matching interesting traffic.
1754 11/29/2001 16:20:18.500 Group = y.y.172.63, IP = y.y.172.63, Received non-routing Notify message: Invalid ID info (18)
The following indicates that the local gateway is not finding matching interesting traffic.
1754 11/29/2001 16:20:18.500 Group =y.y.172.63, IP = y.y.172.63, Static Crypto Map check, map = mymap, seq = 10, ACL does not match proxy IDs
src:192.168.1.0 dst:192.168.2.0
PFS mismatch:
713068: Group 172.1.12.1, Received non-rouing Notify message; No Proposal chosen (14)
PFS turned on on the remote peer. Local peer reports the following:
713902; Group = 10.51.16.1. QM FSM error (p2 struct &0x296fde8, mess id 0x518e80d)!
QM FSM is a generic message indicating that the phase II connection was rejected by the remote peer.
This indicated that the remote peer is natting:
%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x72DEC2AA, sequence number= 0x41) from y.y.28.178 (user= y.y.28.178) to y.y.83.194. The
decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as y.y.83.194, its source as y.y.28.178, and
its protocol as 1. The SA specifies its local proxy as y.y.10.16/255.255.255.240/0/0 and its remote_proxy as y.y.63.0/255.255.255.0/0/0.
Useful tables:
host_table
This host_table holds the IP addresses of internal machines protected by the VPN-1/FireWall-1 NG Enforcement Module. The table only exists where the
VPN-1/FireWall-1 license is limited. The maximum number of entries in this table is the licensed number of internal machines.
arp_table
The arp_table holds the IP addresses for which the machine is willing to proxy ARP. Proxy ARP is sometimes required when using NAT. If IP addresses
that the machine is to resolve are specified in local.arp , this table can be used to check that the IP addresses were correctly specified. The automatic
ARP feature also uses this table to cause the machine to resolve translated IP addresses.
Entry format:
<!--[if !supportLists]-->2. <!--[endif]-->MAC address of gateway machine interface that will answer ARP requests for the IP address.
<!--[if !supportLists]-->4. <!--[endif]-->Name of the gateway interface that will proxy ARP for IP addresses.
First entry: < 0, hiding IP address, IP protocol, first high port used; next high port to be allocated>
The first field is a space holder and is always 0. The first high port to be used is always 10000.
fwx_alloc
The fwx_alloc table holds information about the allocation of ports for the translated packets.
fwx_cntl_dyn_tab
The fwx_cntl_dyn_tab table holds information about the allocated IP addresses from the IP Pool of the Enforcement Module, and the connections using
the IP addresses.
EXAMPLE
attributes: keep, expires never, limit 25000,
hashsize 512, free function 40550248 0
<0a010104,>
00000001, 00000e10, 000000c3>
fwx_auth
The fwx_auth table holds the original information of a folded connection, so that the Security Server will know the original destination IP and port of the
connection.
EXAMPLE
attributes: expires 300, limit 25000, refresh, keep
EXAMPLE
-------- sam_blocked_ips --------dynamic, id 8141, attributes: keep, limit 25000, hashsize 512 <05050505;> 00000000, 00000000,
00000000>
host_ip_addrs
The host_ip_addrs table contains the list of IP addresses in the VPN-1/FireWall-1 NG Enforcement Module.
fwx_ip_lookup_tab
The fwx_ip_lookup_tab table holds information used for IP Pool allocation queries.
EXAMPLE
attributes: keep, limit 25000, hashsize 512
fwz_crypt_pending
The fwz_crypt_pending table is used to record a possibly encrypted connection that should obtain their encryption/decryption key. This table is accessed
from the VPN kernel, and the VPN daemon. The kernel can obtain a new key from this table stored by the daemon, which negotiated the key exchange
with a trusted peer. This table also passes error messages. The fwz_crypt_pending table is dynamic.
forbidden_tab
Each embedded VPN-1/FireWall-1 system has a feature that indicates how many hosts can be located behind it. The number of hosts can be set to
unlimited. This limitation is enforced in the Inspect code using the macro COUNT_HOST .
COUNT_HOST records each packet that comes from the internal interface in a table until the limit is exceeded
IKE_SA_table
IKE SAs are stored in IKE_SA_table . The table entries have four possible formats:
<!--[if !supportLists]--> <!--[endif]-->The top two formats are only used on SecuRemote.
<!--[if !supportLists]--> <!--[endif]-->Format 1 is used to store and retrieve the latest IKE SA.
<!--[if !supportLists]--> <!--[endif]-->Table entries are used to conduct IKE Quick Mode negotiation of IPSEC_SA .
<!--[if !supportLists]--> <!--[endif]-->Entries are extracted from this table when the vpn daemon is trapped for IPSEC_SA renewal. IKE daemon
tries to use previously negotiated IKE SA.
ATTRIBUTES
expires
3600
limit
25000
sync
keep
hashsize
512
kbuf
KEYS
PeerAddress ipaddr
Me
ipaddr
on SecuRemote it is the IP address used by SecuRemote when it negotiated this IKE SA; field is used to prevent using an old
IKE SA negotiated before SecuRemote obtained a new IP address; if initiator or responder
CookieI
u_long
[2]
CookieR
u_long
[2]
VALUES
IKE_SA
Flags
uint currently only 2 flags are defined: (PEER_MOBILE, INITIATOR); used so Enforcement Module does not need to retrieve the
whole kbuf from the kernel if we only want to know if this SA was established with a mobile user
EXAMPLE
-------- IKE_SA_table -------dynamic, id 77, attributes: keep, sync, expires 3600,
limit 25000, hashsize 512, kbuf 1, free function
Cisco Anyconnect sample config
config t
webvpn
svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
! this is a customerized vpn profile, if client does not needed, you can remove the following line using cisco default
! svc profiles VitalProf disk0:/vpn-vig-tdc.xml
tunnel-group-list enable
enable outside
svc enable
exit
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpnssl-split extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
username userA password test123
username userA attributes
service-type remote-access
exit
username userB password test12345
username userB attributes
service-type remote-access
exit
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 192.168.1.51 192.168.1.61
wins-server value 192.168.1.51 192.168.1.61
address-pools value SSLClientPool
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnssl-split
webvpn
vpn-tunnel-protocol svc
svc keep-installer installed
crypto
crypto
crypto
crypto
condition
condition
condition
condition
user
unmatched isakmp
error ipsec
error isakmp
http://www.netleets.com/search/label/tcpdump
There is an issue with FWD on the gateway. In some instances you may need to restart FWD via a cpstart. Though the
root cause could be down to a number of factors.
Why are the logs not being displayed within SmartView tracker ?
Ok so the manager is receiving the logs but you may still not see them within the
SmartView tracker this will be down to either the FWD (Firewall Daemon) or the log
files being corrupted.
Log Files Corrupted
If the log files are corrupted you should expect to see no logs within the SmartView
Tracker. If this is the case you will need to action the following steps :
1. Close the Log Viewer/SmartView Tracker and Policy Editor/SmartDashboard.
2. Execute the fwstop or cpstop command (depending on the version) from the
command line.
3. Remove all files starting with fw.log and fw.logptr from the $FWDIR\log
directory.
4. Execute the fwstart or cpstart (depending on the version) command.
Full details can be found at Check Points KB within Solution ID sk6432.
Only some of the logs are not being displayed
If only some of the logs are not being displayed then this could point to an issue with the trust between
the manager and the gateway.
To confirm the issue you will need to debug FWD using the following steps.
root@cp-mgnt# fw debug fwd on TDERROR_ALL_ALL=5
root@cp-mgnt# tail -f $FWDIR/log/fwd.elg
root@cp-mgnt# tail -f $FWDIR/log/fwd.elg | grep -i "Certificate is revoked"
root@cp-mgnt# fw debug fwd off
Within these steps we first enable the debug. Then we run a live tail on the log file. And then we run a
grep on the live tail for a specific error. The live tail allows us to view the end of the log file in real time.
We finally turn off the debug.
Below shows an example of an error with the SIC trust between the Gateway and Manager obtained
from the $FWDIR/log/fwd.elg,
[FWD 2177 1]@cp-mgnt[22 Jan 14:47:32] fwCert_ValCerts: Certificate is revoked. CN=cp-fw1,O=cp-mgnt..bizt7z
[FWD 2177 1]@cp-mgnt[22 Jan 14:47:41] fwCert_ValCerts: Certificate is revoked. CN=cp-fw2,O=cp-mgnt..bizt7z
In this instance resetting SIC would resolve this issue
On digging deeper we noticed that one of the firewall devices was configured to use multicast and one for broadcast cluster
communications, this was identified using the following command 'cphaprob -a if' which presents the following output:
eth-s1p3c0 non sync(non secured)
eth-s4p3c0 non sync(non secured)
eth-s4p4c0 non sync(non secured)
eth-s1p1c0 non sync(non secured)
eth-s1p4c0 sync(secured), multicast
eth-s1p2c0 non sync(non secured)
eth-s4p1c0 non sync(non secured)
eth-s4p2c0 non sync(non secured)
Virtual cluster interfaces: 7
eth-s1p3c0 xx.xx.xx.xx
eth-s4p3c0 xx.xx.xx.xx
eth-s4p4c0 xx.xx.xx.xx
eth-s1p1c0 xx.xx.xx.xx
eth-s1p2c0 xx.xx.xx.xx
eth-s4p1c0 xx.xx.xx.xx
eth-s4p2c0 xx.xx.xx.xx
Both firewalls must be configured to use the same method of communication, which can be
changed using the following command 'cphaconf set_ccp multicast' or 'cphaconf set_ccp
broadcast'. Providing your switching infrastructure supports multicast you should use this mode
due to the performance overhead of broadcast communication. This command failed to change
the method of communication and left us with no other option than to perform the following
steps:
1
Set Checkpoint Packages as in-active, then delete them ensuring that the Connectra package is removed first.
Re-install HFA 70
After performing thse steps the cluster CCP was back to multicast (bizare really...). We had to perform a reboot of the second
device once this was completed, at which point both nodes of the cluster reported no ClusterXL errors, 'cphaprob list' showed
the following output:
# cphaprob list
Registered Devices:
Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 213003 sec
Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 213003 sec
Device Name: cphad
Registration number: 2
Timeout: 5 sec
Current state: OK
Time since last report: 0.7 sec
Device Name: fwd
Registration number: 3
Timeout: 5 sec
Current state: OK
Time since last report: 0.5 sec
'fw ctl pstat' should also list the Synch as 'Able to Send/Receive sync packets' :
# fw ctl pstat
Machine Capacity Summary:
Memory used: 14% (90MB out of 637MB) - below low watermark
Concurrent Connections: 26% (17876 out of 67900) - below low watermark
Aggressive Aging is in monitor only
Hash kernel memory (hmem) statistics:
Total memory allocated: 200278016 bytes in 48894 4KB blocks using 2 pools
Initial memory allocated: 20971520 bytes (Hash memory extended by 179306496 bytes)
Memory allocation limit: 536870912 bytes using 10 pools
Total memory bytes used: 23487660 unused: 176790356 (88.27%) peak: 34170776
Total memory blocks used: 7126 unused: 41768 (85%) peak: 9164
Allocations: 1183931215 alloc, 0 failed alloc, 1183678473 free
System kernel memory (smem) statistics:
Total memory bytes used: 250335916 peak: 300842432
Blocking memory bytes used: 1865892 peak: 2596156
Non-Blocking memory bytes used: 248470024 peak: 298246276
Allocations: 160033475 alloc, 0 failed alloc, 160032829 free, 0 failed free
Kernel memory (kmem) statistics:
Total memory bytes used: 73389696 peak: 101169940
Allocations: 1184023246 alloc, 0 failed alloc, 1183769860 free, 0 failed free
External Allocations: 0 for packets, 0 for SXL
Kernel stacks:
0 bytes total, 0 bytes stack size, 0 stacks,
0 peak used, 0 max stack bytes used, 0 min stack bytes used,
0 failed stack calls
INSPECT:
1029526467 packets, -2128289516 operations, 373013811 lookups,
2035 record, 183665476 extract
Cookies:
-1649393933 total, 0 alloc, 0 free,
4607 dup, -1525329462 get, 138972711 put,
-1565092568 len, 217535 cached len, 0 chain alloc,
0 chain free
Connections:
54513276 total, 52537755 TCP, 1898998 UDP, 76506 ICMP,
cphaprob -a if
Manually failover
cphaprob -d STOP -s problem -t 0 register
cphaprob list
cphaprob -d STOP unregister
Display State of ClusterXL IGMP
cphaprob stat (Notify if IGMP membership is supported)
cphaprob igmp (Display the current IGMP membership settings)
SmartCenter
Backup and Restore SmartCenter
upgrade_export
$FWDIR/bin/upgrade_tools/upgrade_import
Check whether licensed for management high availability (Management HA)
cplic check mgmtha
SecurePlatform
SecurePlatform configuration commands:
Configure Interfaces, Routes etc
sysconfig
Add static routes
config route add dest 192.168.1.0/24 via 192.168.0.1 dev eth0 metric 0 s-persistant on
apply on
Configure Network Interfaces
config conn help
config conn set name eth1 type eth onboot on iff-up on local 192.168.1.2/24 broadcast
192.168.1.255 s-persistant on s-code up mtu 1500
Configure Bonded Network Interfaces (NIC Team, 2 physical, 1 logical interface)
config conn add name bond0 type bond onboot on iff-up on mtu 1500 bond-mode activebackup bond-miimon 100 bond-downdelay 200 bond-updelay 200 bond-primary eth1 local
192.168.1.2/24
config conn add name eth1 type eth onboot on iff-up on mtu 1500 master-bond bond0
config conn add name eth4 type eth onboot on iff-up on mtu 1500 master-bond bond0