Troubleshooting a Netscreen Site 2 Site VPN
Firewalls - Netscreen
Wednesday, 23 December 2009 16:47
In this example we will run through various steps to troubleshoot a Site 2 Site VPN.
Confirm General Details
This will give us a general overview of our VPN.
netscreen(M)-> get vpn
Confirm Phase 1
To confirm whether IKE has been successful you can run the following command. You may find, though, that there is no IKE cookie but there is a Phase 2 Security Association. This is due to the Phase 1 IKE lifetime being set to a value less than the IKE Phase 2 lifetime. You can find additional details here.
netscreen(M)-> get ike cookie | i [remote peer ip]
Confirm Phase 2
From the get sa command you can see the status and various details of the Security Associations. The section below, which is highlighted in bold, shows the status of the VPN tunnel (left) and the status of the VPN monitor (right). In this case the VPN tunnel is active and the VPN monitor is dashed out as it isn't enabled.
netscreen(M)-> get sa | i [peer ip]
Using the SA ID we can confirm additional details of the Phase 2 SA.
netscreen(M)-> get sa id 0x00000007
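The status pair described above can also be checked by script when get sa output is collected from several firewalls. The following Python is an added example, not part of the original article: the sample output is constructed, the column layout and the status letters other than active and dash (I, U, D) are assumptions based on typical ScreenOS output, and parse_get_sa and needs_attention are hypothetical names.

```python
import re

# Constructed sample of `get sa` output (not captured from a real device).
SAMPLE_GET_SA = """\
total configured sa: 2
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000007<      192.0.2.10  500 esp:3des/sha1 5a1b2c3d  3412 unlim A/-    -1 0
00000007>      192.0.2.10  500 esp:3des/sha1 6d7e8f90  3412 unlim A/-    -1 0
00000009<    198.51.100.7  500 esp:3des/sha1 00000000 expir unlim I/I    -1 0
00000009>    198.51.100.7  500 esp:3des/sha1 00000000 expir unlim I/I    -1 0
"""

SA_ID = re.compile(r"^([0-9a-fA-F]{8})([<>])$")   # hex SA ID plus direction marker
STA = re.compile(r"^([AI])/([-UDI])$")            # tunnel status / VPN monitor status

# Assumed meaning of the status letters (left = tunnel, right = monitor).
TUNNEL = {"A": "active", "I": "inactive"}
MONITOR = {"-": "not enabled", "U": "up", "D": "down", "I": "inactive"}


def parse_get_sa(text):
    """Return one dict per SA line: sa_id, marker, gateway, tunnel, monitor."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        m_id = SA_ID.match(fields[0]) if len(fields) >= 3 else None
        if not m_id:
            continue  # summary line, column header or blank line
        # Locate the status token by shape rather than by column position.
        sta = next((m for m in map(STA.match, fields[2:]) if m), None)
        if sta is None:
            continue
        rows.append({
            "sa_id": "0x" + m_id.group(1),  # form accepted by `get sa id`
            "marker": m_id.group(2),        # '<' or '>' as printed
            "gateway": fields[1],
            "tunnel": TUNNEL[sta.group(1)],
            "monitor": MONITOR[sta.group(2)],
        })
    return rows


def needs_attention(rows):
    """SAs whose tunnel is not active, or whose monitor is enabled but not up."""
    return [r for r in rows
            if r["tunnel"] != "active" or r["monitor"] not in ("not enabled", "up")]


if __name__ == "__main__":
    for sa in needs_attention(parse_get_sa(SAMPLE_GET_SA)):
        print(sa["sa_id"], sa["marker"], sa["gateway"], sa["tunnel"], sa["monitor"])
```

The sa_id value of any flagged entry can be passed to get sa id for the Phase 2 details.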
Running a Debug
Here we will run a debug so we can obtain a more verbose view of what is happening to our traffic.
netscreen(M)-> set ff src-ip [local endpoint] dst-ip [remote endpoint]
If the tunnel does not come up you can use the following debug:
netscreen(M)-> debug ike detail
netscreen(M)-> set sa-filter [IP]
In addition to checking the logs to confirm that traffic is being passed, you can check the device's event logs for Phase 1 and Phase 2 errors.
netscreen(M)-> get event include [peer ip]
Rekey the VPN