|Troubleshooting a Netscreen Site 2 Site VPN|
|Firewalls - Netscreen|
|Wednesday, 23 December 2009 16:47|
In this example we will run through various steps to troubleshoot a Site 2 Site VPN.
Confirm General Details
This gives a general overview of the VPN (gateway, policy, tunnel interface and monitor settings) before digging into the individual phases.
netscreen(M)-> get vpn
Confirm Phase 1
To confirm whether IKE (Phase 1) has completed successfully, run the following command. You may find that there is no IKE cookie even though there is a Phase 2 Security Association. This happens when the Phase 1 IKE lifetime is set to a value less than the Phase 2 lifetime. You can find additional details here.
netscreen(M)-> get ike cookie | i [remote peer ip]
Confirm Phase 2
From the get sa command you can see the status and various details of the Security Associations. The field highlighted in bold in the output shows the status of the VPN tunnel (left) and the status of the VPN monitor (right). In this case the VPN tunnel is active and the VPN monitor is dashed out because it isn't enabled.
netscreen(M)-> get sa | i [peer ip]
Using the SA ID we can confirm additional details of the Phase 2 SA.
netscreen(M)-> get sa id 0x00000007
Running a Debug
Here we will run a debug so we can obtain a more verbose view of what is happening to our traffic.
netscreen(M)-> set ff src-ip [local endpoint] dst-ip [remote endpoint]
If the tunnel does not come up you can use the IKE debug, filtered to the peer so that only that negotiation is logged:
netscreen(M)-> debug ike detail
netscreen(M)-> set sa-filter [IP]
In addition to checking the logs to confirm that traffic is being passed, you can check for Phase 1 and Phase 2 errors in the device's event log:
netscreen(M)-> get event include [peer ip]
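The checks above are easy to script once you have the command output. The following Python is an added example, not part of the original post: it parses a constructed sample of ScreenOS get sa output (column layout assumed from typical ScreenOS output), reads the tunnel/VPN-monitor status field, and combines it with whether get ike cookie showed a Phase 1 entry to suggest the next step, including the "Phase 2 SA but no IKE cookie" lifetime case described above.

```python
import re

# Constructed sample of ScreenOS "get sa" output (not taken from the original
# page). The column layout is assumed from typical ScreenOS output.
SAMPLE_GET_SA = """\
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000007< 203.0.113.10    500 esp:3des/sha1 3ea1c0d2  3600 unlim A/-    -1 0
00000007> 203.0.113.10    500 esp:3des/sha1 9b72ffe0  3600 unlim A/-    -1 0
00000009< 198.51.100.7    500 esp:aes128/sha1 5c01aa19 2400 unlim A/D    -1 0
00000009> 198.51.100.7    500 esp:aes128/sha1 71bb0e44 2400 unlim A/D    -1 0
0000000b< 192.0.2.44      500 esp:3des/md5  00000000     0 unlim I/I    -1 0
"""

# The "Sta" field reads <tunnel>/<monitor>: left is the Phase 2 tunnel state,
# right is the VPN monitor state ("-" when VPN monitor is not enabled).
TUNNEL = {"A": "active", "I": "inactive"}
MONITOR = {"-": "not enabled", "U": "up", "D": "down", "I": "inactive"}

SA_LINE = re.compile(
    r"^(?P<id>[0-9a-f]{8})[<>]\s+(?P<peer>\S+)\s+\d+\s+\S+\s+[0-9a-f]+\s+\d+\s+\S+\s+"
    r"(?P<tun>[AI])/(?P<mon>[-UDI])(?=\s|$)", re.IGNORECASE)

def parse_get_sa(text):
    """Map SA ID -> {peer, tunnel, monitor}; inbound (<) and outbound (>) rows share an ID."""
    sas = {}
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue  # header or unrelated line
        sas.setdefault(m["id"].lower(), {
            "peer": m["peer"],
            "tunnel": TUNNEL[m["tun"].upper()],
            "monitor": MONITOR[m["mon"].upper()],
        })
    return sas

def diagnose(sa, ike_cookie_present):
    """Next step from the SA state and whether 'get ike cookie' listed this peer."""
    if sa["tunnel"] != "active":
        return ("Phase 2 inactive: check Phase 1 with 'get ike cookie' and the event "
                "log, then run 'debug ike detail' with 'set sa-filter' on the peer")
    if not ike_cookie_present:
        return ("Phase 2 active, no IKE cookie: normal when the Phase 1 lifetime is "
                "shorter than the Phase 2 lifetime")
    if sa["monitor"] == "down":
        return "Phase 2 active but VPN monitor is down: check the monitored destination"
    return "tunnel active" + (", VPN monitor up" if sa["monitor"] == "up" else "")

for sa_id, sa in parse_get_sa(SAMPLE_GET_SA).items():
    print(sa_id, sa["peer"], "->", diagnose(sa, ike_cookie_present=sa_id != "00000007"))
```

Paste real get sa output in place of the sample and pass the result of your own get ike cookie check for each peer.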
Rekey the VPN