Troubleshooting a Netscreen Site 2 Site VPN
Firewalls - Netscreen
Wednesday, 23 December 2009 16:47
In this example we will run through various steps to troubleshoot a Site 2 Site VPN.
Confirm General Details
This will give us a general overview of our vpn.
netscreen(M)-> get vpn
Confirm Phase 1
To confirm whether IKE Phase 1 has completed successfully, run the following command. You may find that there is no IKE cookie even though there is a Phase 2 Security Association. This happens when the Phase 1 IKE lifetime is set to a value lower than the IKE Phase 2 lifetime. You can find additional details here.
netscreen(M)-> get ike cookie | i [remote peer ip]
Confirm Phase 2
From the get sa command you can see the status and various details of the Security Associations. The highlighted section of the output shows the status of the VPN tunnel (left) and the status of the VPN monitor (right). In this case the VPN tunnel is active and the VPN monitor is dashed out because it isn't enabled.
netscreen(M)-> get sa | i [peer ip]
Using the SA ID we can confirm additional details of the Phase 2 SA.
netscreen(M)-> get sa id 0x00000007
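To make the Phase 2 check above repeatable, here is an added example (not from the original post) that parses a constructed sample of "get sa" output, decodes the tunnel/monitor status pair described above, and reports whether a peer has a complete, active inbound/outbound SA pair. The column layout of the sample and the meaning of the status letters (A/I for the tunnel, -/U/D for the monitor) are assumptions modelled on ScreenOS output.

```python
import re

# Constructed sample of ScreenOS "get sa" output (not captured from a real
# device); the column layout is an assumption modelled on the ScreenOS
# format. "<" marks the inbound SA of a pair and ">" the outbound SA.
SAMPLE_GET_SA = """\
HEX ID    Gateway         Port Algorithm       SPI      Life:sec kb Sta   PID vsys
00000007< 203.0.113.10    500  esp:3des/sha1   9a1f2c3d 3600  unlim A/-   -1  0
00000007> 203.0.113.10    500  esp:3des/sha1   4b5e6f70 3600  unlim A/-   -1  0
00000009< 198.51.100.5    500  esp:aes128/sha1 11223344 2400  unlim A/D   -1  0
00000009> 198.51.100.5    500  esp:aes128/sha1 55667788 2400  unlim A/D   -1  0
0000000b< 192.0.2.77      500  esp:3des/md5    00000000 0     unlim I/I   -1  0
"""

SA_LINE = re.compile(
    r"^(?P<id>[0-9a-f]{8})(?P<dir>[<>])\s+(?P<gw>\S+)\s+\d+\s+(?P<alg>\S+)\s+"
    r"(?P<spi>[0-9a-f]{8})\s+(?P<life>\d+)\s+\S+\s+(?P<tun>[AI])/(?P<mon>[-UDI])",
    re.IGNORECASE,
)

# The "Sta" column is tunnel state / VPN-monitor state, e.g. "A/-" or "A/D".
TUNNEL = {"A": "active", "I": "inactive"}
MONITOR = {"-": "not enabled", "U": "up", "D": "down", "I": "inactive"}


def parse_get_sa(text):
    """Return one dict per SA line; the header line is skipped."""
    return [m.groupdict() for m in map(SA_LINE.match, text.splitlines()) if m]


def peer_status(text, peer_ip):
    """Summarise the SA pair for one peer (the 'get sa | i [peer ip]' step).

    "complete" is True only when both the inbound (<) and outbound (>) SAs
    are present and active; anything else is an incomplete pair and the
    event log for that peer is the next thing to check.
    """
    sas = [sa for sa in parse_get_sa(text) if sa["gw"] == peer_ip]
    if not sas:
        return None
    first = sas[0]
    return {
        "id": "0x" + first["id"].lower(),  # same form as "get sa id 0x..."
        "tunnel": TUNNEL[first["tun"].upper()],
        "monitor": MONITOR[first["mon"].upper()],
        "complete": {sa["dir"] for sa in sas} == {"<", ">"}
        and all(sa["tun"].upper() == "A" for sa in sas),
    }
```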
Running a Debug
Here we will run a debug so we can obtain a more verbose view of what is happening to our traffic.
netscreen(M)-> set ff src-ip [local endpoint] dst-ip [remote endpoint]
If the tunnel does not come up you can use the following debug, limiting the IKE output to the peer in question first:
netscreen(M)-> set sa-filter [IP]
netscreen(M)-> debug ike detail
In addition to checking the logs to confirm that the traffic is being passed, you can check for Phase 1 and Phase 2 errors in the device's event log.
netscreen(M)-> get event include [peer ip]
Rekey the VPN