Troubleshooting a NetScreen Site-to-Site VPN

This article walks through the steps for troubleshooting a NetScreen (ScreenOS) site-to-site VPN: confirming the VPN configuration, checking the Phase 1 (IKE) and Phase 2 (IPsec) state, running flow and IKE debugs, and checking the event logs for negotiation errors.

Confirm General Details

The get vpn command gives a general overview of the configured VPNs: the gateway, tunnel mode, replay protection, first Phase 2 proposal, VPN monitor state, the number of policies using the VPN (Use Cnt) and the interface it is bound to. A Use Cnt of 0 means no policy references the VPN, so no traffic will ever trigger it.

netscreen(M)-> get vpn
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ----------
sitea_vpn   sitea       tunl Yes   g2-esp-3des-sha      off           0 eth5
siteb_vpn   siteb       tunl Yes   g2-esp-3des-sha      off           2 eth5
sitec_vpn   sitec       tunl Yes   g2-esp-3des-sha      off           0 eth5
sited_vpn   sited       tunl Yes   g2-esp-3des-sha      off           0 eth5

Confirm Phase 1

To confirm whether Phase 1 (IKE) has completed, list the IKE cookies for the remote peer. You may find that there is no IKE cookie even though there is a Phase 2 Security Association. This happens when the Phase 1 IKE lifetime is set to a value shorter than the Phase 2 lifetime: the IKE SA expires and is removed, while the IPsec SA it negotiated stays up until its own lifetime expires or a rekey occurs. You can find additional details here.

netscreen(M)-> get ike cookie | i [remote peer ip]
80522f/0003, [local peer]:500->[remote peer]:500, PRESHR/grp2/AES256/SHA, xchg(5) (Example/grp-

Confirm Phase 2

The get sa command shows the status and various details of the Security Associations. Each SA is listed twice, once per direction: < is the inbound SA and > is the outbound SA. The A/- field gives the status of the VPN tunnel on the left (A = active, I = inactive) and the status of the VPN monitor on the right. In this case the VPN tunnel is active and the VPN monitor shows a dash because it is not enabled.

netscreen(M)-> get sa | i [peer ip]
00000007<       [peer ip]  500 esp:3des/md5  zbcA14zz  3317 unlim A/-    22 0
00000007>       [peer ip]  500 esp:3des/md5  fbcb64ee  3317 unlim A/-    -1 0

Using the SA ID from the first column, get sa id shows the full details of the Phase 2 SA: the peer gateway, the bound policies and interface, the proposal, proxy IDs, lifetimes, SPIs and anti-replay state.

netscreen(M)-> get sa id 0x00000007
index 49, name Example, peer gateway ip [remote peer]. vsys<Root>
auto key. policy node, tunnel mode, policy id in:<10104> out:<10103> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 662, peer id 52, NSRP Active. Vsd 0   site-to-site. Local interface is ethernet5 
<[local peer]>.
  esp, group 0, a256 encryption, sha1 authentication
  autokey, IN active, OUT active
  monitor<0>, latency: 0, availability: 0
  DF bit: clear
  app_sa_flags: 0x2067
  proxy id: local, remote, proto 0, port 0
  ike activity timestamp: 590051543
nat-traversal map not available
incoming: SPI 9j32882e, flag 00004000, tunnel info 40000296, pipeline
  life 86400 sec, 19761 remain, 0 kb, 0 bytes remain
  anti-replay on, last 0xb6840, window 0xffffffff, idle timeout value <0>, idled 0 seconds
  next pak sequence number: 0x0
outgoing: SPI 7bz2a942, flag 00000000, tunnel info 40000296, pipeline
  life 86400 sec, 19761 remain, 0 kb, 0 bytes remain
  anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 0 seconds
  next pak sequence number: 0x89j9c
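The Phase 1 and Phase 2 checks above can be folded into one per-peer verdict. The following is an added example, not code from the article: it parses the get ike cookie and get sa output formats shown above and reports, for each peer, whether the tunnel is up, up with an expired Phase 1 (the IKE-lifetime-shorter-than-Phase-2 case described earlier), stuck at Phase 2, or down. The sample output is constructed with RFC 5737 documentation addresses; the U/D values for the VPN monitor column are assumed from the ScreenOS convention rather than taken from the article.

```python
"""Parse ScreenOS `get ike cookie` and `get sa` output and give a per-peer
verdict on a site-to-site VPN. This is an added example, not code from the
article; the sample output below is constructed from the formats the article
shows, with documentation (RFC 5737) addresses standing in for real peers."""
import re
from dataclasses import dataclass

# Constructed sample `get ike cookie` output: two peers have a live Phase 1 SA.
IKE_COOKIE_OUTPUT = """\
80522f/0003, 192.0.2.1:500->198.51.100.10:500, PRESHR/grp2/AES256/SHA, xchg(5) (Example/grp-
80522f/0004, 192.0.2.1:500->198.51.100.30:500, PRESHR/grp2/3DES/SHA, xchg(5) (Example/grp-
"""

# Constructed sample `get sa` output, one line per direction (< in, > out).
# .10: Phase 1 and Phase 2 both up.  .20: Phase 2 up but no IKE cookie (the
# Phase 1 lifetime was shorter than the Phase 2 lifetime).  .30: IKE is up
# but the IPsec SA is inactive (I/-), so Phase 2 has not completed.
SA_OUTPUT = """\
00000007<       198.51.100.10  500 esp:3des/md5  4bcf14a2  3317 unlim A/-    22 0
00000007>       198.51.100.10  500 esp:3des/md5  fbcb64ee  3317 unlim A/-    -1 0
00000009<       198.51.100.20  500 esp:3des/sha  1a2b3c4d  2910 unlim A/U    12 0
00000009>       198.51.100.20  500 esp:3des/sha  5e6f7a8b  2910 unlim A/U    -1 0
0000000b<       198.51.100.30  500 esp:3des/sha  00000000     0 unlim I/-    -1 0
0000000b>       198.51.100.30  500 esp:3des/sha  00000000     0 unlim I/-    -1 0
"""

IKE_RE = re.compile(
    r"^(?P<cookie>[0-9a-f]+/[0-9a-f]+),\s+(?P<local>[\d.]+):\d+->(?P<remote>[\d.]+):\d+,"
    r"\s+(?P<proposal>[^,]+),", re.MULTILINE)

# Columns: <id><dir> <peer> <port> <algs> <spi> <life sec> <life kb> <tunnel>/<monitor> ...
# Tunnel column: A = active, I = inactive.  Monitor column: - = VPN monitor not
# enabled, U = monitor up, D = monitor down (U/D assumed from ScreenOS convention).
SA_RE = re.compile(
    r"^(?P<id>[0-9a-f]{8})(?P<dir>[<>])\s+(?P<peer>[\d.]+)\s+\d+\s+(?P<algs>\S+)\s+"
    r"(?P<spi>\S+)\s+(?P<life>\d+)\s+\S+\s+(?P<tunnel>[A-Z])/(?P<monitor>[A-Z-])",
    re.MULTILINE)


@dataclass
class PeerState:
    peer: str
    sa_id: str = ""
    phase1_proposal: str = ""   # empty when no IKE cookie exists for the peer
    inbound_active: bool = False
    outbound_active: bool = False
    monitor: str = "-"


def parse_ike_cookies(text):
    """Map remote peer IP -> Phase 1 proposal for every IKE cookie listed."""
    return {m.group("remote"): m.group("proposal") for m in IKE_RE.finditer(text)}


def parse_sa(text):
    """Map peer IP -> PeerState, folding the inbound and outbound lines together."""
    peers = {}
    for m in SA_RE.finditer(text):
        st = peers.setdefault(m.group("peer"), PeerState(peer=m.group("peer")))
        st.sa_id = m.group("id")
        st.monitor = m.group("monitor")
        active = m.group("tunnel") == "A"
        if m.group("dir") == "<":
            st.inbound_active = active
        else:
            st.outbound_active = active
    return peers


def assess(ike_text, sa_text):
    """Return {peer: verdict} combining Phase 1 and Phase 2 state."""
    cookies = parse_ike_cookies(ike_text)
    peers = parse_sa(sa_text)
    for peer, proposal in cookies.items():
        peers.setdefault(peer, PeerState(peer=peer)).phase1_proposal = proposal
    verdicts = {}
    for peer, st in peers.items():
        phase2_up = st.inbound_active and st.outbound_active
        if phase2_up and st.phase1_proposal:
            verdict = "up"
        elif phase2_up:
            # Tunnel passes traffic; IKE is renegotiated at the next Phase 2 rekey.
            verdict = "up-phase1-expired"
        elif st.phase1_proposal:
            # IKE done, IPsec not: check proxy IDs / Phase 2 proposal in the event log.
            verdict = "phase2-down"
        else:
            verdict = "down"
        if st.monitor == "D":
            verdict += "-monitor-down"
        verdicts[peer] = verdict
    return verdicts


if __name__ == "__main__":
    for peer, verdict in sorted(assess(IKE_COOKIE_OUTPUT, SA_OUTPUT).items()):
        print(f"{peer:<16} {verdict}")
```

Paste the real output of get ike cookie and get sa into the two strings (or read them from files) and the verdict tells you which phase to chase: "phase2-down" points at proxy IDs and the Phase 2 proposal, "down" at Phase 1, and "up-phase1-expired" is normal when the IKE lifetime is shorter than the IPsec lifetime.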

Running a Debug

To see what happens to the traffic itself, set a flow filter for the interesting source and destination, stop any existing debugs, clear the debug buffer, enable the IKE and flow debugs, send some traffic, then read the buffer back with get db str. Keep the filter as narrow as possible: an unfiltered flow debug on a busy firewall fills the buffer quickly and costs CPU, and remember to run undebug all when you are finished. In the output below the packet is permitted by policy 109, a session is created, and the flow goes into the tunnel and is ESP encrypted.

netscreen(M)-> set ff src-ip [local endpoint] dst-ip [remote endpoint] 
netscreen(M)-> undebug all
netscreen(M)-> clear db
netscreen(M)-> debug ike basic
netscreen(M)-> debug flow basic
netscreen(M)-> get db str
  Permitted by policy 109
  No src xlate   choose interface ethernet5 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet5
  vsd 0 is active
  no loop on ifp ethernet5.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet2>, out <ethernet5>
  existing vector list 25-6870620.
  Session (id:127345) created for first pak 25
  cache mac in the session
  search route to (ethernet5, [remote endpoint]->[local endpoint]) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet2
  [Dest] 10.route [local endpoint]->[next hop], to ethernet2
  route to [next hop]
  nsrp msg sent.
  flow got session.
  flow session id 127345
  vsd 0 is active
  skipping pre-frag 
  going into tunnel 40000266.
  flow_encrypt: pipeline.
chip info: DMA. Tunnel id 00000266
(vn2)  doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
    put packet(557a0f0) into flush queue.
    remove packet(557a0f0) out from flush queue.
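When the flow debug shows traffic entering a tunnel but the far side still sees nothing, the usual question is whether it entered the tunnel whose SA you are looking at. The following is an added example, not code from the article: it parses a get db str flow trace and a get sa id excerpt in the formats shown above and reports any inconsistency (no permit policy, no session, wrong egress interface, no tunnel entry, or a tunnel info value that does not match the SA). Both sample texts are constructed, with documentation addresses.

```python
"""Cross-check a ScreenOS `debug flow basic` trace (read back with `get db str`)
against `get sa id` detail: did the flow match a policy, get a session, and enter
the tunnel whose SA you are inspecting? Added example, not code from the article;
the sample text is constructed from the formats the article shows."""
import re

# Constructed `get sa id` excerpt for the tunnel under inspection.
SA_DETAIL = """\
index 49, name Example, peer gateway ip 198.51.100.10. vsys<Root>
auto key. policy node, tunnel mode, policy id in:<10104> out:<10103> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 662, peer id 52, NSRP Active. Vsd 0   site-to-site. Local interface is ethernet5 <192.0.2.1>.
  esp, group 0, a256 encryption, sha1 authentication
  autokey, IN active, OUT active
incoming: SPI 9f32882e, flag 00004000, tunnel info 40000296, pipeline
outgoing: SPI 7bd2a942, flag 00000000, tunnel info 40000296, pipeline
"""

# Constructed flow trace for a packet that went into that tunnel.
FLOW_TRACE_OK = """\
  Permitted by policy 109
  No src xlate   choose interface ethernet5 as outgoing phy if
  Session (id:127345) created for first pak 25
  going into tunnel 40000296.
  flow_encrypt: pipeline.
ipsec encrypt done
"""

# Same trace, but the packet entered a different tunnel (for example a more
# specific policy sent it to another peer).
FLOW_TRACE_WRONG_TUNNEL = FLOW_TRACE_OK.replace("40000296", "40000266")


def parse_sa_detail(text):
    """Pull the fields a flow trace can be compared against out of `get sa id` output."""
    active = re.search(r"autokey, IN (\w+), OUT (\w+)", text)
    local_if = re.search(r"Local interface is (\S+)", text)
    return {
        "peer": re.search(r"peer gateway ip (\d+(?:\.\d+){3})", text).group(1),
        # Normally one value shared by the incoming and outgoing SA lines.
        "tunnel_info": set(re.findall(r"tunnel info ([0-9a-f]+)", text)),
        "in_active": bool(active) and active.group(1) == "active",
        "out_active": bool(active) and active.group(2) == "active",
        "local_if": local_if.group(1) if local_if else None,
    }


def parse_flow_trace(text):
    """Extract policy, session, egress interface and tunnel from a `debug flow basic` trace."""
    def first(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None
    return {
        "policy": first(r"Permitted by policy (\d+)"),
        "session": first(r"Session \(id:(\d+)\) created"),
        "out_if": first(r"choose interface (\S+) as outgoing phy if"),
        "tunnel": first(r"going into tunnel ([0-9a-f]+)"),
        "encrypted": "ipsec encrypt done" in text,
    }


def cross_check(sa_text, trace_text):
    """Return a list of findings; an empty list means the trace is consistent with the SA."""
    sa, flow = parse_sa_detail(sa_text), parse_flow_trace(trace_text)
    findings = []
    if flow["policy"] is None:
        findings.append("no 'Permitted by policy' line: the flow never matched a permit policy")
    if flow["session"] is None:
        findings.append("no session created for the flow")
    if not (sa["in_active"] and sa["out_active"]):
        findings.append("SA is not active in both directions")
    if flow["out_if"] and sa["local_if"] and flow["out_if"] != sa["local_if"]:
        findings.append(f"egress {flow['out_if']} differs from the SA's local interface {sa['local_if']}")
    if flow["tunnel"] is None:
        findings.append("flow was not sent into any tunnel (routed or dropped in the clear)")
    elif flow["tunnel"] not in sa["tunnel_info"]:
        findings.append(f"tunnel mismatch: flow entered {flow['tunnel']}, SA tunnel info is "
                        f"{', '.join(sorted(sa['tunnel_info']))}")
    elif not flow["encrypted"]:
        findings.append("flow entered the tunnel but no 'ipsec encrypt done' was logged")
    return findings


if __name__ == "__main__":
    for name, trace in [("ok", FLOW_TRACE_OK), ("wrong tunnel", FLOW_TRACE_WRONG_TUNNEL)]:
        print(name, cross_check(SA_DETAIL, trace) or ["consistent"])
```

The tunnel info value in get sa id and the "going into tunnel" value in the flow trace are the same identifier, so a mismatch means the packet was encrypted towards a different peer than the one you are troubleshooting; check the policy order and the route for the destination before looking any further at the SA.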

If the tunnel does not come up at all, restrict the IKE debug to the peer with an SA filter and run it at detail level, which shows each IKE message and the proposal that is rejected:

netscreen(M)-> set sa-filter [IP]
netscreen(M)-> debug ike detail

Event Logs

In addition to checking the traffic logs to confirm that the traffic is being passed, you can look for Phase 1 and Phase 2 errors (proposal mismatches, proxy ID mismatches, authentication failures) in the device's event log, filtered on the peer IP.

netscreen(M)-> get event include [peer ip]

Rekey the VPN

For steps on how to rekey a VPN click here.

Rick Donato
