In this example we will run through the steps to troubleshoot a Site-to-Site VPN.
Confirm General Details
This will give us a general overview of our VPNs.
netscreen(M)-> get vpn
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ----------
sitea_vpn       sitea           tunl Yes   g2-esp-3des-sha      off     0       eth5
siteb_vpn       siteb           tunl Yes   g2-esp-3des-sha      off     2       eth5
sitec_vpn       sitec           tunl Yes   g2-esp-3des-sha      off     0       eth5
sited_vpn       sited           tunl Yes   g2-esp-3des-sha      off     0       eth5
Confirm Phase 1
To confirm whether IKE (Phase 1) has been successful, run the following command. You may find that there is no IKE cookie even though there is a Phase 2 Security Association. This happens when the Phase 1 IKE lifetime is set to a value less than the Phase 2 lifetime. You can find additional details here.
netscreen(M)-> get ike cookie | i [remote peer ip]
80522f/0003, [local peer]:500->[remote peer]:500, PRESHR/grp2/AES256/SHA, xchg(5) (Example/grp-1/usr-1)
Confirm Phase 2
From the get sa command you can see the status and various details of the Security Associations. The two-character field in the output below (A/-) shows the status of the VPN tunnel (left) and the status of the VPN monitor (right). In this case the VPN tunnel is active and the VPN monitor is dashed out as it isn't enabled.
netscreen(M)-> get sa | i [peer ip]
00000007<  [peer ip]  500 esp:3des/md5 zbcA14zz  3317 unlim A/-    22 0
00000007>  [peer ip]  500 esp:3des/md5 fbcb64ee  3317 unlim A/-    -1 0
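When a firewall carries many tunnels, reading the status field by eye across dozens of get sa lines is error-prone. The script below is an added example, not part of the original article: it parses the one-line-per-SA summary printed by get sa, decodes the status field (A = active, I = inactive on the left; U = up, D = down, - = not enabled on the right, as documented for ScreenOS) and lists the SA pairs a troubleshooter should look at first. The sample output is constructed in the layout of the article's output: the first two lines mirror the article with a documentation peer address, the remaining lines and the header line are invented to show a tunnel whose VPN monitor reports down and one whose SA is inactive.

```python
"""Decode the status field of ScreenOS `get sa` summary output.

Added example, not from the original article.
"""
import re
from dataclasses import dataclass
from typing import Optional

SA_STATE = {"A": "active", "I": "inactive"}                    # left half of A/-
MONITOR_STATE = {"U": "up", "D": "down", "-": "not enabled"}   # right half of A/-

# Constructed sample. Lines for 00000007 follow the article (peer address and SPIs
# anonymised); 00000008 and 00000009 are invented, and the header line is approximated.
SAMPLE_GET_SA = """\
netscreen(M)-> get sa
total configured sa: 3
HEX ID    Gateway         Port Algorithm      SPI       Life:sec km Sta    PID vsys
00000007<  192.0.2.10      500 esp:3des/md5   zbcA14zz  3317 unlim A/-    22 0
00000007>  192.0.2.10      500 esp:3des/md5   fbcb64ee  3317 unlim A/-    -1 0
00000008<  192.0.2.20      500 esp:a256/sha1  0a1b2c3d   120 unlim A/D    22 0
00000008>  192.0.2.20      500 esp:a256/sha1  3d2c1b0a   120 unlim A/D    -1 0
00000009<  192.0.2.30      500 esp:3des/sha1  00000000 expir unlim I/-    -1 0
00000009>  192.0.2.30      500 esp:3des/sha1  00000000 expir unlim I/-    -1 0
"""

# One SA per line: hex id plus direction marker, then whitespace-separated columns.
SA_LINE = re.compile(
    r"^(?P<hexid>[0-9a-fA-F]{8})(?P<direction>[<>])\s+"
    r"(?P<peer>\S+)\s+(?P<port>\d+)\s+(?P<algorithm>\S+)\s+(?P<spi>\S+)\s+"
    r"(?P<life>\S+)\s+(?P<kb>\S+)\s+(?P<sa>\S)/(?P<monitor>\S)\s+"
    r"(?P<pid>-?\d+)\s+(?P<vsys>\d+)"
)


@dataclass
class SaEntry:
    hexid: str
    direction: str            # "<" inbound, ">" outbound
    peer: str
    port: int
    algorithm: str
    spi: str
    life_sec: Optional[int]   # None when the column is not a number (constructed "expir")
    sa_state: str
    monitor_state: str
    policy_id: int


def parse_get_sa(text: str) -> list:
    """Return one SaEntry per SA line; prompt, header and total lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue
        entries.append(SaEntry(
            hexid=m["hexid"], direction=m["direction"], peer=m["peer"],
            port=int(m["port"]), algorithm=m["algorithm"], spi=m["spi"],
            life_sec=int(m["life"]) if m["life"].isdigit() else None,
            sa_state=SA_STATE.get(m["sa"], f"unknown ({m['sa']})"),
            monitor_state=MONITOR_STATE.get(m["monitor"], f"unknown ({m['monitor']})"),
            policy_id=int(m["pid"]),
        ))
    return entries


def describe(entry: SaEntry) -> str:
    """Human-readable one-liner for a single SA."""
    direction = "inbound" if entry.direction == "<" else "outbound"
    life = f"{entry.life_sec}s remaining" if entry.life_sec is not None else "no lifetime"
    return (f"SA {entry.hexid} {direction} to {entry.peer}: tunnel {entry.sa_state}, "
            f"VPN monitor {entry.monitor_state}, {entry.algorithm}, {life}")


def find_problems(entries: list) -> list:
    """One message per SA pair (inbound + outbound) that needs attention."""
    by_id = {}
    for e in entries:
        by_id.setdefault(e.hexid, []).append(e)
    problems = []
    for hexid, pair in sorted(by_id.items()):
        peer = pair[0].peer
        if any(e.sa_state != "active" for e in pair):
            problems.append(f"{hexid} ({peer}): Phase 2 SA not active; check "
                            f"`get ike cookie` and `get event include {peer}`")
        elif any(e.monitor_state == "down" for e in pair):
            problems.append(f"{hexid} ({peer}): SA active but VPN monitor down; "
                            f"the peer is not answering monitor probes through the tunnel")
        if len(pair) != 2:
            problems.append(f"{hexid} ({peer}): expected inbound and outbound SA, found {len(pair)}")
    return problems


if __name__ == "__main__":
    sas = parse_get_sa(SAMPLE_GET_SA)
    for sa in sas:
        print(describe(sa))
    for problem in find_problems(sas):
        print("PROBLEM:", problem)
```

Paste the real get sa output into SAMPLE_GET_SA (or read it from a file) to use it on a live device; the parser ignores any line that does not start with an SA hex id, so the prompt and header are harmless.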
Using the SA ID we can confirm additional details of the Phase 2 SA.
netscreen(M)-> get sa id 0x00000007
index 49, name Example, peer gateway ip [remote peer]. vsys<Root>
auto key. policy node, tunnel mode, policy id in:<10104> out:<10103> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 662, peer id 52, NSRP Active. Vsd 0 site-to-site. Local interface is ethernet5 <[local peer]>.
  esp, group 0, a256 encryption, sha1 authentication
  autokey, IN active, OUT active
  monitor<0>, latency: 0, availability: 0
  DF bit: clear
  app_sa_flags: 0x2067
  proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0
  ike activity timestamp: 590051543
  nat-traversal map not available
  incoming: SPI 9j32882e, flag 00004000, tunnel info 40000296, pipeline
    life 86400 sec, 19761 remain, 0 kb, 0 bytes remain
    anti-replay on, last 0xb6840, window 0xffffffff, idle timeout value <0>, idled 0 seconds
    next pak sequence number: 0x0
  outgoing: SPI 7bz2a942, flag 00000000, tunnel info 40000296, pipeline
    life 86400 sec, 19761 remain, 0 kb, 0 bytes remain
    anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 0 seconds
    next pak sequence number: 0x89j9c
Running a Debug
Here we will run a debug to obtain a more verbose view of what is happening to our traffic.
netscreen(M)-> set ff src-ip [local endpoint] dst-ip [remote endpoint]
netscreen(M)-> undebug all
netscreen(M)-> clear db
netscreen(M)-> debug ike basic
netscreen(M)-> debug flow basic
netscreen(M)-> get db str
!
!
  Permitted by policy 109
  No src xlate
  choose interface ethernet5 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet5
  vsd 0 is active
  no loop on ifp ethernet5.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet2>, out <ethernet5>
  existing vector list 25-6870620.
  Session (id:127345) created for first pak 25
  flow_first_install_session======>
  cache mac in the session
  make_nsp_ready_no_resolve()
  search route to (ethernet5, [remote endpoint]->[local endpoint]) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet2
  [Dest] 10.route [local endpoint]->[next hop], to ethernet2
  route to [next hop]
  nsrp msg sent.
  flow got session.
  flow session id 127345
  vsd 0 is active
  skipping pre-frag
  going into tunnel 40000266.
  flow_encrypt: pipeline.
  chip info: DMA. Tunnel id 00000266
  (vn2) doing ESP encryption and size =64
  ipsec encrypt prepare engine done
  ipsec encrypt set engine done
  ipsec encrypt engine released
  ipsec encrypt done
  put packet(557a0f0) into flush queue.
  remove packet(557a0f0) out from flush queue.
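The trace above is the healthy case: the packet is permitted by a policy, gets a session, is routed out of the egress interface, enters a tunnel and is encrypted. When traffic is not reaching the far side, the useful question is which of those checkpoints is the last one the packet passed. The script below is an added example, not part of the original article: it runs the get db str text through the checkpoints visible in the article's trace and reports the first one that is missing. The traces in it are constructed: the good trace repeats the article's lines with the [local endpoint], [remote endpoint] and [next hop] placeholders replaced by documentation addresses, and the failure trace is the same text cut off after the session is installed, as it would look when the packet never entered a tunnel.

```python
"""Summarise ScreenOS `debug flow basic` output against the checkpoints an
encrypted packet should pass. Added example, not from the original article."""
import re

# Checkpoints in the order they appear in the article's trace. Every pattern is
# taken from a line shown in the article; the capture group is the value worth
# recording (policy id, egress interface, session id, next hop, tunnel id).
CHECKPOINTS = [
    ("policy_permitted", re.compile(r"Permitted by policy (\d+)")),
    ("egress_interface", re.compile(r"choose interface (\S+) as outgoing phy if")),
    ("session_created", re.compile(r"Session \(id:(\d+)\) created")),
    ("route_found", re.compile(r"^route to (\S+)")),    # not "search route to ..."
    ("tunnel_selected", re.compile(r"going into tunnel (\w+)")),
    ("encrypted", re.compile(r"ipsec encrypt done")),
]

# Constructed trace in the layout of the article's `get db str` output, with the
# article's placeholders replaced by documentation addresses:
# local endpoint 10.1.1.10, remote endpoint 10.2.2.20, next hop 203.0.113.1.
GOOD_TRACE = """\
  Permitted by policy 109
  No src xlate
  choose interface ethernet5 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet5
  vsd 0 is active
  no loop on ifp ethernet5.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet2>, out <ethernet5>
  existing vector list 25-6870620.
  Session (id:127345) created for first pak 25
  flow_first_install_session======>
  cache mac in the session
  make_nsp_ready_no_resolve()
  search route to (ethernet5, 10.2.2.20->10.1.1.10) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet2
  [Dest] 10.route 10.1.1.10->203.0.113.1, to ethernet2
  route to 203.0.113.1
  nsrp msg sent.
  flow got session.
  flow session id 127345
  vsd 0 is active
  skipping pre-frag
  going into tunnel 40000266.
  flow_encrypt: pipeline.
  chip info: DMA. Tunnel id 00000266
  (vn2) doing ESP encryption and size =64
  ipsec encrypt prepare engine done
  ipsec encrypt set engine done
  ipsec encrypt engine released
  ipsec encrypt done
  put packet(557a0f0) into flush queue.
  remove packet(557a0f0) out from flush queue.
"""

# Constructed failure case: the same trace cut off after the session is installed,
# i.e. the packet was routed but never went into a tunnel.
CLEARTEXT_TRACE = GOOD_TRACE.split("  skipping pre-frag")[0]


def summarise_flow_debug(text: str) -> dict:
    """Map each checkpoint seen to its captured value (or True when there is none)."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        for name, pattern in CHECKPOINTS:
            if name in found:
                continue                      # keep the first occurrence only
            m = pattern.search(line)
            if m:
                found[name] = m.group(1) if m.groups() else True
    return found


def missing_checkpoints(text: str) -> list:
    """Checkpoints the packet never reached, in trace order; start at the first one."""
    found = summarise_flow_debug(text)
    return [name for name, _ in CHECKPOINTS if name not in found]


if __name__ == "__main__":
    for label, trace in (("good", GOOD_TRACE), ("cleartext", CLEARTEXT_TRACE)):
        print(f"--- {label} ---")
        for name, value in summarise_flow_debug(trace).items():
            print(f"{name}: {value}")
        print("missing:", missing_checkpoints(trace) or "none")
```

For the failure trace the first missing checkpoint is tunnel_selected, which points at the policy and route rather than at IKE: the packet was permitted and routed but never associated with a tunnel interface, so the IPsec SA is never consulted.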
If the tunnel does not come up you can use the following debug:
netscreen(M)-> debug ike detail
netscreen(M)-> set sa-filter [IP]
Event Logs
In addition to checking the traffic logs to confirm that traffic is being passed, you can check the device's event logs for Phase 1 and Phase 2 errors.
netscreen(M)-> get event include [peer ip]
Rekey the VPN
For steps on how to rekey a VPN click here.