
How to Troubleshoot VPN Connectivity Issues | Palo Alto Networks Live 3/25/15, 6:00 AM


How to Troubleshoot VPN Connectivity Issues (Version 8)

created by kprakash on Aug 28, 2012 2:37 PM, last modified by panagent on Jan 15, 2015 6:25 PM

Phase 1
- Try pinging the peer IP from the PA external interface. This is to rule out ISP related issues. Ensure that pings are enabled on the peer's external interface.
- If pings have been blocked per security requirements, check if the other peer is responding to the main/aggressive mode messages or to the DPDs (check for the peer's responses to the "Are you there?" messages in the system logs under the Monitor tab, or in the ikemgr logs).
- Check whether the IKE identity is configured correctly.
- Check if a policy is in place to permit the IKE and IPSec applications. Usually this policy is not required if there is no clean-up rule configured on the box. If a clean-up rule is configured, the policy is usually configured from the external zone to the external zone.
- Check if the proposals are correct (if incorrect, logs about the mismatch can be found under the system logs, or using the command less mp-log ikemgr.log).
- Check if the preshared key is correct (if incorrect, logs about the mismatch can be found under the system logs, or using the command less mp-log ikemgr.log).
- Take packet captures to analyze the traffic. Use filters to narrow the scope of the captured traffic.

Useful commands:
> show vpn ike-sa gateway <name>
> test vpn ike-sa gateway <name>
> debug ike stat

Advanced commands:
For detailed logging, set the logging level to "debug".
> debug ike global on debug
> less mp-log ikemgr.log

To view the main/aggressive and quick mode negotiations, it is possible to turn on pcaps for capturing these
negotiations. Please note that messages 5 and 6 onwards in main mode, and all the packets in quick mode,
have their data payload encrypted.
> debug ike pcap on
> view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap

Turn off the debugs:
> debug ike pcap off


Configuring packet filters and captures restricts the pcaps to the tunnel being worked on, whereas debug ike
pcap on captures all of the VPN traffic.

To check if NAT-T is enabled: when it is in use, the packets move to UDP port 4500 instead of 500 starting with
the 5th and 6th messages of main mode.
Check if the vendor ID of the peer is supported on our box and vice versa.
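The two capture checks above (which main mode messages are encrypted, and whether the exchange has moved to UDP/4500 for NAT-T) can be verified directly on the ISAKMP headers in the ikemgr pcap. The following is an added example, not part of the original article or of PAN-OS: it decodes the fixed 28-byte ISAKMP header (RFC 2408) of each UDP datagram, strips the four-zero-byte non-ESP marker that prefixes IKE on port 4500 (RFC 3948), and reports the exchange type, the encryption flag and the NAT-T status. The sample capture is constructed inline; a real one would be fed from the exported ikemgr.pcap.

```python
import struct
from typing import NamedTuple, Optional

# ISAKMP fixed header (RFC 2408 section 3.1): initiator cookie (8), responder
# cookie (8), next payload (1), version (1), exchange type (1), flags (1),
# message ID (4), total length (4) = 28 bytes, network byte order.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: prefixes IKE carried over UDP/4500

EXCHANGE_TYPES = {
    2: "main mode",          # Identity Protection exchange
    4: "aggressive mode",
    5: "informational",      # DPD "Are you there?" notifies travel in this exchange
    32: "quick mode",
}
FLAG_ENCRYPTION = 0x01  # E bit: the payloads after the header are encrypted


class IkeSummary(NamedTuple):
    exchange: str
    encrypted: bool
    nat_t: bool
    message_id: int


def decode_ike_datagram(dst_port: int, payload: bytes) -> Optional[IkeSummary]:
    """Classify one UDP datagram from the IKE daemon's pcap.

    Returns None for anything that is not an ISAKMP message: non-IKE ports,
    truncated headers, or ESP-in-UDP on 4500 (which starts with a non-zero SPI
    rather than the four-zero-byte non-ESP marker).
    """
    if dst_port == 4500:
        if not payload.startswith(NON_ESP_MARKER):
            return None  # UDP-encapsulated ESP data, not an IKE message
        payload = payload[len(NON_ESP_MARKER):]
        nat_t = True
    elif dst_port == 500:
        nat_t = False
    else:
        return None
    if len(payload) < ISAKMP_HEADER.size:
        return None
    _ic, _rc, _next, version, xtype, flags, msg_id, length = ISAKMP_HEADER.unpack_from(payload)
    if version >> 4 != 1 or length < ISAKMP_HEADER.size:
        return None  # only IKEv1 (major version 1) is handled here
    return IkeSummary(
        exchange=EXCHANGE_TYPES.get(xtype, f"unknown exchange {xtype}"),
        encrypted=bool(flags & FLAG_ENCRYPTION),
        nat_t=nat_t,
        message_id=msg_id,
    )


def negotiation_report(datagrams):
    """Summarise (dst_port, payload) pairs the way a troubleshooter reads the capture."""
    report = {"nat_t": False, "cleartext_main_mode": 0, "encrypted_main_mode": 0,
              "quick_mode": 0, "esp_in_udp": 0}
    for port, payload in datagrams:
        summary = decode_ike_datagram(port, payload)
        if summary is None:
            if port == 4500 and len(payload) >= 4 and not payload.startswith(NON_ESP_MARKER):
                report["esp_in_udp"] += 1
            continue
        report["nat_t"] = report["nat_t"] or summary.nat_t
        if summary.exchange == "main mode":
            key = "encrypted_main_mode" if summary.encrypted else "cleartext_main_mode"
            report[key] += 1
        elif summary.exchange == "quick mode":
            report["quick_mode"] += 1
    return report


def build_ike_datagram(exchange_type: int, flags: int, message_id: int, nat_t: bool) -> bytes:
    """Constructed sample: a bare ISAKMP header (no payloads), optionally NAT-T framed."""
    header = ISAKMP_HEADER.pack(b"\x11" * 8, b"\x22" * 8, 0, 0x10, exchange_type,
                                flags, message_id, ISAKMP_HEADER.size)
    return NON_ESP_MARKER + header if nat_t else header


# Constructed capture: main mode messages 1-4 in the clear on UDP/500, then the
# peers detect NAT and move to UDP/4500 for the encrypted messages 5-6, quick
# mode, and finally ESP-in-UDP data traffic.
SAMPLE_CAPTURE = [
    (500, build_ike_datagram(2, 0x00, 0, nat_t=False)),
    (500, build_ike_datagram(2, 0x00, 0, nat_t=False)),
    (500, build_ike_datagram(2, 0x00, 0, nat_t=False)),
    (500, build_ike_datagram(2, 0x00, 0, nat_t=False)),
    (4500, build_ike_datagram(2, FLAG_ENCRYPTION, 0, nat_t=True)),
    (4500, build_ike_datagram(2, FLAG_ENCRYPTION, 0, nat_t=True)),
    (4500, build_ike_datagram(32, FLAG_ENCRYPTION, 0x1A2B3C4D, nat_t=True)),
    (4500, b"\x00\x00\xC0\xDE" + b"\x00\x00\x00\x01" + b"\xAA" * 16),  # ESP: SPI, seq, ciphertext
]

if __name__ == "__main__":
    print(negotiation_report(SAMPLE_CAPTURE))
```

If the report shows cleartext main mode messages but no encrypted ones, the peers never got past message 4, which points at a proposal or pre-shared key problem rather than at the data path; a non-zero esp_in_udp count together with nat_t confirms the peer is sending its ESP through the NAT rather than as raw protocol 50.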

Phase 2
Check if the firewalls are negotiating the tunnels, and ensure that 2 unidirectional SPIs exist:
> show vpn ipsec-sa
> show vpn ipsec-sa tunnel <tunnel.name>

- Check if the proposals are correct (if incorrect, logs about the mismatch can be found under the system logs under the Monitor tab, or using the command less mp-log ikemgr.log).
- Check if PFS is enabled on both ends (if mismatched, logs about the mismatch can be found under the system logs under the Monitor tab, or using the command less mp-log ikemgr.log).
- Check the proxy-ID configuration. This is usually not required when the tunnel is between two Palo Alto Networks firewalls, but when the peer is from another vendor, IDs usually need to be configured. A mismatch would be indicated under the system logs, or using the command:
> less mp-log ikemgr.log

Useful commands:
> show vpn flow name <tunnel.id/tunnel.name>
> show vpn flow name <tunnel.id/tunnel.name> | match bytes
Check whether the encapsulation and decapsulation bytes are increasing. If the firewall is passing traffic fine, both of these values should be increasing.
- If the encapsulation bytes are increasing and decapsulation is constant, the firewall is sending packets but not receiving; check that no policy is dropping the traffic, and whether there is a port translating device in front of the PAN that might be dropping the ESP packets.
- If the decapsulation bytes are increasing and encapsulation is constant, the firewall is receiving packets but not transmitting; check that no policy is dropping the traffic.
> test routing fib-lookup virtual-router default ip <destination IP>
--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
virtual-router: default
destination: 10.5.1.1
result: interface tunnel.1
> show routing route


Advanced commands:
> debug ike global on debug
> less mp-log ikemgr.log
> debug ike pcap on
> view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap
> debug ike pcap off

If the tunnels are up but traffic is not passing through the tunnel:

- Check the security policy and/or routing.
- Check if there is a port address translating device in front of the PAN that is translating ports. ESP packets do not have port numbers; ESP is a layer 3 protocol. When such a device sees ESP packets without ports, it will drop them.
- Apply debug packet filters, captures or logs if necessary to isolate where the traffic is getting dropped.
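The encap/decap counter checks in the Phase 2 command list above, and the "tunnel up but no traffic" checklist, amount to a small decision table: sample the counters twice a few seconds apart and see which direction moved. The following added example (not part of the original article or of PAN-OS) implements that table over captured command output. The exact layout of "show vpn flow name <tunnel> | match bytes" is not shown on the page, so the "encap bytes:" / "decap bytes:" line format and the sample outputs below are assumptions, constructed for the example.

```python
import re
from typing import Dict

# Assumed output format for "show vpn flow name <tunnel> | match bytes": one
# "encap bytes:" and one "decap bytes:" line. The real command's layout is not
# shown on the page; the samples below are constructed for this example.
COUNTER_RE = re.compile(r"^\s*(encap|decap) bytes:\s*(\d+)\s*$", re.MULTILINE)


def parse_counters(output: str) -> Dict[str, int]:
    """Extract the encap/decap byte counters from one run of the command."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(output)}
    missing = {"encap", "decap"} - set(counters)
    if missing:
        raise ValueError(f"counter line(s) not found: {sorted(missing)}")
    return counters


def tunnel_verdict(before: str, after: str) -> str:
    """Compare two samples of the counters taken a few seconds apart.

    Returns the diagnosis the checklist maps each pattern to:
      passing            both directions increasing
      no-return-traffic  we encrypt and send, nothing comes back: check the
                         peer side's policy, or a port-translating device in
                         front of the firewall dropping ESP
      no-transmit        we receive, nothing leaves: check local policy/routing
      idle               nothing moved in either direction
    """
    b, a = parse_counters(before), parse_counters(after)
    encap_up = a["encap"] > b["encap"]
    decap_up = a["decap"] > b["decap"]
    if encap_up and decap_up:
        return "passing"
    if encap_up:
        return "no-return-traffic"
    if decap_up:
        return "no-transmit"
    return "idle"


# Constructed sample outputs: two successive runs of the command on a tunnel
# that is sending but never receiving.
SAMPLE_T0 = """\
        encap bytes:           144000
        decap bytes:           0
"""
SAMPLE_T1 = """\
        encap bytes:           151200
        decap bytes:           0
"""

if __name__ == "__main__":
    print(tunnel_verdict(SAMPLE_T0, SAMPLE_T1))  # no-return-traffic
```

Run the command twice with a short pause (or while generating test traffic through the tunnel) and paste the two outputs in; a verdict of "no-return-traffic" with a healthy Phase 2 SA is the classic signature of a PAT device ahead of the firewall discarding inbound ESP.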

owner: kprakash

Categories: VPN Tags: vpn, ipsec, ike

5 Comments

MattJamison Nov 6, 2014 5:41 AM

admin@firewall> less mp-log ikemgr
/var/log/pan/ikemgr: No such file or directory

Any ideas? Trying to get a tunnel up between my PA-200 running 6.1 and a VYOS box, it seems like there is
absolutely no traffic passing, even though if I remove the VYOS host from my allow vpn rule, I'm seeing lots
of deny messages but once I allow, no more messages.

jdelio Nov 6, 2014 1:04 PM (in response to MattJamison)

I am sorry, the documentation was off just slightly..

The command needs to read:
> less mp-log ikemgr.log

If ever in doubt, use "tab" as it will autocomplete via the CLI.

Please try that and see if that provides you with any more information.
