Troubleshooting SD-WAN in Infinity Portal

Symptom:
- In the WAN Link Mapping window, the yellow triangle icon appears near an SD-WAN Security Gateway.
- When you hover the mouse cursor over this icon, the information popup appears:
  This Gateway has no SD-WAN interfaces defined. Please complete the missing configuration using GAIA Portal.
Solution:
- In Infinity Portal:
  - In the Quantum SD-WAN application, go to the Network view > Agents page.
  - At the top, click the List View button.
  - The top section must show the SD-WAN Security Gateway object.
  - Click the SD-WAN Security Gateway object.
  - The bottom section must show:
    - Status: Connected
    - Policy version: <Integer Value>
- In SmartConsole:
  - From the left navigation panel, click Gateways & Servers.
  - Open the Security Gateway object.
  - In the left pane, click Network Management.
  - Examine the configuration of interfaces:
    - The names of the interfaces (to see the actual interface names, you can click Get Interfaces > Get Interface with Topology; do not click Accept).
    - The topology of the SD-WAN interfaces must be External (otherwise, they do not appear in the WAN Link Mapping window).
- On the Security Gateway, examine the interface configuration in one of these ways:
  - On the Security Gateway:
    - In Gaia Portal:
      Network Interfaces page > SD-WAN Interfaces section
    - In Gaia Clish:
      show interface <Name of Interface> sdwan
      or
      show configuration sdwan
    - In the Expert mode:
      sdwan_conf show
  - On the Quantum Spark Appliance:
    Make sure you configured Internet connections in one of these ways:
    - In WebUI:
      Device view > Network section > Internet
    - In Gaia Clish:
      show internet-connections
    - In the Expert mode:
      sdwan_conf show
- On the Security Gateway, examine the Nano-Agent status:
  - Log in to the Expert mode.
  - Run:
    cpnano -s
    All statuses must be Succeeded or Running.
- On the Security Gateway, make sure the Access Control Policy is installed:
  cpstat -f policy fw

Symptom:
In Infinity Portal > Quantum SD-WAN application > the Network view > SD-WAN Policy page > WAN Link Mapping window still shows an SD-WAN Security Gateway object, although an administrator deleted its object in SmartConsole.
Solution:
- In Infinity Portal > Quantum SD-WAN application, delete the SD-WAN Security Gateway object from all profiles of type "SD-WAN Profile":
  - Go to the Network view > Profiles page.
  - Click a profile of type "SD-WAN Profile".
  - Click the General tab.
  - In the SD-WAN Gateways section, click the SD-WAN Security Gateway object.
  - From the top toolbar, click Delete (the "x" icon).
- In Infinity Portal > Quantum SD-WAN application, delete the SD-WAN Security Gateway object from the Agents page:
  - Go to the Network view > Agents page.
  - Delete the SD-WAN Security Gateway object:
    - In the Grid View:
      In the SD-WAN Security Gateway object, in the top right corner, click the 3-dots and click Delete.
    - In the List View:
      Click the SD-WAN Security Gateway object > from the top toolbar, click Delete (the "garbage can" icon).
- At the top, click Publish.

Symptom:
Some network objects are missing in Infinity Portal > Quantum SD-WAN application > Network view > SD-WAN Policy page > in the picker of the Source and / or Destination fields or rules.
Solution:
Make sure the required object appears in Quantum SD-WAN application > Network view > Assets page.
- The object appears on the Assets page:
  Contact Check Point Support.
- The object does not appear on the Assets page:
  - In SmartConsole, make sure this object exists.
  - In SmartConsole, make sure you published the session that created this object.
  - In SmartConsole, make sure the Management Server is connected correctly to Infinity Portal:
    - From the left navigation panel, click Infinity Services.
    - At the top of this page, the Infinity Portal Account must appear with the status Active.
    - At the bottom of this page, Configuration Sharing must show:
      - It is enabled (to verify, click the Edit button).
      - Its status is Active (green).
      - The last sync time is after the last publish.
    - If Configuration Sharing shows the status "Error", or if the last sync is not up to date, then follow sk181504.
    - If sk181504 did not resolve the issue, or if your Management Server is Smart-1 Cloud, then contact Check Point Support.
    - If Configuration Sharing shows the status "Active", and the last sync time is after the last publish, but the issue persists, then contact Check Point Support.

Symptom:
- Although you configured a rule to steer specific traffic, the Security Gateway does not match this traffic to the configured rule.
- After you added or removed network objects in a Network Group object that you use in an SD-WAN rule, the Security Gateway does not match the traffic as expected.
Solution:
- In SmartConsole, on the Infinity Services view, make sure that Configuration Sharing is enabled, its status is Active, and the last sync time is after the last session publish.
  See the scenario "Missing network objects in Infinity Portal SD-WAN".
- After the last sync time in SmartConsole > Infinity Services view, in Infinity Portal > Quantum SD-WAN, from the top toolbar, click Enforce to get the updated objects.
- Make sure the Security Gateway / each Cluster Member received the latest SD-WAN policy.
  Run on the Security Gateway / each Cluster Member:
  cpsdwan stat
  Compare the policy version in the output to the policy version in Infinity Portal > Quantum SD-WAN.
- Create the problematic connection again.
  In SmartConsole > Logs & Events view > Logs tab, examine the corresponding log record - refer to the SD-WAN section.
  Alternatively, run this kernel debug on the Security Gateway / each Cluster Member (schedule a maintenance window):
  - Start the kernel debug (see Troubleshooting SD-WAN with Kernel Debug):
    fw ctl zdebug -m SDWANRB all | grep PROB
  - Create the problematic connection again.
  - Stop the kernel debug by pressing the CTRL+C keys.
  - Reset the kernel debug options:
    fw ctl debug 0
- If the traffic still does not match the expected SD-WAN rule:
  Important:
  - Schedule a full maintenance window.
    The required kernel debug creates a high CPU load.
  - Before you run the commands below, read the section Troubleshooting SD-WAN with Kernel Debug.
  Instructions:
  - Start the kernel debug on the Security Gateway / each Cluster Member:
    fw ctl debug 0
    fwaccel dbg resetall
    fw ctl debug -buf 8200
    fw ctl debug -m SDWAN all
    fw ctl debug -m SDWANRB all
    fw ctl debug -m APPI all
    fw ctl debug -m UP all
    fw ctl debug -m fw + drop conn
    fwaccel dbg -m default all
    fwaccel dbg -m sdwan all
    fwaccel dbg -m api all
    fw ctl kdebug -T -f > /var/log/kernel_debug.txt
  - Create the problematic connection again.
    Write down the connection details - Start time, Source IP address, Source port, Destination IP address, Destination port, Protocol.
  - Press the CTRL+C keys to stop the kernel debug on the Security Gateway / each Cluster Member.
  - Reset the kernel debug options on the Security Gateway / each Cluster Member:
    fw ctl debug 0
    fwaccel dbg resetall
  - Contact Check Point Support and include these files and details from the Security Gateway / each Cluster Member:
    - /var/log/kernel_debug.txt
    - The connection details - Start time, Source IP address, Source port, Destination IP address, Destination port, Protocol.
    - CPinfo file (sk92739)
    - $FWDIR/log/sdwan_steering.elg
    - $FWDIR/log/cpsdwan.elg
    - $FWDIR/state/local/SDWAN/sdwan_steering_policy.json
    - /var/log/nano_agent/cp-nano-sdwan.dbg
    - /var/log/nano_agent/cp-nano-orchestration.dbg
    - Output of the "cpsdwan stat" command.
    - From SmartConsole, copy all details from the corresponding log (double-click the log record and click the Copy button).
    - From SmartConsole, provide the details of the involved Network Group object - the name of the object, the IP addresses of each child object.
    - From Infinity Portal > Quantum SD-WAN application > Network view > SD-WAN Policy page, copy all details from the corresponding SD-WAN rules.
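
The gateway-side files in the list above can be gathered in one pass after the kernel debug is stopped and reset. This script is an added example, not Check Point tooling; the function name, the archive path and the optional path-prefix argument are assumptions. It does not collect the CPinfo file or the SmartConsole and Infinity Portal details.

```bash
# Added example: bundle the gateway-side files listed above into one archive.
# Usage (Expert mode): collect_sdwan_support /var/log/sdwan_support.tgz
# Assumptions of this example: the function name, the archive name, and the
# optional second argument (a path prefix for rehearsing against copied files).
collect_sdwan_support() (
    out="${1:-}"; root="${2:-}"; missing=0
    [ -n "$out" ] || { echo "usage: collect_sdwan_support <out.tgz> [root]" >&2; exit 2; }
    [ -n "${FWDIR:-}" ] || { echo "FWDIR is not set; run in Expert mode" >&2; exit 2; }
    umask 077    # debug output holds connection details: keep the archive owner-only
    stage=$(mktemp -d) || exit 2
    for f in \
        /var/log/kernel_debug.txt \
        "$FWDIR/log/sdwan_steering.elg" \
        "$FWDIR/log/cpsdwan.elg" \
        "$FWDIR/state/local/SDWAN/sdwan_steering_policy.json" \
        /var/log/nano_agent/cp-nano-sdwan.dbg \
        /var/log/nano_agent/cp-nano-orchestration.dbg
    do
        if [ -r "$root$f" ]; then
            mkdir -p "$stage$(dirname "$f")"
            cp -p "$root$f" "$stage$f"
        else
            # Record the gap inside the archive so it is visible to the recipient.
            echo "MISSING: $f" >> "$stage/MISSING.txt"
            missing=$((missing + 1))
        fi
    done
    # Output of "cpsdwan stat", captured only where the command exists.
    if command -v cpsdwan >/dev/null 2>&1; then
        cpsdwan stat > "$stage/cpsdwan_stat.txt" 2>&1 || true
    else
        echo "MISSING: output of cpsdwan stat" >> "$stage/MISSING.txt"
        missing=$((missing + 1))
    fi
    tar -czf "$out" -C "$stage" . || exit 2
    rm -rf "$stage"
    echo "$missing"    # number of listed items that could not be collected
)
```

The function prints the number of listed items it could not collect; a non-zero count means MISSING.txt inside the archive names them.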