VPN Packet Tracking (bcstats)

You can run these commands to monitor the IPsec packet flow.

To see: Source and destination IP addresses
Run:
  • g_tcpdump for ip proto 50 (For Site-to-Site VPN)
  • g_tcpdump for UDP port 4500 (For SecureClient and Endpoint VPN clients)

To see: Which SGM encrypted packets are forwarded to
Run: bcstats vpn -v

To see: Which SGM holds the outbound SA
Run: g_fw tab -t outbound_SPI -f
Search for MSPI in the output. MSPI is the Meta SA, and shows which SGM holds the outbound SA.

Example - g_fw tab

# fw tab -t outbound_SPI -f
using cptfmt
Formatting table's data - this might take a while...
local host:
Date: Nov 14, 2011
12:37:15 172.16.6.171 > : (+)====================================(+); Table_Name: outbound_SPI; : (+); Attributes: dynamic, id 285,
attributes: keep, sync, kbuf 6 7, expires 3600, limit 20400, hashsize 32768; product: VPN-1 & FireWall-1;
12:37:15 172.16.6.171 > : (+); peer: 172.16.6.189; SPI: fs9baoec; CPTFMT_sep:   SPI: 1; Ic00MB1: c5364f5e6414aad9; cookieR:
95a478b10f9544a6; Expires: 3540/3610; product: VPN-1 & FireWall-1;

The output can include Security Associations (SAs) with an MSPI of 0. These are dummy SAs and can safely be ignored.
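
The MSPI search described above can be scripted. The following is an added example, not part of the Check Point documentation: a shell filter that reads formatted outbound_SPI table output on standard input and lists the peer, SPI and MSPI of each entry, skipping dummy SAs with an MSPI of 0. It assumes one entry per line made of "key: value;" pairs with a field named MSPI; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list outbound SAs with a non-zero MSPI from formatted
# outbound_SPI table output read on stdin.
# Assumptions: one entry per line, "key: value;" pairs, and a field named
# "MSPI" (name taken from the text above; the exact layout is assumed).
# Intended use on a gateway: g_fw tab -t outbound_SPI -f | list_meta_sas
list_meta_sas() {
    awk '
    {
        peer = ""; spi = ""; mspi = ""
        n = split($0, fields, ";")
        for (i = 1; i <= n; i++) {
            f = fields[i]
            sep = index(f, ":")
            if (sep == 0) continue
            key = substr(f, 1, sep - 1)
            val = substr(f, sep + 1)
            # Trim whitespace (and stray leading commas on keys)
            gsub(/^[ \t,]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "peer") peer = val
            else if (key == "SPI") spi = val
            else if (key == "MSPI") mspi = val
        }
        # Lines without an MSPI field (headers) and dummy SAs (MSPI 0) are skipped
        if (mspi != "" && mspi != "0")
            printf "peer=%s spi=%s mspi=%s\n", peer, spi, mspi
    }'
}

# Constructed sample input (documentation addresses, made-up SPI values)
sample_table() {
    cat <<'EOF'
using cptfmt
12:37:15 192.0.2.10 > : (+); Table_Name: outbound_SPI; Attributes: dynamic, id 285;
12:37:15 192.0.2.10 > : (+); peer: 192.0.2.20; SPI: 1a2b3c4d; MSPI: 1; Expires: 3540/3610;
12:37:15 192.0.2.10 > : (+); peer: 192.0.2.21; SPI: 5e6f7a8b; MSPI: 0; Expires: 3540/3610;
12:37:15 192.0.2.10 > : (+); peer: 192.0.2.22; SPI: 9c0d1e2f; MSPI: 3; Expires: 3500/3610;
EOF
}

sample_table | list_meta_sas
```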


©2014 Check Point Software Technologies Ltd. All rights reserved.