VSX Diagnostics and Troubleshooting

This chapter presents basic diagnostic and troubleshooting procedures to follow if you encounter a problem while working with VSX (Virtual System Extension, the Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices; these Virtual Devices provide the same functionality as their physical counterparts). This diagnostic routine will assist you in determining the source of the problem. This chapter also presents several known issues and their solutions.

Most problems are caused by configuration errors made while defining VSX Gateways (a VSX Gateway is the physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices; it holds at least one Virtual System, which is called VS0), clusters and Virtual Devices. Another common source of problems is networking and connectivity issues that affect VSX behavior. These problems are listed in the order in which you are likely to encounter them. Before reading and following a given workaround, make sure you have read all the previous workarounds and that the earlier configuration steps completed successfully.

In some cases, one initial problem can cause further problems in later stages of the configuration. For that reason, it is important to find the root cause when you are trying to understand what went wrong.

General Troubleshooting Steps

If you suspect that there is a problem with your VSX configuration, there are several diagnostic procedures that you can follow to determine the source. These procedures utilize various commands documented in the Command Line Reference.

  1. Perform a basic configuration check for each gateway or cluster member (a Security Gateway that is part of a cluster) by running the fw vsx stat -v command. The output allows you to:

    1. Account for all Virtual Systems and verify that none are missing from the configuration.

    2. Verify that all Virtual Devices are active.

    3. Verify that the correct security policy (the collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection) is installed for each Virtual System (a Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway; acronym: VS).

    4. Verify that SIC (Secure Internal Communication, the Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL for secure communication; this authentication is based on the certificates issued by the ICA on a Check Point Management Server) trust has been established with the management server.

  2. Run the cplic print command on each VSX Gateway, cluster (two or more Security Gateways that work together in a redundant configuration: High Availability or Load Sharing) member and management server to verify that the appropriate licenses are installed.

  3. Run the cphaprob stat command on each cluster member to verify its status. If a member is listed with a status other than Active, Standby, or Backup, refer to the "Troubleshooting" chapter in the R80.20 ClusterXL Administration Guide for additional troubleshooting assistance.

  4. If you suspect that a Virtual System is experiencing connectivity problems, perform the following steps:

    1. Run vsenv to set the context to the appropriate Virtual System.

    2. Run fw getifs to display the interface list for the Virtual System.

    3. Examine connectivity status using standard operating system commands and tools such as ping, traceroute, tcpdump, ip route and ftp. Some of these run according to context (i.e. routing, source and destination IP addresses).

    You can also execute the ip route and ip link commands.

    If these tests indicate that all interfaces and routers have connectivity and appear to be functioning correctly, monitor the passage of packets through the system.

  5. Execute the fw monitor -v <vsid> command to capture details of packets at multiple points. This may return multiple reports on the same packet as it passes various capture points. This command does not report on Virtual Routers, except for packets destined to an external Virtual Router (a Virtual Device on a VSX Gateway or VSX Cluster Member that functions as a physical router; acronym: VR).

    Note - The Performance Pack may have an adverse effect on the capabilities of the fw monitor command.

  6. Execute the tcpdump command to display transmitted or received packets for specific interfaces, including Warp interfaces. This often provides valuable clues for resolving connectivity issues.
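As an added example (not Check Point's code and not a command from this guide), the following POSIX shell function automates the checks of step 1 above: it reads the output of fw vsx stat -v on standard input and reports Virtual Systems that are not active, have no security policy installed, or whose SIC status is not Trust. The sample output embedded in the script is constructed, and the layout it parses (a "|"-separated Virtual Devices Status table and a "[active / configured]" summary line) is an assumption about the command's format; compare it with the real output on your gateway and adjust the field numbers if they differ.

```shell
#!/bin/sh
# Added example, not Check Point's code: checker for step 1 of the procedure.
# Reads `fw vsx stat -v` output on stdin and prints one finding per problem.
# The table layout assumed below is an ASSUMPTION about the command's format.

# CONSTRUCTED sample output approximating `fw vsx stat -v` (not real output).
SAMPLE_STAT_OUTPUT='VSX Gateway Status
==================
Name:                  vsx-gw-1
Access Control Policy: vsx_mgmt_policy
Installed at:          10Jan2020 09:12:03
SIC Status:            Trust

Number of Virtual Systems allowed by license:       25
Virtual Systems [active / configured]:               2 / 3
Virtual Routers and Switches [active / configured]:  1 / 1

Virtual Devices Status
======================

 ID  | Type & Name        | Security Policy     | Installed at        | SIC Stat
-----+--------------------+---------------------+---------------------+---------
   1 | S vs_finance       | finance_policy      | 10Jan2020 09:13:40  | Trust
   2 | S vs_hr            | <Not Applicable>    |                     | Trust
   3 | S vs_lab           | lab_policy          | 10Jan2020 09:15:02  | Unknown
   4 | R vr_external      | <Not Applicable>    |                     | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,
      R - Virtual Router, W - Virtual Switch.'

vsx_stat_findings() {
    awk -F'|' '
        # Summary line: "Virtual Systems [active / configured]:  2 / 3"
        /Virtual Systems \[active \/ configured\]/ {
            split($0, parts, ":")
            split(parts[2], ac, "/")
            active = ac[1] + 0; configured = ac[2] + 0
            if (active != configured)
                printf "%d of %d configured Virtual Systems are not active\n",
                       configured - active, configured
        }
        # Table rows: the first "|"-separated field is the numeric device ID.
        $1 ~ /^[ \t]*[0-9]+[ \t]*$/ {
            id = $1; gsub(/[ \t]/, "", id)
            split($2, tn, " ")             # "S vs_finance" -> type letter, name
            type = tn[1]; name = tn[2]
            policy = $3; gsub(/^[ \t]+|[ \t]+$/, "", policy)
            sic = $5; gsub(/[ \t]/, "", sic)
            # Only Virtual Systems (S, or B in bridge mode) must carry a policy;
            # Virtual Routers (R) and Switches (W) legitimately show <Not Applicable>.
            if ((type == "S" || type == "B") && policy == "<Not Applicable>")
                printf "VS %s (%s): no security policy installed\n", id, name
            if (sic != "Trust")
                printf "VS %s (%s): SIC status is %s, not Trust\n", id, name, sic
        }
    '
}

# Number of findings on the constructed sample. On a real gateway, run:
#   fw vsx stat -v | vsx_stat_findings
vsx_sample_finding_count() {
    printf '%s\n' "$SAMPLE_STAT_OUTPUT" | vsx_stat_findings | wc -l | tr -d ' '
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_STAT_OUTPUT" | vsx_stat_findings
```

Run against the sample, the script reports that one of the three configured Virtual Systems is not active, that vs_hr has no policy installed and that vs_lab has not established SIC trust, which are exactly the three conditions step 1 asks you to verify. The Virtual Router row is deliberately excluded from the policy check because only Virtual Systems carry a security policy.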