vpn debug

Background

Starting in R81.10, separate daemons handle different VPN connections:

  • The VPN daemon vpnd.

    Handles these VPN connections:

    • Site-to-Site connections from peer Security Gateways with a Statically Assigned IP address

    • All connections from non-IPsec Remote Access clients (SSL Network Extender)

    • Multi-Portal traffic

    The VPN daemon on a Security Gateway listens on these ports:

    • IKE: 500 (UDP)

    • IKE NAT-T: 4500 (UDP)

    • Tunnel Test: 18234 (UDP)

    • L2TP: 1701 (UDP)

    • Reliable Data Protocol (RDP): 259 (UDP)

    • Session infrastructure manager: 9996 (TCP)

    This process is a child of the FWD process (see the $FWDIR/conf/fwauthd.conf file on a Security Gateway).

  • The IKE daemon iked (introduced in R81.10).

    Handles these VPN connections:

    • All connections from IKE Remote Access clients (for example, Endpoint clients)

    • Site-to-Site connections from peer Security Gateways with a Dynamically Assigned IP address (DAIP)

    • Large Scale VPN (LSV) connections

    • Connections from SmartLSM ROBO gateways

    Listens on these ports on a Security Gateway:

    • IKE: 30500 - 30563 (UDP)

    • IKE NAT-T: 34500 - 34563 (UDP)

    • Tunnel Test: 48234 - 48297 (UDP)

    • Reliable Data Protocol (RDP): 30259 - 30322 (UDP)

    • L2TP: 31701 - 31764 (UDP)

    CLI Syntax: vpn iked

    Starting in R81.20, there can be up to 64 instances of the iked daemon. The number of instances is calculated with this formula:

    Number of IKED instances = (Number of CoreXL Firewall Instances) / (Value of Kernel Parameter 'ike_num_instances_per_daemon')

    Note - You can configure different values for the kernel parameter 'ike_num_instances_per_daemon'.

  • The CCC daemon cccd (introduced in R81.10).

    Responsible for the Circuit Cross-Connect (CCC) protocol, while:

    • IKE for the same clients runs in the IKE daemon iked

    • CCC TLS for the same clients runs in the VPN daemon vpnd

    CLI Syntax: vpn cccd

    This process is a child of the FWD process (see the $FWDIR/conf/fwauthd.conf file on a Security Gateway).

Disabling the IKE daemon "iked"

It is possible to configure the Security Gateway to disable the IKE daemon iked and work in the legacy mode, in which the VPN daemon vpnd handles all VPN connections.

Disabling the CCC daemon "cccd"

It is possible to configure the Security Gateway to disable the CCC daemon cccd and work in the legacy mode, in which the VPN daemon vpnd handles all VPN connections.

Description

This "vpn debug" command instructs the VPN daemon vpnd to write debug messages to these log files:

  • Main debug output file:

    • VPND log file: $FWDIR/log/vpnd.elg*

    • IKED log file for each instance: $FWDIR/log/iked0.elg, $FWDIR/log/iked1.elg, ..., $FWDIR/log/iked64.elg

    • CCCD log file: $FWDIR/log/cccd.elg

  • IKEv1 output:

    • VPND log file: $FWDIR/log/vpnd.ikev1trace

    • IKED log file for each instance: $FWDIR/log/iked0.ikev1trace, $FWDIR/log/iked1.ikev1trace, ..., $FWDIR/log/iked64.ikev1trace

    • CCCD log file: N/A

  • IKEv2 output:

    • VPND log file: $FWDIR/log/vpnd.ikev2trace

    • IKED log file for each instance: $FWDIR/log/iked0.ikev2trace, $FWDIR/log/iked1.ikev2trace, ..., $FWDIR/log/iked64.ikev2trace

    • CCCD log file: N/A

Debugging of the VPN daemon vpnd is based on Debug Topics and Debug Levels:

  • A Debug Topic is a specific area, on which to perform debugging.

    For example, if the Debug Topic is LDAP, all traffic between the VPN daemon and the LDAP server is written to the log file.

    Check Point Support provides the specific Debug Topics when needed.

  • Debug Levels range from 1 (least informative) to 5 (most informative - write all debug messages).

For more information, see sk180488.

In addition, see ike debug.

Syntax

vpn debug

      on [<Debug_Topic>=<Debug_Level>]

      off

      ikeon [-s <Size_in_MB>]

      ikeoff

      trunc [<Debug_Topic>=<Debug_Level>]

      truncon [<Debug_Topic>=<Debug_Level>]

      truncoff

      timeon [<Seconds>]

      timeoff

      ikefail [-s <Size_in_MB>]

      mon

      moff

      say ["String"]

      tunnel [<Debug_Level>]

Parameters

Parameter

Description

No Parameters

Shows the built-in usage.

on

Turns on high level VPN debug.

The debug writes the information in the $FWDIR/log/vpnd.elg* files.

Note - If you disabled the IKE daemon iked to work in the legacy mode, then the debug also writes the information in the $FWDIR/log/iked<Index>.ikev1trace and $FWDIR/log/iked<Index>.ikev2trace files.

<Debug_Topic>=<Debug_Level>

Specifies the Debug Topic and the Debug Level.

Check Point Support provides these.

Best Practice - Run this command to start the VPN debug:

vpn debug trunc ALL=5

off

Turns off the VPN debug (in legacy mode, also turns off the IKE debug).

Best Practice - Run one of these commands to stop the VPN daemon debug:

vpn debug off

vpn debug truncoff

ikeon [-s <Size_in_MB>]

Note - Applies only if you disabled the IKE daemon iked to work in the legacy mode.

Turns on the IKE trace.

The debug writes the information in the $FWDIR/log/iked<Index>.ikev1trace and $FWDIR/log/iked<Index>.ikev2trace files.

You can specify the size at which these files are rotated (the current active file is closed and renamed, and a new active file is opened).

ikeoff

Note - Applies only if you disabled the IKE daemon iked to work in the legacy mode.

Turns off the IKE trace.

Run this command to stop the IKE trace:

vpn debug ikeoff

trunc or truncon

This command:

  1. Rotates the $FWDIR/log/vpnd.elg file

  2. If you disabled the IKE daemon iked to work in the legacy mode:

    1. Truncates the $FWDIR/log/iked<Index>.ikev1trace file

    2. Truncates the $FWDIR/log/iked<Index>.ikev2trace file

  3. Starts the VPN daemon vpnd debug

  4. If you disabled the IKE daemon iked to work in the legacy mode:

    1. Starts the IKE debug

Best Practice - Run this command to start the VPN debug:

vpn debug trunc ALL=5

truncoff

Stops the VPN daemon debug.

Run one of these commands to stop the VPN debug:

vpn debug truncoff

vpn debug off

timeon [<Seconds>]

Enables the timestamp in the log files.

Prints a timestamp every specified number of seconds.

By default, prints the timestamp every 10 seconds.

timeoff

Disables the periodic timestamp in the log files.

ikefail [-s <Size_in_MB>]

Note - Applies only if you disabled the IKE daemon iked to work in the legacy mode.

Logs failed IKE negotiations.

You can specify the size at which the $FWDIR/log/iked<Index>.ikev1trace and $FWDIR/log/iked<Index>.ikev2trace files are rotated (the current active file is closed and renamed, and a new active file is opened).

mon

Note - Applies only if you disabled the IKE daemon iked to work in the legacy mode.

Enables the IKE Monitor.

Writes the IKE packets in the $FWDIR/log/ikemonitor.snoop file.

Warning - The output file may contain user X-Auth passwords. Make sure the file is protected.

moff

Note - Applies only if you disabled the IKE daemon iked to work in the legacy mode.

Disables the IKE Monitor.

say "String"

Writes the specified text string in the $FWDIR/log/vpnd.elg file.

For example, run: vpn debug say "BEGIN TEST"

Notes:

  • Run this command after you start the VPN debug (with one of these commands: "vpn debug on", "vpn debug trunc", or "vpn debug truncon").

  • The length of the string is limited to 255 characters.

tunnel [<Debug_Level>]

This command:

  1. Rotates the $FWDIR/log/vpnd.elg file

  2. Truncates the $FWDIR/log/iked<Index>.ikev1trace file

  3. Truncates the $FWDIR/log/iked<Index>.ikev2trace file

  4. Starts the VPN daemon debug with these two Debug Topics:

    tunnel

    ikev2

    If the <Debug_Level> is 2, 3, 4, or 5, then this Debug Topic is also enabled:

    CRLCache

  5. Starts the IKE debug (if you disabled the IKE daemon iked to work in the legacy mode)
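The start, mark, stop and collect sequence that the Parameters section describes, combined into one POSIX shell wrapper. This is an added example, not a script from Check Point or from this page. It assumes the vpn CLI is on the PATH of a Security Gateway (the VPN_CMD variable exists only so the functions can be exercised off-box), that $FWDIR is set as it is in a Check Point shell, and that the run argument and the /var/log/vpn-debug-<case-id>.tar archive path are this example's own conventions. The files it collects are the ones in the log-file list above plus the $FWDIR/log/ikemonitor.snoop file that the mon parameter produces.

```shell
#!/bin/sh
# Added example: wrapper for a "vpn debug" collection session on a Check Point
# Security Gateway. Not from the Check Point documentation or product.
# Assumptions: the "vpn" CLI is on the PATH (VPN_CMD overrides it, e.g. for
# exercising the functions off-box) and $FWDIR is set as in a Check Point shell.
set -u

VPN_CMD="${VPN_CMD:-vpn}"

# Start the VPN daemon debug the way the Best Practice above recommends:
# "trunc ALL=5" rotates vpnd.elg (and truncates the IKE traces in legacy
# mode) before enabling all topics at level 5. A periodic timestamp is
# enabled and a marker line is written so the reproduction window is easy
# to locate in vpnd.elg.
vpn_debug_start() {
    marker="$1"
    "$VPN_CMD" debug trunc ALL=5 || return 1
    "$VPN_CMD" debug timeon || return 1          # default: every 10 seconds
    "$VPN_CMD" debug say "BEGIN $marker"         # "say" must follow the start
}

# Write the closing marker and stop the debug. "truncoff" and "off" are
# interchangeable for stopping; "truncoff" is used here.
vpn_debug_stop() {
    marker="$1"
    "$VPN_CMD" debug say "END $marker"
    "$VPN_CMD" debug truncoff
}

# Pack every debug file from the log-file list (plus ikemonitor.snoop) that
# exists under $FWDIR/log into the archive named by $1. The archive is
# created with mode 600 because ikemonitor.snoop may contain X-Auth
# passwords. Returns 1 if no debug file was found.
vpn_debug_collect() {
    logdir="${FWDIR:?FWDIR is not set}/log"
    out="$1"
    names=""
    for f in "$logdir"/vpnd.elg* \
             "$logdir"/vpnd.ikev1trace "$logdir"/vpnd.ikev2trace \
             "$logdir"/iked[0-9]*.elg \
             "$logdir"/iked[0-9]*.ikev1trace "$logdir"/iked[0-9]*.ikev2trace \
             "$logdir"/cccd.elg "$logdir"/ikemonitor.snoop; do
        # an unmatched glob stays literal, so test each candidate
        [ -f "$f" ] && names="$names ${f##*/}"
    done
    if [ -z "$names" ]; then
        echo "no VPN debug files found in $logdir" >&2
        return 1
    fi
    old_umask=$(umask)
    umask 077                       # private from the moment it is created
    # shellcheck disable=SC2086 -- $names is a deliberately split word list
    tar -cf "$out" -C "$logdir" $names
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] && chmod 600 "$out"
}

# Usage on a gateway:  sh vpn_debug_session.sh run <case-id>
# The script pauses while you reproduce the problem, then stops the debug
# and packs the files into /var/log/vpn-debug-<case-id>.tar (assumed path).
case "${1:-}" in
    run)
        id="${2:?usage: $0 run <case-id>}"
        vpn_debug_start "$id" || exit 1
        printf 'Debug running. Reproduce the problem, then press Enter.\n'
        read -r _
        vpn_debug_stop "$id"
        vpn_debug_collect "/var/log/vpn-debug-$id.tar"
        ;;
esac
```

Run it as sh vpn_debug_session.sh run <case-id> on the Security Gateway, reproduce the problem when prompted, and hand the resulting archive to Check Point Support. Keeping the marker strings in vpnd.elg and the timestamps enabled lets whoever reads the trace cut it down to the reproduction window instead of the whole ALL=5 output.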

Return Values

  • 0 (zero) for success

  • any other value for failure (typically, -1 or 1)