vpn debug
Background
Starting in R81.10, separate daemons handle different VPN connections:
-
The VPN daemon
vpnd
.Handles these VPN connections:
-
Site-to-Site connections from peer Security Gateways with a Statically Assigned IP address
-
All connections from non-IPsec Remote Access clients (SSL Network Extender)
-
Multi-Portal traffic
The VPN daemon on a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. listens on these ports:
-
IKE: 500 (UDP)
-
IKE NAT-T: 4500 (UDP)
-
Tunnel Test: 18234 (UDP)
-
L2TP: 1701 (UDP)
-
Reliable Data Protocol (RDP): 259 (UDP)
-
Session infrastructure manager: 9996 (TCP)
This process is a child of the FWD process (see the
$FWDIR/conf/fwauthd.conf
file on a Security Gateway). -
-
The IKE daemon
iked
(introduced in R81.10).Handles these VPN connections:
-
All connections from IKE Remote Access clients clients (for example, Endpoint clients)
-
Site-to-Site connections from peer Security Gateways with a Dynamically Assigned IP address (DAIP)
-
Large Scale VPN (LSV) connections
-
Connections from SmartLSM ROBO gateways
Listens on these ports on a Security Gateway:
-
IKE: 30500 - 30563 (UDP)
-
IKE NAT-T: 34500 - 34563 (UDP)
-
Tunnel Test: 48234 - 48297 (UDP)
-
Reliable Data Protocol (RDP): 30259 - 30322 (UDP)
-
L2TP: 31701 - 31764 (UDP)
CLI Syntax:
vpn iked
Starting in R81.20, there can be a maximum of 64 instances of the
iked
daemon that are calculated based on this formula:Number of IKED instances = (Number of CoreXL Firewall Instances) / (Value of Kernel Parameter 'ike_num_instances_per_daemon')
Note - You can configure different values for the kernel parameter '
ike_num_instances_per_daemon
'. -
-
The CCC daemon
cccd
(introduced in R81.10).Responsible for the Circuit Cross-Connect (CCC) protocol, while:
-
IKE for the same clients runs in the IKE daemon
iked
-
CCC TLS for the same clients runs in the VPN daemon
vpnd
CLI Syntax:
vpn cccd
This process is a child of the FWD process (see the
$FWDIR/conf/fwauthd.conf
file on a Security Gateway). -
Disabling the IKE daemon "iked"
It is possible to configure the Security Gateway to disable the IKE daemon iked
and work in the legacy mode, in which the VPN daemon vpnd
handles all VPN connections.
Step |
Instructions |
|||
---|---|---|---|---|
1 |
Connect to the command line on the Security Gateway / each Cluster Member Security Gateway that is part of a cluster.. |
|||
2 |
Log in to the Expert mode. |
|||
3 |
Examine the current status:
Possible outputs:
|
|||
4 |
Disable the IKE daemon:
|
To enable the IKE daemon iked
after you disable it, run this command:
|
|
Important
|
Disabling the CCC daemon "cccd"
It is possible to configure the Security Gateway to disable the CCC daemon cccd
and work in the legacy mode, in which the VPN daemon vpnd
handles all VPN connections.
Step |
Instructions |
|||
---|---|---|---|---|
1 |
Connect to the command line on the Security Gateway / each Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Member. |
|||
2 |
Log in to the Expert mode. |
|||
3 |
Examine the current status:
Possible outputs:
|
|||
4 |
Disable the CCC daemon:
|
To enable the CCC daemon cccd
after you disable it, run this command:
|
|
Important
|
Description
This "vpn debug
" command instructs the VPN daemon vpnd
to write debug messages to these log files:
Debugging of the VPN daemon vpnd
is based on Debug Topics and Debug Levels:
-
A Debug Topic is a specific area, on which to perform debugging.
For example, if the Debug Topic is
LDAP
, all traffic between the VPN daemon and the LDAP server is written to the log file.Check Point Support provides the specific Debug Topics when needed.
-
Debug Levels range from 1 (least informative) to 5 (most informative - write all debug messages).
For more information, see sk180488.
In addition, see ike debug.
Syntax
|
Parameters
Parameter |
Description |
||||
---|---|---|---|---|---|
No Parameters |
Shows the built-in usage. |
||||
|
Turns on high level VPN debug. The debug writes the information in the Note - If you disabled the IKE daemon |
||||
|
Specifies the Debug Topic and the Debug Level. Check Point Support provides these.
|
||||
|
Turns off the VPN debug (in legacy mode, also turns off the IKE debug).
|
||||
|
Note - Applies only if you disabled the IKE daemon Turns on the IKE trace. The debug writes the information in the You can specify the size of these files, when to perform the log rotation (close the current active file, rename it, open a new active file). |
||||
|
Note - Applies only if you disabled the IKE daemon Turns off the IKE trace. Run this command to stop the IKE trace:
|
||||
or
|
This command:
|
||||
|
Stops the VPN daemon debug. Run one of these commands to stop the VPN debug:
|
||||
|
Enables the timestamp in the log files. Prints one timestamp after the specified number of seconds. By default, prints the timestamp every 10 seconds. |
||||
|
Disables the timestamp in the log files every number of seconds. |
||||
|
Note - Applies only if you disabled the IKE daemon Logs failed IKE negotiations. You can specify the size of the |
||||
|
Note - Applies only if you disabled the IKE daemon Enables the IKE Monitor. Writes the IKE packets in the
|
||||
|
Note - Applies only if you disabled the IKE daemon Disables the IKE Monitor. |
||||
|
Writes the specified text string in the For example, run:
|
||||
|
This command:
|
Return Values
-
0 (zero) for success
-
any other value for failure (typically, -1 or 1)