General Troubleshooting Steps
If you suspect that there is a problem with your VSX (Virtual System Extension) configuration, there are several diagnostic procedures that you can follow to determine the source.
These procedures utilize various commands documented in the Command Line Reference.
- Perform a basic configuration check for each VSX Gateway or VSX Cluster Member by running the "vsx stat -v" command. The output will allow you to:
  - Account for all Virtual Systems and make sure that none are missing from the configuration.
  - Make sure all Virtual Devices are Active.
  - Make sure the correct Security Policy is installed for each Virtual System (VS).
  - Make sure the SIC (Secure Internal Communication) trust is established with the Management Server.
- Run the "cplic print" command on each VSX Gateway, VSX Cluster Member and Management Server to make sure the appropriate licenses are installed.
- Run the "cphaprob stat" command on each VSX Cluster Member to verify its status. If a member is listed with a status other than Active, Standby, or Backup, refer to the "Troubleshooting" chapter in the R81 ClusterXL Administration Guide for additional troubleshooting assistance.
- If you suspect that a Virtual System is experiencing connectivity problems, perform the following steps:
  - Run the "vsenv <VSID>" command to set the context to the appropriate Virtual System.
  - Run the "fw getifs" command to display the interface list for the Virtual System.
  - Examine connectivity status using standard operating system commands and tools such as ping, traceroute, tcpdump, ip route, ftp, and so on. Some of these run according to context (i.e. routing, source and destination IP addresses). You can also execute the "ip route" and "ip link" commands.

  If these tests indicate that all interfaces and routers have connectivity, and appear to be functioning correctly, you should monitor the passage of packets through the system.
- Execute the "fw monitor -v <VSID>" command to capture details of packets at multiple points. This may return multiple reports on the same packet as it passes various capture points. This command does not report on Virtual Routers, except for packets destined to an external Virtual Router.
- Execute the "tcpdump" command to display transmitted or received packets for specific interfaces, including Warp interfaces. This often provides valuable clues for resolving connectivity issues.
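
The cluster status check in the "cphaprob stat" step above can be scripted so that any member in a state other than Active, Standby, or Backup is flagged. The following is an added example, not part of the original guide or of Check Point's tooling; the function names are hypothetical, the column layout of the output is an assumption, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: flag cluster members whose state is not Active, Standby or Backup.
# Assumption: each member row starts with a numeric ID, and the state is the
# first purely alphabetic column (address and load columns contain digits).

unhealthy_members() {
    awk '
        $1 ~ /^[0-9]+$/ {
            id = $1; state = ""
            # Skip "(local)", the address and the load; stop at the state token.
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^[A-Za-z][A-Za-z()!]*$/) { state = $i; break }
            }
            if (state == "") next
            s = toupper(state)
            # Any decoration such as "(!)" makes the state differ from the
            # three accepted values, so the member is reported.
            if (s != "ACTIVE" && s != "STANDBY" && s != "BACKUP")
                print id, state
        }
    '
}

# Constructed sample, not captured from a real gateway.
sample_output() {
    cat <<'EOF'
Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.0.2.1       100%            ACTIVE         member1
2          192.0.2.2       0%              STANDBY        member2
3          192.0.2.3       0%              DOWN           member3
EOF
}

# On a cluster member, pipe the real command instead:
#   cphaprob stat | unhealthy_members
sample_output | unhealthy_members
```

An empty result means every listed member is in one of the three accepted states; any printed line is a member to investigate using the ClusterXL troubleshooting chapter.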