Ted James

VPN troubleshooting

I'm troubleshooting a VPN connection using Check Point. I keep getting dropped out from time to time. Here are the logs from the Check Point firewall:
[28 Oct 7:13:54] IKE tunnel disconnected, error code=-1000. Reason: Site is not responding.
[28 Oct 7:13:54] Client state is connected
[28 Oct 7:13:54] Tunnel (2) disconnected. State is connected. Trying to reconnect.
[28 Oct 7:14:22] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:14:22] Client state is reconnecting
[28 Oct 7:14:22] Reconnect failed. trying again (2)
[28 Oct 7:15:20] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:15:20] Client state is reconnecting
[28 Oct 7:15:20] Reconnect failed. trying again (2)
[28 Oct 7:16:05] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:16:05] Client state is reconnecting
[28 Oct 7:16:05] Reconnect failed. trying again (2)
[28 Oct 7:16:23] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:16:23] Client state is reconnecting
[28 Oct 7:16:23] Reconnect failed. trying again (2)
[28 Oct 7:17:02] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:17:02] Client state is reconnecting
[28 Oct 7:17:02] Reconnect failed. trying again (2)


Can someone get me started on the troubleshooting? What is happening, and how can I fix it?
Thanks
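A way to get a first read on a log like the one above, as an added example that is not part of this thread or of any Check Point tooling: the script below parses the quoted lines (embedded as the sample input so it runs offline), counts the drop and the failed reconnects, measures the seconds between successive IKE attempts, tallies the error code and reason text, and flags the tunnel as flapping when several reconnect failures land inside a short window. The year passed to the parser and the flap threshold (three failures within ten minutes) are assumptions, not values from the log.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: the log lines quoted in the question above, embedded here so the
# script runs offline. The log carries no year, so one is assumed when parsing.
SAMPLE_LOG = """\
[28 Oct 7:13:54] IKE tunnel disconnected, error code=-1000. Reason: Site is not responding.
[28 Oct 7:13:54] Client state is connected
[28 Oct 7:13:54] Tunnel (2) disconnected. State is connected. Trying to reconnect.
[28 Oct 7:14:22] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:14:22] Client state is reconnecting
[28 Oct 7:14:22] Reconnect failed. trying again (2)
[28 Oct 7:15:20] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:15:20] Client state is reconnecting
[28 Oct 7:15:20] Reconnect failed. trying again (2)
[28 Oct 7:16:05] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:16:05] Client state is reconnecting
[28 Oct 7:16:05] Reconnect failed. trying again (2)
[28 Oct 7:16:23] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:16:23] Client state is reconnecting
[28 Oct 7:16:23] Reconnect failed. trying again (2)
[28 Oct 7:17:02] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:17:02] Client state is reconnecting
[28 Oct 7:17:02] Reconnect failed. trying again (2)
"""

# "[28 Oct 7:13:54] message" -> day/month, time, message
LINE_RE = re.compile(r"^\[(\d{1,2} \w{3}) (\d{1,2}:\d{2}:\d{2})\] (.*)$")
# "error code=-1000. Reason: Site is not responding." -> code, reason
ERROR_RE = re.compile(r"error code=(-?\d+)\. Reason: (.*?)\.?$")
# "Tunnel (2) disconnected" -> tunnel id
TUNNEL_RE = re.compile(r"Tunnel \((\d+)\) disconnected")


def parse_line(line, year=2000):
    """Return (timestamp, message) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp = datetime.strptime(f"{m.group(1)} {year} {m.group(2)}", "%d %b %Y %H:%M:%S")
    return stamp, m.group(3)


def summarize(text, year=2000, flap_threshold=3, flap_window_s=600):
    """Summarize drops, reconnect failures, retry timing and error reasons."""
    events = [e for e in (parse_line(line, year) for line in text.splitlines()) if e]
    disconnects = [ts for ts, msg in events if msg.startswith("IKE tunnel disconnected")]
    failures = [ts for ts, msg in events if msg.startswith("IKE connection failed")]
    errors = Counter()
    tunnels = set()
    for _, msg in events:
        e = ERROR_RE.search(msg)
        if e:
            errors[(int(e.group(1)), e.group(2))] += 1
        t = TUNNEL_RE.search(msg)
        if t:
            tunnels.add(int(t.group(1)))
    # Seconds between consecutive IKE attempts: the initial drop, then each retry.
    attempts = sorted(disconnects + failures)
    intervals = [int((b - a).total_seconds()) for a, b in zip(attempts, attempts[1:])]
    outage_s = int((attempts[-1] - attempts[0]).total_seconds()) if attempts else 0
    # Flapping (assumed definition): flap_threshold failed reconnects within flap_window_s.
    flapping = any(
        (failures[i + flap_threshold - 1] - failures[i]).total_seconds() <= flap_window_s
        for i in range(len(failures) - flap_threshold + 1)
    )
    return {
        "tunnels": sorted(tunnels),
        "disconnects": len(disconnects),
        "failed_reconnects": len(failures),
        "errors": dict(errors),
        "retry_intervals_s": intervals,
        "outage_s": outage_s,
        "flapping": flapping,
    }


def report(summary):
    """Render the summary as plain text for a ticket or an e-mail to the far end."""
    lines = [
        f"tunnels: {summary['tunnels']}",
        f"disconnects: {summary['disconnects']}, failed reconnects: {summary['failed_reconnects']}",
        f"retry intervals (s): {summary['retry_intervals_s']}, outage so far: {summary['outage_s']} s",
        f"flapping: {summary['flapping']}",
    ]
    for (code, reason), n in summary["errors"].items():
        lines.append(f"error {code} '{reason}': {n} occurrences")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Two things the summary makes visible that the raw lines do not: the retry attempts here are irregular (28, 58, 45, 18, 39 seconds apart), and every attempt carries the same reason, "Site is not responding", which only says that the client's IKE packets got no answer; it does not say which side dropped them. Run over a longer export covering several drops, the timestamps of the disconnect events show whether the drops recur at a fixed period, which is worth comparing against the key lifetimes configured on each end.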
SOLUTION by John (members-only content not shown)
Ted James (ASKER)
Is the problem on the other end?  I don't have a view into the other side.
SOLUTION (members-only content not shown)
SOLUTION by bbao (members-only content not shown)
Unfortunately there are several "other ends".  This local Checkpoint FW is terminating about 18 VPNs.  Eight of them are having this problem.  I think it is my end, even though that error message says that the other end is not responding.  That is throwing me off.
Eight of these VPNs are exhibiting this flapping while the other ten are solid.  Thoughts?
SOLUTION (members-only content not shown)
In each case they are able to stand up the VPN.  But then they get dropped.  Happens several times.  Started happening last week.
SOLUTION (members-only content not shown)
SOLUTION (members-only content not shown)
SOLUTION (members-only content not shown)
All very good ideas. For some of them I will have to schedule "downtime", as the users are 24/7.

A couple of other thoughts:
1. Could the firewall licenses (encryption licenses or firewall license) be expiring, causing the tunnels to go down for a couple of minutes?

2. Though I haven't verified it, some claimed it happens at roughly the same time for each of them. Maybe it reflects exceeding a certain limit, or a throughput issue?

3. Not a thought, but another impediment to my troubleshooting... My access to my CP SmartConsole is now being rejected. When I first logged on yesterday (first time ever) I had to "verify" a fingerprint. Ignorantly I said "yes". Apparently I must have been wrong, because now I can't get authenticated to get back in. Is there something I am missing or more I need to do, or am I just fat-fingering it?
SOLUTION (members-only content not shown)
SOLUTION (members-only content not shown)
For the firewall firmware, yes?
It makes sense since the firewalls haven't been touched in over a year, and problems are only surfacing now.
SOLUTION (members-only content not shown)
SOLUTION (members-only content not shown)
SOLUTION (members-only content not shown)
SOLUTION (members-only content not shown)
SOLUTION (members-only content not shown)
Can anyone point me to a good, detailed troubleshooting guide for IPsec that is not geared to a specific product? Cisco et al. have VPN troubleshooting guides, but they are geared towards specific commands and logs specific to the product. I'd like a generic troubleshooting list.

(Many of my endpoints (far end) are not Check Point; I don't even know for sure what endpoint they have.)

thx
ASKER CERTIFIED SOLUTION (members-only content not shown)
Fixed my CP SmartConsole issues.  Turns out my permissions were not upgraded.

So all good suggestions.  Thank you!
In summary, some things to look at:
1.  Firmware upgrade (at a later time during scheduled maintenance)
2.  Check for inconsistent key lifetimes between both ends.
3. Look at logs at the other end (both sides' view). This is going to be difficult because the person at the other end would probably not be technical enough, and I don't own that termination point.
4.  Reconstruct profiles. (John can you be more specific?  Is this user profiles?  tunnel endpoint profiles? What are we talking about? etc.)

Also, what about the possibility of the far end being on a wireless network?

Thanks in advance.  We are meeting tomorrow to discuss our strategy.
SOLUTION (members-only content not shown)
Good find, John, that Barracuda manual explains common log messages well enough for most devices.
Thank you all. We are scheduling a firmware upgrade in the next couple of weeks.
It's due for one anyway.
Thank you all.  Very helpful.  I'm not very familiar with the scoring system so I hope I didn't slight anybody.  I'll reach back when we complete the upgrade.
You are very welcome and I was happy to assist you.