Check if the VPN is passing traffic
show vpn flowSearch the VPN gateway status
show vpn ike-sa gateway <name of the vpn gateway>To get more information about a session flow, get the session ID from the output you received from the above command
show session id <numerical number of session>Check session status between source and destination
show session all filter source <IP of source> destination <IP of destination>To check IKE status, will list all the IKE session communicating on port 500
show session all filter destination destination-port 500Follow the handshake between both ends of the tunnel
less mp-log ikemgr.logTo clear stale IKE sessions
clear session all filter source <IP of source> destination <IP of destination> destination-port 500
In the GUI create packet capture filter with the firewall A as source and firewall B as destination. Then create another filter with firewall B as source and firewall A as destination. Turn on filtering and go back to CLI to get get global counters. This will inform us if there are any packet errors or dropping in the tunnel
show counter global filter delta yes packet-filter yes
show counter global filter severity drop aspect tunnel category flowForce VPN tunnel to initiate handshake
test vpn ike-sa gateway <name of the vpn gateway>
test vpn ipsec-sa tunnel <name of the vpn tunnel>Check status of the VPN tunnel
show vpn ike-sa gateway <name of the vpn gateway>
show vpn ipsec-sa tunnel <name of vpn tunnel>View logs on the different verbose levels
debug ike gateway <gateway name> on <error|warn|normal|debug|dump>
example: debug ike gateway testGW on debug
to turn off log verbose, run
debug ike gateway <gateway name> offfollow logs in realtime
tail follow yes mp-log ikemgr.log
Comments