
VPN Troubleshooting Guide

1. Performing a capture on a reachable gateway.

• Set up filters for the local and remote gateways (try to filter out undesired traffic as much as possible).

• Usually the following output will appear if the remote gateway is not responding:
11:03:43.013007 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 1 I ident

11:03:45.013529 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 1 I ident

11:03:47.013753 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 1 I ident

You should also be able to see UDP packets, which serve to test the tunnel status. Below you can find one.

Captured log from CLM


If the remote security gateway is reachable but does not respond on port 500, the following reply is observed:

11:21:01.179409 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 1 I ident

11:21:01.179462 eth0[in ]: 192.168.1.248 > 192.168.1.249: ICMP 192.168.1.248 udp port 500 unreachable, length 188

• In this case 192.168.1.249 is our local gateway. Here we can see our requests going out of the security gateway.

2. Make sure that the remote gateway is up and running.

3. Check the VPN logs in SmartView Tracker.

Here is an example of the VPN changing state to up:

11:29:20.403763 eth0[in ]: 192.168.1.248.500 > 192.168.1.249.500: isakmp: phase 1 I ident

11:29:20.406588 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 1 R ident

11:29:20.408509 eth0[in ]: 192.168.1.248.500 > 192.168.1.249.500: isakmp: phase 1 I ident

11:29:20.409448 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 1 R ident

11:29:20.411796 eth0[in ]: 192.168.1.248.500 > 192.168.1.249.500: isakmp: phase 1 I ident[E]

11:29:20.415650 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 1 R ident[E]

11:29:20.416788 eth0[in ]: 192.168.1.248.500 > 192.168.1.249.500: isakmp: phase 2/others I oakley-quick[E]

11:29:20.418831 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 2/others R oakley-quick[E]

11:29:20.421300 eth0[in ]: 192.168.1.248.500 > 192.168.1.249.500: isakmp: phase 2/others I oakley-quick[E]

11:29:20.422111 eth0[out]: 192.168.1.249.52228 > 192.168.1.248.18234: UDP, length 12

11:29:20.422219 eth0[out]: 192.168.1.249.54071 > 192.168.1.248.18234: UDP, length 12


11:29:20.422261 eth0[out]: 192.168.1.249.33235 > 192.168.1.248.18234: UDP, length 12

11:29:20.522360 eth0[in ]: 192.168.1.248.500 > 192.168.1.249.500: isakmp: phase 2/others I oakley-quick[E]

11:29:20.622924 eth0[in ]: 192.168.1.248.500 > 192.168.1.249.500: isakmp: phase 2/others I oakley-quick[E]

11:29:20.722992 eth0[in ]: 192.168.1.248 > 192.168.1.249: ESP(spi=0xf251808d,seq=0x1), length 84

11:29:20.724038 eth0[in ]: 192.168.1.248 > 192.168.1.249: ESP(spi=0xf251808d,seq=0x2), length 84

11:29:20.724220 eth0[out]: 192.168.1.249 > 192.168.1.248: ICMP 192.168.1.249 udp port 52228 unreachable, length 48

11:29:20.724408 eth0[in ]: 192.168.1.248 > 192.168.1.249: ESP(spi=0xf251808d,seq=0x3), length 84

11:29:20.724549 eth0[out]: 192.168.1.249 > 192.168.1.248: ICMP 192.168.1.249 udp port 54071 unreachable, length 48

11:29:20.724654 eth0[in ]: 192.168.1.248 > 192.168.1.249: ESP(spi=0xf251808d,seq=0x4), length 84

11:29:20.726454 eth0[out]: 192.168.1.249.18234 > 192.168.1.248.64112: UDP, length 12

11:29:21.234068 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 1 I ident

11:29:21.237625 eth0[in ]: 192.168.1.248.500 > 192.168.1.249.500: isakmp: phase 1 R ident

11:29:21.239721 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 1 I ident

11:29:21.242155 eth0[in ]: 192.168.1.248.500 > 192.168.1.249.500: isakmp: phase 1 R ident

11:29:21.247058 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 1 I ident[E]

11:29:21.254904 eth0[in ]: 192.168.1.248.500 > 192.168.1.249.500: isakmp: phase 1 R ident[E]

11:29:21.260119 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 2/others I oakley-quick[E]

11:29:21.262963 eth0[in ]: 192.168.1.248.500 > 192.168.1.249.500: isakmp: phase 2/others R oakley-quick[E]

11:29:21.264160 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 2/others I oakley-quick[E]

11:29:21.365049 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 2/others I oakley-quick[E]

11:29:21.466266 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 2/others I oakley-quick[E]
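
The three capture patterns in this guide (no reply, UDP port 500 unreachable, tunnel coming up) can be told apart mechanically. The following Python example is added here and is not part of the original guide; the function name `classify`, the state labels and the rule "ESP plus quick mode in both directions means up" are this example's own assumptions, and the sample lines are trimmed copies of the captures above.

```python
import re

# Capture line layout used in this guide: time iface[dir]: src > dst: summary
LINE = re.compile(r"^\S+ \w+\[(in|out)\s*\]: \S+ > \S+?: (.*)$")

def classify(capture):
    """Map a capture to one of the situations the guide describes."""
    seen = set()
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        direction, summary = m.groups()
        # Only an inbound ICMP for port 500 means the peer refused IKE.
        if direction == "in" and "udp port 500 unreachable" in summary:
            seen.add("refused")
        elif summary.startswith("isakmp: phase 1"):
            seen.add("p1_" + direction)
        elif summary.startswith("isakmp: phase 2"):
            seen.add("p2_" + direction)
        elif summary.startswith("ESP("):
            seen.add("esp")
    if "refused" in seen:
        return "peer reachable, UDP 500 refused"
    if "esp" in seen and {"p2_in", "p2_out"} <= seen:
        return "tunnel up"
    if {"p1_in", "p1_out"} <= seen:
        return "negotiating"  # label chosen for this example
    if "p1_out" in seen:
        return "no response from peer"
    return "no IKE traffic"

# Trimmed samples; the lines are copied from the captures in this guide.
NO_RESPONSE = """11:03:43.013007 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 1 I ident
11:03:45.013529 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 1 I ident"""
REFUSED = """11:21:01.179409 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 1 I ident
11:21:01.179462 eth0[in ]: 192.168.1.248 > 192.168.1.249: ICMP 192.168.1.248 udp port 500 unreachable, length 188"""
UP = """11:29:20.403763 eth0[in ]: 192.168.1.248.500 > 192.168.1.249.500: isakmp: phase 1 I ident
11:29:20.406588 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 1 R ident
11:29:20.416788 eth0[in ]: 192.168.1.248.500 > 192.168.1.249.500: isakmp: phase 2/others I oakley-quick[E]
11:29:20.418831 eth0[out]: 192.168.1.249.500 > 192.168.1.248.500: isakmp: phase 2/others R oakley-quick[E]
11:29:20.722992 eth0[in ]: 192.168.1.248 > 192.168.1.249: ESP(spi=0xf251808d,seq=0x1), length 84
11:29:20.724220 eth0[out]: 192.168.1.249 > 192.168.1.248: ICMP 192.168.1.249 udp port 52228 unreachable, length 48"""

if __name__ == "__main__":
    print([classify(c) for c in (NO_RESPONSE, REFUSED, UP)])
```

The outbound ICMP for port 52228 in the last sample is deliberately ignored: it concerns the tunnel-test UDP packets, not IKE on port 500.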
