
In this example we will run through the steps to troubleshoot a site-to-site VPN on a NetScreen firewall.
Confirm General Details
This gives a general overview of the VPNs configured on the device.
netscreen(M)-> get vpn
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ----------
sitea_vpn       sitea           tunl Yes   g2-esp-3des-sha      off           0 eth5
siteb_vpn       siteb           tunl Yes   g2-esp-3des-sha      off           2 eth5
sitec_vpn       sitec           tunl Yes   g2-esp-3des-sha      off           0 eth5
sited_vpn       sited           tunl Yes   g2-esp-3des-sha      off           0 eth5
Confirm Phase 1
To confirm whether IKE (Phase 1) has completed successfully, run the following command. You may find that there is no IKE cookie even though a Phase 2 Security Association exists. This happens when the Phase 1 IKE lifetime is set to a value less than the Phase 2 lifetime: the Phase 1 SA expires while the Phase 2 SA it negotiated is still valid. You can find additional details here.
netscreen(M)-> get ike cookie | i [remote peer ip]
80522f/0003, [local peer]:500->[remote peer]:500, PRESHR/grp2/AES256/SHA, xchg(5) (Example/grp-1/usr-1)
Confirm Phase 2
The get sa command shows the status and details of the Phase 2 Security Associations. The A/- field in each line shows the status of the VPN tunnel (left of the slash) and the status of the VPN monitor (right of the slash). In this case the VPN tunnel is active (A) and the VPN monitor is shown as a dash because it is not enabled.
netscreen(M)-> get sa | i [peer ip]
00000007< [peer ip] 500 esp:3des/md5 zbcA14zz 3317 unlim A/- 22 0
00000007> [peer ip] 500 esp:3des/md5 fbcb64ee 3317 unlim A/- -1 0
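The status check described above can be automated when many tunnels have to be reviewed at once. The following Python script is an added example and is not part of the original notes or a Juniper tool: it parses the column layout of get sa as quoted above (the gateway addresses, SPIs, second tunnel and header row are constructed for the example), pairs the inbound (<) and outbound (>) SAs of each tunnel, and reports whether the tunnel is up, what the VPN monitor shows, and whether an SA is close to its lifetime. The monitor letters U, D and I are assumed to mean up, down and inactive.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of `get sa` output. The layout follows the two lines quoted
# in the notes above; addresses, SPIs, the second tunnel and the header row are
# made up for this example.
SAMPLE_GET_SA = """\
ID        Gateway         Port Algorithm     SPI      Life:sec kb   Sta   PID vsys
00000007< 203.0.113.10     500 esp:3des/md5  zbcA14zz  3317 unlim A/-    22 0
00000007> 203.0.113.10     500 esp:3des/md5  fbcb64ee  3317 unlim A/-    -1 0
00000009< 198.51.100.7     500 esp:a256/sha1 0a1b2c3d     0 unlim I/D    -1 0
00000009> 198.51.100.7     500 esp:a256/sha1 4e5f6071     0 unlim I/D    -1 0
"""

# One SA row: "<" is the inbound SA, ">" the outbound SA of the same tunnel.
SA_LINE = re.compile(
    r"^(?P<sa_id>[0-9a-fA-F]{8})(?P<direction>[<>])\s+(?P<gateway>\S+)\s+"
    r"(?P<port>\d+)\s+(?P<algorithm>\S+)\s+(?P<spi>\S+)\s+(?P<life_sec>\d+)\s+"
    r"(?P<life_kb>\S+)\s+(?P<tunnel>[AI])/(?P<monitor>[-UDI])\s+"
    r"(?P<pid>-?\d+)\s+(?P<vsys>\d+)\s*$"
)

# Right half of the status field; "-" is the dash shown when the monitor is not
# enabled, the other letters are assumed meanings for this example.
MONITOR_NAMES = {"-": "off", "U": "up", "D": "down", "I": "inactive"}


@dataclass
class SaEntry:
    sa_id: str
    direction: str        # "in" or "out"
    gateway: str
    algorithm: str
    spi: str
    life_sec: int
    tunnel_active: bool   # left half of the status field: A = active, I = inactive
    monitor: str          # right half of the status field, see MONITOR_NAMES


def parse_get_sa(text: str) -> List[SaEntry]:
    """Parse `get sa` rows; header and unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue
        entries.append(SaEntry(
            sa_id=m["sa_id"].lower(),
            direction="in" if m["direction"] == "<" else "out",
            gateway=m["gateway"],
            algorithm=m["algorithm"],
            spi=m["spi"],
            life_sec=int(m["life_sec"]),
            tunnel_active=(m["tunnel"] == "A"),
            monitor=m["monitor"],
        ))
    return entries


def tunnel_report(entries: List[SaEntry], rekey_warn_sec: int = 300) -> Dict[str, dict]:
    """Group the in/out SAs per tunnel and give the verdict a first-line check needs."""
    report: Dict[str, dict] = {}
    for e in entries:
        t = report.setdefault(e.sa_id, {"gateway": e.gateway, "directions": {}, "warnings": []})
        t["directions"][e.direction] = e
    for t in report.values():
        dirs = t["directions"]
        both_active = all(d.tunnel_active for d in dirs.values())
        t["state"] = "up" if len(dirs) == 2 and both_active else "down"
        t["monitor"] = MONITOR_NAMES[next(iter(dirs.values())).monitor]
        if len(dirs) < 2:
            t["warnings"].append("only one direction of the SA pair is present")
        for d in dirs.values():
            if d.tunnel_active and d.life_sec < rekey_warn_sec:
                t["warnings"].append(f"{d.direction} SA expires in {d.life_sec}s; rekey imminent")
    return report


if __name__ == "__main__":
    for sa_id, t in tunnel_report(parse_get_sa(SAMPLE_GET_SA)).items():
        print(sa_id, t["gateway"], t["state"], "monitor", t["monitor"], t["warnings"])
```

Paste the real get sa output into SAMPLE_GET_SA (or read it from a file) and the report lists each tunnel once, so a tunnel with one direction missing or inactive stands out without reading every row.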
Using the SA ID we can confirm additional details of the Phase 2 SA.
netscreen(M)-> get sa id 0x00000007
index 49, name Example, peer gateway ip [remote peer]. vsys<Root>
auto key. policy node, tunnel mode, policy id in:<10104> out:<10103> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 662, peer id 52, NSRP Active. Vsd 0 site-to-site. Local interface is ethernet5 <[local peer]>.
esp, group 0, a256 encryption, sha1 authentication
autokey, IN active, OUT active
monitor<0>, latency: 0, availability: 0
DF bit: clear
app_sa_flags: 0x2067
proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0
ike activity timestamp: 590051543
nat-traversal map not available
incoming: SPI 9j32882e, flag 00004000, tunnel info 40000296, pipeline
life 86400 sec, 19761 remain, 0 kb, 0 bytes remain
anti-replay on, last 0xb6840, window 0xffffffff, idle timeout value <0>, idled 0 seconds
next pak sequence number: 0x0
outgoing: SPI 7bz2a942, flag 00000000, tunnel info 40000296, pipeline
life 86400 sec, 19761 remain, 0 kb, 0 bytes remain
anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 0 seconds
next pak sequence number: 0x89j9c
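The detail output above carries the fields that decide whether a Phase 2 SA is actually usable: whether both directions are active, how much lifetime remains before the next rekey, and whether anti-replay is on. The following Python script is an added example, not part of the original notes or any Juniper tool. It parses a get sa id dump into a dictionary and returns a list of warnings; the sample dump reuses the values shown above with the SPIs and addresses replaced by made-up ones, and monitor<0> is taken to mean the VPN monitor is not enabled, as the notes state.

```python
import re
from typing import Dict, List

# Constructed sample of `get sa id <id>` output. Values follow the dump in the
# notes above; SPIs and IP addresses are made up for this example.
SAMPLE_SA_DETAIL = """\
index 49, name Example, peer gateway ip 203.0.113.10. vsys<Root>
auto key. policy node, tunnel mode, policy id in:<10104> out:<10103> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 662, peer id 52, NSRP Active. Vsd 0 site-to-site. Local interface is ethernet5 <192.0.2.1>.
esp, group 0, a256 encryption, sha1 authentication
autokey, IN active, OUT active
monitor<0>, latency: 0, availability: 0
DF bit: clear
proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0
incoming: SPI 0a1b2c3d, flag 00004000, tunnel info 40000296, pipeline
life 86400 sec, 19761 remain, 0 kb, 0 bytes remain
anti-replay on, last 0xb6840, window 0xffffffff, idle timeout value <0>, idled 0 seconds
next pak sequence number: 0x0
outgoing: SPI 4e5f6071, flag 00000000, tunnel info 40000296, pipeline
life 86400 sec, 19761 remain, 0 kb, 0 bytes remain
anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 0 seconds
next pak sequence number: 0x1234
"""


def parse_sa_detail(text: str) -> Dict:
    """Pull the fields a tunnel health check needs out of `get sa id` output."""
    info: Dict = {"directions": {}}
    current = None  # "incoming" or "outgoing": which block the life/anti-replay lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"index (\d+), name (\S+), peer gateway ip (\S+)\. vsys<(\S+)>", line)
        if m:
            info.update(index=int(m[1]), name=m[2], peer=m[3], vsys=m[4])
            continue
        m = re.search(r"Local interface is (\S+) <(\S+)>", line)
        if m:
            info.update(local_interface=m[1], local_ip=m[2])
            continue
        m = re.search(r"\bIN (\w+), OUT (\w+)", line)
        if m:
            info.update(in_active=(m[1] == "active"), out_active=(m[2] == "active"))
            continue
        m = re.match(r"monitor<(\d+)>", line)
        if m:  # monitor<0> is read as "VPN monitor not enabled" (assumption, as in the notes)
            info["monitor_enabled"] = m[1] != "0"
            continue
        m = re.match(r"proxy id: local (\S+), remote (\S+), proto (\d+), port (\d+)", line)
        if m:
            info["proxy_id"] = {"local": m[1], "remote": m[2], "proto": int(m[3]), "port": int(m[4])}
            continue
        m = re.match(r"(incoming|outgoing): SPI (\S+),", line)
        if m:
            current = m[1]
            info["directions"][current] = {"spi": m[2]}
            continue
        m = re.match(r"life (\d+) sec, (\d+) remain", line)
        if m and current:
            info["directions"][current].update(life_sec=int(m[1]), remain_sec=int(m[2]))
            continue
        m = re.match(r"anti-replay (on|off), last (0x[0-9a-fA-F]+), window (0x[0-9a-fA-F]+)", line)
        if m and current:
            info["directions"][current].update(anti_replay=(m[1] == "on"), window=int(m[3], 16))
    return info


def sa_health(info: Dict, rekey_warn_fraction: float = 0.1) -> List[str]:
    """Warnings for an SA that is down, half-built or about to expire; empty means healthy."""
    warnings: List[str] = []
    if not info.get("in_active"):
        warnings.append("inbound SA is not active")
    if not info.get("out_active"):
        warnings.append("outbound SA is not active")
    for name in ("incoming", "outgoing"):
        d = info["directions"].get(name)
        if d is None:
            warnings.append(f"no {name} SA block present")
            continue
        if d.get("remain_sec", 0) < rekey_warn_fraction * d.get("life_sec", 0):
            warnings.append(f"{name} SA has {d.get('remain_sec')}s of {d.get('life_sec')}s left; rekey due")
    incoming = info["directions"].get("incoming", {})
    if incoming and not incoming.get("anti_replay"):
        warnings.append("anti-replay is off on the incoming SA")
    return warnings


if __name__ == "__main__":
    parsed = parse_sa_detail(SAMPLE_SA_DETAIL)
    print(parsed["name"], parsed["peer"], "warnings:", sa_health(parsed) or "none")
```

The rekey threshold is a fraction of the configured lifetime rather than a fixed number of seconds, so the same check works for tunnels with very different Phase 2 lifetimes.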
Running a Debug
Here we run a debug to obtain a more verbose view of what is happening to our traffic: set a flow filter for the two endpoints, clear any previous debug state and buffer, enable IKE and flow debugging, then read the debug buffer.
netscreen(M)-> set ff src-ip [local endpoint] dst-ip [remote endpoint]
netscreen(M)-> undebug all
netscreen(M)-> clear db
netscreen(M)-> debug ike basic
netscreen(M)-> debug flow basic
netscreen(M)-> get db str
!
!
Permitted by policy 109
No src xlate choose interface ethernet5 as outgoing phy if
check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet5
vsd 0 is active
no loop on ifp ethernet5.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet2>, out <ethernet5>
existing vector list 25-6870620.
Session (id:127345) created for first pak 25
flow_first_install_session======>
cache mac in the session
make_nsp_ready_no_resolve()
search route to (ethernet5, [remote endpoint]->[local endpoint]) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet2
[Dest] 10.route [local endpoint]->[next hop], to ethernet2
route to [next hop]
nsrp msg sent.
flow got session.
flow session id 127345
vsd 0 is active
skipping pre-frag
going into tunnel 40000266.
flow_encrypt: pipeline.
chip info: DMA. Tunnel id 00000266
(vn2) doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
put packet(557a0f0) into flush queue.
remove packet(557a0f0) out from flush queue.
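A debug flow trace is read by checking which of its stages appear: the packet is permitted by a policy, a session is created, the packet goes into the tunnel, and ESP encryption completes. The following Python script is an added example, not part of the original notes or any Juniper tool. It runs those four checks over debug flow basic output and names the first stage that is missing, which is where troubleshooting should continue. The first sample follows the successful trace above; the second is a constructed trace of a packet that the route sends out a non-VPN interface, so it never enters the tunnel. The VPN interface name ethernet5 is taken from the trace above and is a parameter.

```python
import re
from typing import Dict

# Constructed excerpts of `debug flow basic` output as shown by `get db str`.
# DEBUG_ENCRYPTED follows the successful trace in the notes above;
# DEBUG_WRONG_ROUTE is made up: same policy, but the route chooses ethernet2.
DEBUG_ENCRYPTED = """\
Permitted by policy 109
No src xlate choose interface ethernet5 as outgoing phy if
check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet5
Session (id:127345) created for first pak 25
flow got session.
going into tunnel 40000266.
flow_encrypt: pipeline.
ipsec encrypt done
"""

DEBUG_WRONG_ROUTE = """\
Permitted by policy 109
No src xlate choose interface ethernet2 as outgoing phy if
Session (id:127346) created for first pak 26
flow got session.
"""

# The stages a tunnelled packet passes through, in order, with the ids worth keeping.
STAGES = [
    ("policy_permit", re.compile(r"Permitted by policy (?P<policy>\d+)")),
    ("session_created", re.compile(r"Session \(id:(?P<session>\d+)\) created")),
    ("tunnel_entered", re.compile(r"going into tunnel (?P<tunnel>[0-9a-fA-F]+)")),
    ("esp_encrypted", re.compile(r"ipsec encrypt done")),
]
OUT_IF = re.compile(r"choose interface (?P<out_if>\S+) as outgoing phy if")


def flow_stages(text: str) -> Dict:
    """Record which stages the trace reached, plus the ids found on the way."""
    result: Dict = {"details": {}}
    for name, rx in STAGES:
        m = rx.search(text)
        result[name] = m is not None
        if m:
            result["details"].update(m.groupdict())
    m = OUT_IF.search(text)
    if m:
        result["details"]["out_if"] = m["out_if"]
    return result


def diagnose(text: str, vpn_interface: str = "ethernet5") -> str:
    """Return 'ok' when all stages appear, otherwise name the first missing one with a hint."""
    st = flow_stages(text)
    for name, _ in STAGES:
        if st[name]:
            continue
        if name == "policy_permit":
            return "stopped before policy_permit: no policy permitted the packet (check the policy, zones and flow filter)"
        if name == "session_created":
            return "stopped before session_created: permitted but no session was built"
        if name == "tunnel_entered":
            out_if = st["details"].get("out_if")
            if out_if and out_if != vpn_interface:
                return (f"stopped before tunnel_entered: routed out {out_if}, not the VPN "
                        f"interface {vpn_interface} (check the route)")
            return "stopped before tunnel_entered: session built but the packet never entered the tunnel (check the route and Phase 2 SA)"
        return "stopped before esp_encrypted: entered the tunnel but ESP encryption did not complete (check the Phase 2 SA)"
    return "ok"


if __name__ == "__main__":
    print("good trace:", diagnose(DEBUG_ENCRYPTED))
    print("bad route: ", diagnose(DEBUG_WRONG_ROUTE))
```

Because the stages are checked in order, the report points at the earliest break in the flow even when later lines are present, which is the order a debug should be read in anyway.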
If the tunnel does not come up you can use the following debug:
netscreen(M)-> ike detail set sa-filter [IP]
Event Logs
In addition to checking in the logs that the traffic is being passed, you can check the device's event log for Phase 1 and Phase 2 errors.
netscreen(M)-> get event include [peer ip]
Rekey the VPN
For steps on how to rekey a VPN click here.
