The document provides a template for troubleshooting site to site VPN issues. It includes steps to verify the firewall details and ISP gateway, check for secure internal communication and proper master file configuration, validate the routing and IPSEC VPN tunnel negotiation, review the Smartview status and logs, ensure proper DHCP settings, check for any license errors, confirm that policy push is working correctly, and test connectivity with traceroute and ping.
The document provides a template for troubleshooting site to site VPN issues. It includes steps to verify the firewall details and ISP gateway, check for secure internal communication and proper master file configuration, validate the routing and IPSEC VPN tunnel negotiation, review the Smartview status and logs, ensure proper DHCP settings, check for any license errors, confirm that policy push is working correctly, and test connectivity with traceroute and ping.
The document provides a template for troubleshooting site to site VPN issues. It includes steps to verify the firewall details and ISP gateway, check for secure internal communication and proper master file configuration, validate the routing and IPSEC VPN tunnel negotiation, review the Smartview status and logs, ensure proper DHCP settings, check for any license errors, confirm that policy push is working correctly, and test connectivity with traceroute and ping.
The document provides a template for troubleshooting site to site VPN issues. It includes steps to verify the firewall details and ISP gateway, check for secure internal communication and proper master file configuration, validate the routing and IPSEC VPN tunnel negotiation, review the Smartview status and logs, ensure proper DHCP settings, check for any license errors, confirm that policy push is working correctly, and test connectivity with traceroute and ping.
Download as DOC, PDF, TXT or read online from Scribd
Download as doc, pdf, or txt
You are on page 1/ 3
SITE TO SITE VPN TROUBLESHOOTING
TEMPLATE Firewall details Verification:
Firewall external IP x.x.x.x
Firewall internal IP x.x.x.x Firewall DHCP configured: Yes/No
ISP Gateway PING verification:
ISP gateway x.x.x.x is reachable /not reachable
Secure Internal Communication (SIC) Verification:
Secure Internal communication is checked and found working fine? (Remember if SIC is not working; please check the Master file in splat firewall module)
Master File verification:
Master file is verified in SPLAT module and found ok?
Smartdashbord log server setting also checked and found ok? (If any one of the place mismatch found please correct the same. Remember log server setting in smart dashboard need to be set as "locally defined" otherwise it override the master file updates in splat firewall)
Routing Verification:
Verified the route in management router, R5, R6 of respective zone routers and cluster 3/5, 4 of respective zone firewalls, found to be ok ?
IPSEC VPN Tunnel negotiation verification:
Found udp 500 messages are being negotiated between the two vpn peers. (If not please run TCPDUMP log tool in both end gateways and provide the result)
Tcpdump -i eth0 host < remote VPN gateway IP address>
Smartview status/ Smartview monitor:
In smartview status, firewall is showing disconnected/error state/up and able/not able to see the encrypted/decrypted traffic No of tunnels formed --- (you can check in smartview status)
DHCP setting verification:
DHCP settings are verified in splat module and the required DHCP rules are allowed in smartdashboard respective policy package.(be informed that sometimes firewall may not be a DHCP server and market will have its own DHCP server) Smart view tracker log verification:
In smartview monitor logs are populating from the respective market subnet x.x.x.x and the tunnel negotiation is happening.(if not please check the master file again)
License update:
No license error observed in smartview tracker log. (Be informed sometime license file may have an issue, in that situation please detach and attach the license again. You can do the same from smartupdate. If license error found please inform the respective Zone lead and Nestle SME)
Policy Push:
Policy push is working fine for the splat firewall ------
Traffic checking:
Traceroute is given from <location name > to the Internal subnet ip < > and find the results below
------ ------ Ping is given from <location name > to the Internal subnet ip < > and find the results below ---- ----
