Wednesday, April 22, 2009

PIM v2 State refresh

State refresh is used in PIM Dense mode.

By default, a Cisco router processes and forwards state-refresh messages, but it does not originate them.

To originate state-refresh messages, enable it on the interface of the router that is directly connected to the source. That router knows when the mroute would time out, so it also knows when to stop generating state-refresh messages.

interface Serial1/0.25
 ip pim state-refresh origination-interval [seconds]

Monday, April 13, 2009

How to generate a valid ike debug, vpn debug and fw monitor

Solution
It is very helpful to gather the IKE information in both directions by having both endpoints initiate communications at different times so you can see what each machine proposes to the other and then reconcile the differences. Generate debugs for ike and vpnd on both endpoints.

These debugs are valid for VPN connections between SecureClient and Security Gateways, as well as for site to site VPN connections.

Follow the steps below to generate debug information:

Note: For SecurePlatform you must be logged in as Expert.

  1. Initiate vpn debug on both Security Gateways from the CLI:

    # vpn debug trunc

    Notes:

    • # vpn debug trunc initiates both vpn debug and ike debug. # vpn debug on only initiates vpn debug.

    • If you need the level of detail provided by TDERROR_ALL_ALL=5, then you need to run: vpn debug on TDERROR_ALL_ALL=5.


  2. Initiate packet capture on both Security Gateways (or tcpdump, or Wireshark pcap):

    Note: You can press "Alt + F1" to open a second terminal, or open a second ssh session, or (for Windows) open a second command prompt.

    # fw monitor -e "accept;" -o monitor.out

    or

    # fw monitor -e "accept sport=500 or dport=500;" -o monitor.out

    Note: Since VPN-1 Pro NGX R60, you can also run

    # fw monitor -e "accept port(500) or port(4500);" -o monitor.out

    or

    # vpn debug mon

    If you run # vpn debug mon, the output file is ikemonitor.snoop. In that file all the IKE payloads are in the clear, whereas in monitor.out the IKE payloads are encrypted.


  3. Run vpn tu.

    Note: Before running vpn tu, kill all traffic over the VPN.


  4. Then select the option that reads "Delete all IPsec+IKE SAs for a given peer (GW)".

  5. Enter your remote Security Gateway IP address.

  6. Exit the utility.

    Important: This procedure closes open VPN tunnels. It is useful in that, the next time communication is attempted, you will capture the VPN tunnel creation information. Be aware that existing VPN tunnels with this remote peer will be closed and will have to be re-established. This is especially important in a production environment.


  7. Reproduce the issue: attempt to connect FROM YOUR NETWORK to a device in the remote encryption domain. This initiates the tunnel.

  8. Run vpn tu.

    Note: Before running vpn tu, kill all traffic over the VPN.


  9. Then select the option that reads "Delete all IPsec+IKE SAs for a given peer (GW)".

  10. Enter your remote Security Gateway IP address.

  11. Exit the utility.

  12. Reproduce the issue: attempt to connect FROM THE REMOTE NETWORK to a device in the local encryption domain. This initiates the tunnel.

  13. Stop vpn debug on both Security Gateways:

    # vpn debug off

    # vpn debug ikeoff


    Notes:

    • If you used vpn debug on TDERROR_ALL_ALL=5, you only have to run # vpn debug off.

    • If you run # vpn debug mon, you need to run # vpn debug moff.


  14. Stop packet capture by pressing "CTRL+C".


  15. Please send the following files from the Security Gateways to Check Point Support:

    • $FWDIR/log/ike.elg

    • $FWDIR/log/vpnd.elg

    • monitor.out

    • ikemonitor.snoop
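An added helper script (not Check Point's own tooling, not from the original post) that wraps steps 1, 2 and 13 to 15 above: it starts the debugs and the capture, stops them, and bundles the files Support asks for. It assumes expert mode on the gateway and that $FWDIR is set as it is there; the choice of "vpn debug mon" as the capture method, the function names and the bundle name are this script's own.

```shell
#!/bin/sh
# Steps 1-2: "vpn debug trunc" starts both vpn and ike debug; "vpn debug mon"
# writes ikemonitor.snoop with the IKE payloads in the clear.
debug_start() {
    vpn debug trunc && vpn debug mon
}

# Step 13: trunc turned on both debugs, so both off commands are needed,
# and mon needs its own moff.
debug_stop() {
    vpn debug off; vpn debug ikeoff; vpn debug moff
}

# Step 15: bundle the files Support asks for.
# Arguments: log directory ($FWDIR/log), capture directory, output tarball.
# A missing file is reported but not fatal, because only one of monitor.out
# (fw monitor) or ikemonitor.snoop (vpn debug mon) exists depending on which
# capture method was used. Prints the number of files bundled; fails if none.
collect_debug_files() {
    logdir=$1; capdir=$2; out=$3; found=0; list=""
    for f in "$logdir/ike.elg" "$logdir/vpnd.elg" \
             "$capdir/monitor.out" "$capdir/ikemonitor.snoop"; do
        if [ -f "$f" ]; then
            list="$list $f"; found=$((found + 1))
        else
            echo "missing: $f (expected if that capture method was not used)" >&2
        fi
    done
    [ "$found" -gt 0 ] || return 1
    # ikemonitor.snoop carries IKE payloads in the clear, so keep the bundle
    # readable by the owner only.
    umask 077
    # shellcheck disable=SC2086  # $list is intentionally word-split
    tar cf "$out" $list 2>/dev/null
    echo "$found"
}

# Typical use on the gateway (constructed, assumes $FWDIR is set):
#   debug_start; <reproduce the issue in both directions>; debug_stop
#   collect_debug_files "$FWDIR/log" "$PWD" "/tmp/vpn-debug-$(hostname).tar"
```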

Resetting IKE/IPsec SAs in Check Point

In VPN-1 NG all IKE/IPsec SAs are kept in the kernel. Therefore, deleting the appropriate kernel table is sufficient.

1. To delete IKE SAs, delete the IKE_SA_table.
2. To delete IPsec SAs, delete the inbound_SPI and outbound_SPI tables.

Note: All three tables are 'keep' tables and, therefore, are not deleted upon policy installation.

To delete a table:

1. Run the command fw tab -t table_name -x
2. Type 'yes' at the confirmation prompt.