
SITE TO SITE VPN TROUBLESHOOTING

TEMPLATE
Firewall details Verification:

Firewall external IP x.x.x.x


Firewall internal IP x.x.x.x
Firewall DHCP configured: Yes/No

ISP Gateway PING verification:

ISP gateway x.x.x.x is reachable / not reachable

Secure Internal Communication (SIC) Verification:

Secure Internal Communication is checked and found working fine? (Remember: if SIC is not
working, please check the Master file in the SPLAT firewall module.)

Master File verification:

Master file is verified in the SPLAT module and found OK?

SmartDashboard log server setting also checked and found OK? (If a mismatch is found in either
place, please correct it. Remember: the log server setting in SmartDashboard needs to be set
as "locally defined"; otherwise it overrides the Master file updates in the SPLAT firewall.)

Routing Verification:

Verified the routes on the management router, R5, R6 of the respective zone routers and cluster 3/5, 4 of
the respective zone firewalls; found to be OK?

IPSEC VPN Tunnel negotiation verification:

Found UDP 500 messages are being negotiated between the two VPN peers. (If not, please run
the tcpdump logging tool on both end gateways and provide the result.)

fw monitor -e "accept src=<remote VPN gateway IP address>;"

OR

tcpdump -i eth0 host <remote VPN gateway IP address>
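
Added example (not part of the original template): a Python script that reads a saved text capture from the tcpdump command above and reports whether UDP 500 (IKE) packets are seen in both directions between the two peers. The function names, the sample lines and the 192.0.2.10 / 198.51.100.20 addresses are constructed for illustration, and the capture is assumed to have been taken with tcpdump's -n option so addresses and ports are numeric.

```python
import re

# Address part of a "tcpdump -n" text line, for example:
# "IP 192.0.2.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident"
PKT = re.compile(r"\bIP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")
IKE_PORT = "500"

def ike_directions(lines, local_gw, remote_gw):
    """Count IKE (UDP 500) packets between the two gateways, per direction."""
    counts = {"out": 0, "inbound": 0}
    for line in lines:
        m = PKT.search(line)
        # tcpdump tags UDP 500 payloads it decodes as IKE with "isakmp"
        if not m or "isakmp" not in line:
            continue
        src, sport, dst, dport = m.groups()
        if IKE_PORT not in (sport, dport):
            continue
        if (src, dst) == (local_gw, remote_gw):
            counts["out"] += 1
        elif (src, dst) == (remote_gw, local_gw):
            counts["inbound"] += 1
    return counts

def diagnose(lines, local_gw, remote_gw):
    """Classify the capture as seen from the local gateway."""
    c = ike_directions(lines, local_gw, remote_gw)
    if c["out"] and c["inbound"]:
        return "bidirectional"   # both peers are exchanging UDP 500
    if c["out"]:
        return "outbound-only"   # peer silent, or replies dropped on the path
    if c["inbound"]:
        return "inbound-only"    # local gateway is not answering the peer
    return "no-ike-traffic"      # nothing on UDP 500 between these peers

# Constructed sample captures (documentation addresses, not real gateways).
SAMPLE_OK = """\
10:15:01.100000 IP 192.0.2.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
10:15:01.180000 IP 198.51.100.20.500 > 192.0.2.10.500: isakmp: phase 1 R ident
10:15:01.200000 IP 192.0.2.10.443 > 203.0.113.5.51000: Flags [P.], length 60
""".splitlines()
SAMPLE_STUCK = """\
10:20:00.000000 IP 192.0.2.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
10:20:02.000000 IP 192.0.2.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
10:20:06.000000 IP 192.0.2.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
""".splitlines()

if __name__ == "__main__":
    print(diagnose(SAMPLE_OK, "192.0.2.10", "198.51.100.20"))
    print(diagnose(SAMPLE_STUCK, "192.0.2.10", "198.51.100.20"))
```

Run the same check on the capture from each gateway: "outbound-only" on one side and "no-ike-traffic" on the other points at the path between them rather than at either firewall.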

SmartView Status / SmartView Monitor:

In SmartView Status, the firewall is showing disconnected / error state / up and able / not able to see the
encrypted/decrypted traffic
Number of tunnels formed --- (you can check in SmartView Status)

DHCP setting verification:

DHCP settings are verified in the SPLAT module and the required DHCP rules are allowed in
the respective SmartDashboard policy package. (Be informed that sometimes the firewall may not be a
DHCP server and the market will have its own DHCP server.)

SmartView Tracker log verification:

In SmartView Monitor, logs are populating from the respective market subnet x.x.x.x and the tunnel
negotiation is happening. (If not, please check the Master file again.)

License update:

No license error observed in the SmartView Tracker log. (Be informed that sometimes the license file may have
an issue; in that situation please detach and attach the license again. You can do this from
SmartUpdate. If a license error is found, please inform the respective Zone lead and Nestle SME.)

Policy Push:

Policy push is working fine for the SPLAT firewall ------

Traffic checking:

Traceroute was run from <location name> to the internal subnet IP < >; results below

------
------
Ping was run from <location name> to the internal subnet IP < >; results below
----
----
