Difference between revisions of "VPN Bug Report Unix"
| (4 intermediate revisions by the same user not shown) | |||
| Line 20: | Line 20: | ||
After posting your initial problem report to the vpn-help mailing list, we may request that you provide additional information. The Shrew Soft VPN Client has several options that can be enabled which produce valuable debug output. This information is often essential to help isolate and resolve a reported problem. To gather this information, perform the following steps. | After posting your initial problem report to the vpn-help mailing list, we may request that you provide additional information. The Shrew Soft VPN Client has several options that can be enabled which produce valuable debug output. This information is often essential to help isolate and resolve a reported problem. To gather this information, perform the following steps. | ||
| − | + | ==== Enable IKE Daemon Debug Output ==== | |
To enable the IKE daemon debug output, open your iked.conf file with a text editor. Modify the daemon section of the file by seting the log_level option to debug and specifying a custom log output file path. Also specify a path for the pcap_decrypt option ( if requested ). | To enable the IKE daemon debug output, open your iked.conf file with a text editor. Modify the daemon section of the file by seting the log_level option to debug and specifying a custom log output file path. Also specify a path for the pcap_decrypt option ( if requested ). | ||
| − | + | daemon | |
| − | daemon | + | { |
| − | { | + | socket ike 500; |
| − | + | socket natt 4500; | |
| − | + | ||
| − | + | log_level debug; | |
| − | + | log_file "/var/log/iked.log"; | |
| − | + | ||
| − | + | pcap_decrypt "/var/log/dump-ike-decrypt.cap"; | |
| − | + | } | |
| − | |||
| − | |||
Restart the IKE daemon. If your platform provides a Linux init script or BSD rc script, use it to restart the daemon. | Restart the IKE daemon. If your platform provides a Linux init script or BSD rc script, use it to restart the daemon. | ||
| − | + | # /etc/init.d/iked restart | |
| − | # /etc/init.d/iked restart | ||
| − | |||
To manually restart the service, first locate the iked process id and use the kill utility to stop the daemon. Afterwords you can restart the daemon. You will need root equivalent privileges to perform these steps. | To manually restart the service, first locate the iked process id and use the kill utility to stop the daemon. Afterwords you can restart the daemon. You will need root equivalent privileges to perform these steps. | ||
| − | + | # ps aux | grep iked | |
| − | # ps aux | grep iked | + | root 54252 0.0 1.1 4536 2896 ?? Ss 7:53PM 0:00.01 iked |
| − | root 54252 0.0 1.1 4536 2896 ?? Ss 7:53PM 0:00.01 iked | + | # kill 54252 |
| − | # kill 54252 | + | # iked |
| − | # iked | ||
| − | |||
| − | + | ==== Reproduce Your Problem ==== | |
While reproducing your problem, the VPN Client will capture debug output to be submitted with your bug report. | While reproducing your problem, the VPN Client will capture debug output to be submitted with your bug report. | ||
| − | + | ==== Copy IKE Daemon Debug Output Files ==== | |
To make a copy of the IKE daemon debug output, perform the following steps. | To make a copy of the IKE daemon debug output, perform the following steps. | ||
| − | + | * Make sure the IKE daemon is not running | |
| − | + | * Copy the following files to a temporary directory | |
| − | + | ** /var/log/iked.log | |
| − | + | ** /var/log/dump-ike-decrypt.cap | |
For example: | For example: | ||
| − | + | mkdir ~/ikedebug | |
| − | mkdir ~/ikedebug | + | cp /var/log/iked.log ~/ikedebug/ |
| − | cp /var/log/iked.log ~/ikedebug/ | + | cp /var/log/dump-ike-decrypt.cap ~/ikedebug/ |
| − | cp /var/log/dump-ike-decrypt.cap ~/ikedebug/ | ||
| − | |||
| − | + | ==== Disable IKE Daemon Debug Output ==== | |
To disable the IKE daemon debug output, open your iked.conf file with a text editor. Modify the daemon section of the file by seting the log_level option to none. Also remove or comment out the pcap_decrypt option. Afterwards you can restart the daemon. | To disable the IKE daemon debug output, open your iked.conf file with a text editor. Modify the daemon section of the file by seting the log_level option to none. Also remove or comment out the pcap_decrypt option. Afterwards you can restart the daemon. | ||
| − | + | ==== Archive the Debug Output ==== | |
Use the tar utility to store the debug output files in a compressed archive. | Use the tar utility to store the debug output files in a compressed archive. | ||
| Line 83: | Line 75: | ||
For example: | For example: | ||
| − | + | cd ~ | |
| − | cd ~ | + | tar zcvf ikedebug.tgz ikedebug |
| − | tar zcvf ikedebug.tgz ikedebug | ||
| − | |||
If you plan to post debug output to the vpn-help mailing list, please be sure to remove sensitive information from log files such as your gateway IP address. Alternately, you can send your archive attachment directly to your Shrew Soft contact in a separate email. | If you plan to post debug output to the vpn-help mailing list, please be sure to remove sensitive information from log files such as your gateway IP address. Alternately, you can send your archive attachment directly to your Shrew Soft contact in a separate email. | ||
| Line 94: | Line 84: | ||
== Example Bug Report == | == Example Bug Report == | ||
| − | + | Problem: | |
| − | Problem: | + | |
| − | + | The VPN client fails to connect to my gateway when I have firmware | |
| − | The VPN client fails to connect to my gateway when I have firmware | + | version 3.7 installed. After clicking connect, the client reports |
| − | version 3.7 installed. After clicking connect, the client reports | + | it has received an invalid message from the gateway. Downgrading |
| − | it has received an invalid message from the gateway. Downgrading | + | my gateway firmware to version 3.6 allows me to connect again. |
| − | my gateway firmware to version 3.6 allows me to connect again. | + | |
| − | + | To Reproduce: | |
| − | To Reproduce: | + | |
| − | + | Connect to any SuperEX 1510 VPN Gateway using firmware revision 3.7. | |
| − | Connect to any SuperEX 1510 VPN Gateway using firmware revision 3.7. | + | |
| − | + | VPN Client Version = 2.1.0 RC1 | |
| − | VPN Client Version = 2.1.0 RC1 | + | Unix OS Version = FreeBSD 6.3-RELEASE |
| − | Unix OS Version = FreeBSD 6.3-RELEASE | + | Gateway Make/Model = SuperEX 1510 |
| − | Gateway Make/Model = SuperEX 1510 | + | Gateway OS Version = 3.7 |
| − | Gateway OS Version = 3.7 | + | |
| − | + | ikedebug.tgz [attachment] | |
| − | ikedebug.tgz [attachment] | + | \ikedebug\iked.log |
| − | \ikedebug\iked.log | + | ikedebug\dump-ike-decrypt.cap ( if requested ) |
| − | |||
| − | |||
Latest revision as of 18:40, 3 September 2012
Contents
Introduction
This guide describes what information should be included when submitting a VPN Client for Linux/BSD bug report to the vpn-help mailing list. Please read this information carefully as the likelihood of getting a problem corrected is usually directly related to the quality of the bug report being submitted.
Describe Your Problem Clearly
Please describe the problem symptoms and the circumstance under which the problem occurs. It is also very important to note how the problem can be re-produced.
Include Your Client and Gateway Information
Please include your client and gateway information with each new problem report. The following information should be stated.
- VPN Client Version
- Linux or BSD OS Version
- Gateway Make/Model
- Gateway OS Version ( if known )
Include Debug Output if Requested
After posting your initial problem report to the vpn-help mailing list, we may request that you provide additional information. The Shrew Soft VPN Client has several options that can be enabled which produce valuable debug output. This information is often essential to help isolate and resolve a reported problem. To gather this information, perform the following steps.
Enable IKE Daemon Debug Output
To enable the IKE daemon debug output, open your iked.conf file with a text editor. Modify the daemon section of the file by seting the log_level option to debug and specifying a custom log output file path. Also specify a path for the pcap_decrypt option ( if requested ).
daemon
{
socket ike 500;
socket natt 4500;
log_level debug;
log_file "/var/log/iked.log";
pcap_decrypt "/var/log/dump-ike-decrypt.cap";
}
Restart the IKE daemon. If your platform provides a Linux init script or BSD rc script, use it to restart the daemon.
# /etc/init.d/iked restart
To manually restart the service, first locate the iked process id and use the kill utility to stop the daemon. Afterwords you can restart the daemon. You will need root equivalent privileges to perform these steps.
# ps aux | grep iked root 54252 0.0 1.1 4536 2896 ?? Ss 7:53PM 0:00.01 iked # kill 54252 # iked
Reproduce Your Problem
While reproducing your problem, the VPN Client will capture debug output to be submitted with your bug report.
Copy IKE Daemon Debug Output Files
To make a copy of the IKE daemon debug output, perform the following steps.
- Make sure the IKE daemon is not running
- Copy the following files to a temporary directory
- /var/log/iked.log
- /var/log/dump-ike-decrypt.cap
For example:
mkdir ~/ikedebug cp /var/log/iked.log ~/ikedebug/ cp /var/log/dump-ike-decrypt.cap ~/ikedebug/
Disable IKE Daemon Debug Output
To disable the IKE daemon debug output, open your iked.conf file with a text editor. Modify the daemon section of the file by seting the log_level option to none. Also remove or comment out the pcap_decrypt option. Afterwards you can restart the daemon.
Archive the Debug Output
Use the tar utility to store the debug output files in a compressed archive.
For example:
cd ~ tar zcvf ikedebug.tgz ikedebug
If you plan to post debug output to the vpn-help mailing list, please be sure to remove sensitive information from log files such as your gateway IP address. Alternately, you can send your archive attachment directly to your Shrew Soft contact in a separate email.
NOTE: Never post decrypted binary packet dump information to the mailing list. Also, never post log output using a level higher than debug. This output may include information that could be used to compromise the security of your gateway.
Example Bug Report
Problem: The VPN client fails to connect to my gateway when I have firmware version 3.7 installed. After clicking connect, the client reports it has received an invalid message from the gateway. Downgrading my gateway firmware to version 3.6 allows me to connect again. To Reproduce: Connect to any SuperEX 1510 VPN Gateway using firmware revision 3.7. VPN Client Version = 2.1.0 RC1 Unix OS Version = FreeBSD 6.3-RELEASE Gateway Make/Model = SuperEX 1510 Gateway OS Version = 3.7 ikedebug.tgz [attachment] \ikedebug\iked.log ikedebug\dump-ike-decrypt.cap ( if requested )