===== Troubleshooting Mobile Access =====
----
sk99053
[[https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk99053|CheckPoint Support Center]]
----
==== Introduction ====
This article provides the necessary steps for debugging Mobile Access Web Applications.
==== Relevant debugs ====
* Traffic capture of HTTP traffic from the browser on client machine (using Fiddler web debugger).
* Debug of Mobile Access Web Server on Mobile Access Gateway (debug of HTTPD daemon).
* Debug of Mobile Access sessions (debug of CVPND daemon).
* Traffic capture (Trace Logs) of HTTP traffic between the Mobile Access Gateway and the internal web server published with the Mobile Access blade.
* Traffic capture between the Mobile Access Gateway and the internal web server.
==== Debug procedure ====
**Step I** - Client machine:
- Install [[http://www.telerik.com/download/fiddler|Fiddler web debugger]] on the Client machine.
- Empty the browser cache before starting the debug.
- Configure Fiddler to Decrypt HTTPS Traffic [[http://docs.telerik.com/fiddler/configure-fiddler/tasks/DecryptHTTPS|as described here]].
- Enable the relevant debugs on the Mobile Access Gateway (see **Step II** below).
- Replicate the issue while connecting to the internal network **through** Mobile Access Gateway.
- Stop all debugs - both on Client machine and on Mobile Access Gateway (see **Step II** below).
- Configure Fiddler to Decrypt HTTPS Traffic [[http://docs.telerik.com/fiddler/configure-fiddler/tasks/DecryptHTTPS|as described here]].
- Replicate the issue while connecting to the internal network **without** Mobile Access Gateway.
- Stop the debugs on Client machine.
- Send the Fiddler output files (from **both** replications) to [[http://www.checkpoint.com/services/contact/index.html|Check Point Support]] for analysis.
**Step II** - Mobile Access Gateway:
- Connect to command line on Mobile Access Gateway.
- Log in to Expert mode.
- Back up the current ''$CVPNDIR/conf/httpd.conf'' file: ''[Expert@HostName]# cp $CVPNDIR/conf/httpd.conf $CVPNDIR/conf/httpd.conf_ORIGINAL''
- Edit the current ''$CVPNDIR/conf/httpd.conf'' file: ''[Expert@HostName]# vi $CVPNDIR/conf/httpd.conf''
- To enable debug of the Mobile Access Web Server on Mobile Access Gateway (debug of HTTPD daemon), change the first line of the ''$CVPNDIR/conf/httpd.conf'' file from ''LogLevel emerg'' to ''LogLevel debug''.
- To enable traffic capture (Trace Logs) of the HTTP traffic between the Mobile Access Gateway and the internal web server published with the Mobile Access blade, change the following in the ''$CVPNDIR/conf/httpd.conf'' file:
  * In **R66 / R66.1**: Uncomment these lines (remove the ''#'' at the beginning): ''LoadModule trace_logger /opt/CPcvpn-R66/lib/libModTrace.so'', ''CvpnTraceLogDir /opt/CPcvpn-R66/log/trace_log/'' and ''CvpnTraceLogMaxByte 10000000''
  * In **R71.X / R75 / R75.10 / R75.20 / R75.30**: Uncomment this line (remove the ''#'' at the beginning): ''LoadModule trace_logger /opt/CPcvpn-R7X/lib/libModTrace.so''
  * In **R75.40 / R75.40VS / R75.45 / R75.46 / R75.47**: Nothing else needs to be changed.
  * In **R76 / R77 / R77.10** and above: Change this line from ''CvpnTraceApache Off'' to ''CvpnTraceApache On''
- Save the file and exit from Vi editor.
- Reload the Mobile Access with the new settings: ''[Expert@HostName]# cvpnd_admin policy'' **Note:** This will gracefully restart the HTTPD daemon without disconnecting existing sessions.
- Check the ''$CVPNDIR/log/httpd.log'' file: ''[Expert@HostName]# tail -f $CVPNDIR/log/httpd.log'' If debug output is not printed, then restart the Mobile Access: ''[Expert@HostName]# cvpnrestart'' **Note:** This will restart both CVPND daemon and HTTPD daemon - all existing connections will be disconnected!
- In R75.40 and above, Trace Logs have to be enabled per user, with the usernames that logged into the Mobile Access Portal: ''[Expert@HostName]# cvpnd_admin debug trace users=UserName_1,UserName_2,UserName_3,...''
- Start the debug of CVPND daemon: ''[Expert@HostName]# cvpnd_admin debug set TDERROR_ALL_ALL=5''
- Start traffic capture on the Mobile Access Gateway: ''[Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_monitor.cap''
- Enable the relevant Fiddler debugs on the Client machine (see Step I above).
- Replicate the issue.
- Stop the Fiddler debugs on the Client machine.
- Stop traffic capture on the Mobile Access Gateway: Press CTRL+C
- Stop the debug of CVPND daemon: ''[Expert@HostName]# cvpnd_admin debug off''
- Restore the original ''$CVPNDIR/conf/httpd.conf'' file: ''[Expert@HostName]# cp $CVPNDIR/conf/httpd.conf $CVPNDIR/conf/httpd.conf_DEBUG'' and then ''[Expert@HostName]# cp $CVPNDIR/conf/httpd.conf_ORIGINAL $CVPNDIR/conf/httpd.conf''
- Reload the Mobile Access with the original settings: ''[Expert@HostName]# cvpnd_admin policy'' **Note:** This will gracefully restart the HTTPD daemon without disconnecting existing sessions.
- Check the ''$CVPNDIR/log/httpd.log'' file: ''[Expert@HostName]# tail -f $CVPNDIR/log/httpd.log'' If debug output is still being printed, then restart the Mobile Access: ''[Expert@HostName]# cvpnrestart'' **Note:** This will restart both CVPND daemon and HTTPD daemon - all existing connections will be disconnected!
- Send the following files from Mobile Access Gateway to Check Point Support for analysis:
  * ''/var/log/fw_monitor.cap''
  * ''$CVPNDIR/log/httpd.log*''
  * ''$CVPNDIR/log/cvpnd.elg*''
  * The entire directory ''$CVPNDIR/log/trace_log/''
  * CPinfo file from Mobile Access Gateway (use the latest version of CPinfo utility from sk92739).
  * In addition, CPinfo file from the involved Security Management Server / Domain Management Server.
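
The R76-and-above ''httpd.conf'' edits from Step II (backup, enable, restore), written as shell functions that take the file path as an argument so they can be rehearsed on a copy and so the restore can be verified. This is an added example, not part of the SK or Check Point code; the function names and the sample configuration are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not Check Point code): the R76+ httpd.conf edits, rehearsable on a copy.
# Function names and the sample file are assumptions made for this illustration.

write_sample_conf() {            # constructed stand-in for $CVPNDIR/conf/httpd.conf
    printf '%s\n' 'LogLevel emerg' 'Listen 443' 'CvpnTraceApache Off' > "$1"
}

enable_ma_debug() {              # $1 = path to httpd.conf
    conf=$1
    # Never overwrite an existing backup: it may be the only clean copy.
    if [ -e "${conf}_ORIGINAL" ]; then
        echo "refusing: ${conf}_ORIGINAL already exists" >&2
        return 1
    fi
    cp -p "$conf" "${conf}_ORIGINAL" || return 1
    sed -e 's/^LogLevel[[:space:]][[:space:]]*emerg[[:space:]]*$/LogLevel debug/' \
        -e 's/^CvpnTraceApache[[:space:]][[:space:]]*Off[[:space:]]*$/CvpnTraceApache On/' \
        "${conf}_ORIGINAL" > "${conf}.tmp" || return 1
    cat "${conf}.tmp" > "$conf" && rm -f "${conf}.tmp"   # keeps owner and mode of $conf
    # Confirm both edits took effect before reloading with 'cvpnd_admin policy'.
    grep -q '^LogLevel debug$' "$conf" && grep -q '^CvpnTraceApache On$' "$conf"
}

debug_left_on() {                # exit 0 if either debug setting is still active
    grep -Eq '^(LogLevel[[:space:]]+debug|CvpnTraceApache[[:space:]]+On)[[:space:]]*$' "$1"
}

restore_ma_conf() {              # $1 = path to httpd.conf
    conf=$1
    [ -f "${conf}_ORIGINAL" ] || return 1
    cp -p "$conf" "${conf}_DEBUG" || return 1            # keep the debug config, as in the procedure
    cat "${conf}_ORIGINAL" > "$conf" || return 1
    # The restored file must match the backup byte for byte and carry no debug settings.
    cmp -s "$conf" "${conf}_ORIGINAL" && ! debug_left_on "$conf"
}

if [ "${1:-}" = "--demo" ]; then # rehearse on a throwaway copy
    d=$(mktemp -d) && write_sample_conf "$d/httpd.conf"
    enable_ma_debug "$d/httpd.conf" && echo "debug enabled"
    restore_ma_conf "$d/httpd.conf" && echo "restored, debug off"
    rm -rf "$d"
fi
```

Running ''debug_left_on'' against the live file after the restore step confirms that neither ''LogLevel debug'' nor ''CvpnTraceApache On'' remains before the final ''cvpnd_admin policy'' reload.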