
Troubleshooting Mobile Access

Introduction

This article provides the necessary steps for debugging Mobile Access Web Applications.

Relevant debugs

  • Traffic capture of HTTP traffic from the browser on client machine (using Fiddler web debugger).
  • Debug of Mobile Access Web Server on Mobile Access Gateway (debug of HTTPD daemon).
  • Debug of Mobile Access sessions (debug of CVPND daemon).
  • Traffic capture (Trace Logs) of HTTP traffic between the Mobile Access Gateway and the internal web server published with the Mobile Access blade.
  • Traffic capture between the Mobile Access Gateway and the internal web server.

Debug procedure

I. Client machine:

  1. Install Fiddler web debugger on the Client machine.
  2. Empty the browser cache before starting the debug.
  3. Configure Fiddler to Decrypt HTTPS Traffic as described here.
  4. Enable the relevant debugs on the Mobile Access Gateway (see Step II below).
  5. Replicate the issue while connecting to the internal network through Mobile Access Gateway.
  6. Stop all debugs - both on Client machine and on Mobile Access Gateway (see Step II below).
  7. Configure Fiddler to Decrypt HTTPS Traffic as described here.
  8. Replicate the issue while connecting to the internal network without Mobile Access Gateway.
  9. Stop the debugs on Client machine.
  10. Send the Fiddler output files (from both replications) to Check Point Support for analysis.

II. Mobile Access Gateway:

  1. Connect to command line on Mobile Access Gateway.
  2. Log in to Expert mode.
  3. Backup the current $CVPNDIR/conf/httpd.conf file:
    [Expert@HostName]# cp  $CVPNDIR/conf/httpd.conf  $CVPNDIR/conf/httpd.conf_ORIGINAL
  4. Edit the current $CVPNDIR/conf/httpd.conf file:
    [Expert@HostName]# vi  $CVPNDIR/conf/httpd.conf
  5. To enable debug of the Mobile Access Web Server on Mobile Access Gateway (debug of HTTPD daemon), change the first line of the $CVPNDIR/conf/httpd.conf file from:
    LogLevel emerg

    to:

     LogLevel debug 
  6. To enable traffic capture (Trace Logs) of the HTTP traffic between the Mobile Access Gateway and the internal web server published with the Mobile Access blade, change the following in the $CVPNDIR/conf/httpd.conf file:

    In R66 / R66.1: Uncomment these lines (remove the # at the beginning):

    LoadModule trace_logger /opt/CPcvpn-R66/lib/libModTrace.so 
    CvpnTraceLogDir /opt/CPcvpn-R66/log/trace_log/ 
    CvpnTraceLogMaxByte 10000000 

    In R71.X / R75 / R75.10 / R75.20 / R75.30: Uncomment this line (remove the # at the beginning):

     LoadModule trace_logger /opt/CPcvpn-R7X/lib/libModTrace.so 

    In R75.40 / R75.40VS / R75.45 / R75.46 / R75.47: Nothing else needs to be changed.

    In R76 / R77 / R77.10 and above: Change this line from:

     CvpnTraceApache Off 

    to:

     CvpnTraceApache On 
  7. Save the file and exit from Vi editor.
  8. Reload the Mobile Access with the new settings:
    [Expert@HostName]# cvpnd_admin policy 

    Note: This will gracefully restart the HTTPD daemon without disconnecting existing sessions.

  9. Check the $CVPNDIR/log/httpd.log file:
     [Expert@HostName]# tail -f $CVPNDIR/log/httpd.log 

    If debug output is not printed, then restart the Mobile Access:

     [Expert@HostName]# cvpnrestart 

    Note: This will restart both CVPND daemon and HTTPD daemon - all existing connections will be disconnected!

  10. In R75.40 and above, Trace Logs have to be enabled per user, using the usernames that logged in to the Mobile Access Portal:
     [Expert@HostName]# cvpnd_admin debug trace users=UserName_1,UserName_2,UserName_3,... 
  11. Start the debug of CVPND daemon:
     [Expert@HostName]# cvpnd_admin debug set TDERROR_ALL_ALL=5 
  12. Start traffic capture on the Mobile Access Gateway:
     [Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_monitor.cap 
  13. Enable the relevant Fiddler debugs on the Client machine (see Step I above).
  14. Replicate the issue.
  15. Stop the Fiddler debugs on the Client machine.
  16. Stop traffic capture on the Mobile Access Gateway: Press CTRL+C
  17. Stop the debug of CVPND daemon:
     [Expert@HostName]# cvpnd_admin debug off 
  18. Restore the original $CVPNDIR/conf/httpd.conf file:
     [Expert@HostName]# cp  $CVPNDIR/conf/httpd.conf  $CVPNDIR/conf/httpd.conf_DEBUG
     [Expert@HostName]# cp  $CVPNDIR/conf/httpd.conf_ORIGINAL  $CVPNDIR/conf/httpd.conf

    Reload the Mobile Access with the original settings:

     [Expert@HostName]# cvpnd_admin policy 

    Note: This will gracefully restart the HTTPD daemon without disconnecting existing sessions.

  19. Check the $CVPNDIR/log/httpd.log file:
     [Expert@HostName]# tail -f $CVPNDIR/log/httpd.log 

    If debug output is still being printed, then restart the Mobile Access:

     [Expert@HostName]# cvpnrestart 

    Note: This will restart both CVPND daemon and HTTPD daemon - all existing connections will be disconnected!

  20. Send the following files from Mobile Access Gateway to Check Point Support for analysis:
    /var/log/fw_monitor.cap
    $CVPNDIR/log/httpd.log*
    $CVPNDIR/log/cvpnd.elg*
    The entire directory $CVPNDIR/log/trace_log/
    CPinfo file from Mobile Access Gateway (use the latest version of CPinfo utility from sk92739).
    In addition, CPinfo file from the involved Security Management Server / Domain Management Server.
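
After step 18, one way to confirm that the debug changes really were reverted is to compare the directives this procedure edits in httpd.conf against the httpd.conf_ORIGINAL backup from step 3. This is an added example, not Check Point tooling; the function names are hypothetical and the sample configs in demo() are constructed.

```shell
#!/bin/sh
# Added example (not Check Point code); function names are hypothetical.

# Print the active (uncommented) directives that the debug procedure edits,
# normalised to single spaces so pure whitespace changes do not count.
debug_directives() {
    awk '
        $1 ~ /^#/ { next }                    # commented-out line: ignore
        {
            d = tolower($1)
            if (d == "loglevel" || d == "cvpntraceapache" ||
                d == "cvpntracelogdir" || d == "cvpntracelogmaxbyte" ||
                (d == "loadmodule" && $2 == "trace_logger")) {
                $1 = $1                       # rebuild the line with single spaces
                print
            }
        }' "$1"
}

# Compare the live config ($1) with the pre-debug backup ($2).
# Returns 0 if the debug-related directives match, 1 if they differ,
# 2 if a file cannot be read.
check_restored() {
    live_set=$(debug_directives "$1") || return 2
    backup_set=$(debug_directives "$2") || return 2
    if [ "$live_set" = "$backup_set" ]; then
        return 0
    fi
    echo "Debug-related directives differ from the backup."
    echo "backup:"; printf '%s\n' "$backup_set" | sed 's/^/  /'
    echo "live:";   printf '%s\n' "$live_set"   | sed 's/^/  /'
    return 1
}

# Constructed sample configs (not taken from a real gateway): the live file
# still carries the debug values from steps 5 and 6, so the check returns 1.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'LogLevel emerg\nCvpnTraceApache Off\n' > "$dir/httpd.conf_ORIGINAL"
    printf 'LogLevel   debug\n# LogLevel emerg\nCvpnTraceApache On\n' > "$dir/httpd.conf"
    status=0
    check_restored "$dir/httpd.conf" "$dir/httpd.conf_ORIGINAL" || status=$?
    rm -rf "$dir"
    return "$status"
}
```

On the gateway this would be called as `check_restored $CVPNDIR/conf/httpd.conf $CVPNDIR/conf/httpd.conf_ORIGINAL`. It covers only httpd.conf; the CVPND debug and per-user trace settings are switched with cvpnd_admin and are not stored in this file.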
checkpoint/gateway/mobileaccessstroubleshooting.txt · Last modified: 2016/11/15 12:48 (external edit)