Troubleshoot VPN service issues
There are three types of VPN that you can configure on an NSX Edge Services Gateway (ESG):
- SSL-VPN Plus
- IPSec VPN
- L2 VPN
Let's start with troubleshooting IPSec VPN.
To troubleshoot any VPN issue, you should know how the VPN service is configured so that you can first rule out a misconfiguration (mismatched proposals, pre-shared keys, peer IDs or local/peer subnets account for most failed tunnels). To review the implementation and configuration of the IPSec VPN service, refer to the article on that topic.
To run troubleshooting commands on the ESG where the IPSec VPN service is configured, connect to the edge via SSH.
To view the full list of IPSec commands, run: show service ipsec ?
Check the IPSec VPN service status: show service ipsec
To see the IPSec configuration, run: show config ipsec
Additionally, you can configure the ESG where IPSec is configured to forward its logs to a centralized syslog server.
Once a syslog server is configured on the ESG, you will find the following log files forwarded to the syslog server:
[root@mgmt-linjump VPN-01-0]# ls -l
total 32
-rw-------. 1 root root  3111 Jun 18 15:04 charon.log
-rw-------. 1 root root  1051 Jun 18 15:03 config.log
-rw-------. 1 root root 14022 Jun 18 15:05 firewall.log
-rw-------. 1 root root   290 Jun 18 15:03 monit.log
-rw-------. 1 root root   250 Jun 18 15:03 syslog-ng.log
You can use tail, cat or grep to read these log files when debugging. charon.log is the log of the strongSwan IKE daemon (charon) that the ESG uses for IPSec, so IKE negotiation failures (proposal mismatches, authentication failures, unknown peers) show up there; firewall.log is where you will see whether IKE traffic (UDP 500/4500) or ESP is being dropped.
Also, when troubleshooting IPSec issues, you can temporarily set the log level for IPSec VPN to debug to capture more detail. Remember to set it back afterwards, since debug logging is verbose and the edge's log volume grows quickly.
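Reading charon.log by hand gets tedious once a peer has retried a few hundred times, so the following is a small triage script, added here as an example and not part of the original post or of NSX itself. It writes a handful of constructed sample lines in the style of strongSwan's charon output (the hostname, connection name and addresses are made up, and the exact wording of a real ESG's entries may differ slightly), counts the usual IKE failure signatures and maps each one to the misconfiguration it normally indicates, and reports whether the last IKE event was a successful CHILD_SA (that is, a tunnel that actually came up).

```shell
#!/bin/sh
# Triage a syslog-forwarded charon.log (strongSwan IKE daemon) for the
# common reasons an IPSec tunnel fails to establish.
# Example added to this post; the sample log is CONSTRUCTED to mimic
# strongSwan messages and was not captured from a real ESG.

SAMPLE_LOG="${TMPDIR:-/tmp}/charon-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
Jun 18 15:03:41 VPN-01-0 charon: 06[IKE] initiating Main Mode IKE_SA con-1[1] to 198.51.100.10
Jun 18 15:03:41 VPN-01-0 charon: 06[IKE] received NO_PROPOSAL_CHOSEN error notify
Jun 18 15:03:52 VPN-01-0 charon: 07[IKE] initiating Main Mode IKE_SA con-1[2] to 198.51.100.10
Jun 18 15:03:53 VPN-01-0 charon: 07[IKE] received AUTHENTICATION_FAILED error notify
Jun 18 15:04:10 VPN-01-0 charon: 08[CFG] no matching peer config found
Jun 18 15:04:30 VPN-01-0 charon: 09[IKE] IKE_SA con-1[3] established between 203.0.113.5[203.0.113.5]...198.51.100.10[198.51.100.10]
Jun 18 15:04:30 VPN-01-0 charon: 09[IKE] CHILD_SA con-1{1} established with SPIs c1a2b3d4_i e5f6a7b8_o
EOF

# Count lines matching an extended regex. grep -c exits 1 when the count is
# zero, so "|| true" keeps the function usable under "set -e".
count_matches() {
    # $1 = log file, $2 = extended regex
    grep -Ec "$2" "$1" || true
}

# Map each failure signature to the misconfiguration it usually indicates.
ipsec_triage() {
    f="$1"
    printf 'NO_PROPOSAL_CHOSEN (encryption/DH group/PFS mismatch): %s\n' \
        "$(count_matches "$f" 'NO_PROPOSAL_CHOSEN')"
    printf 'AUTHENTICATION_FAILED (pre-shared key or certificate mismatch): %s\n' \
        "$(count_matches "$f" 'AUTHENTICATION_FAILED')"
    printf 'no matching peer config (peer ID, endpoint or subnet mismatch): %s\n' \
        "$(count_matches "$f" 'no matching peer config')"
    printf 'IKE_SA established (phase 1 OK): %s\n' \
        "$(count_matches "$f" 'IKE_SA .* established')"
    printf 'CHILD_SA established (phase 2 OK, tunnel up): %s\n' \
        "$(count_matches "$f" 'CHILD_SA .* established')"
}

# Returns 0 when the most recent IKE event in the log is a CHILD_SA coming
# up, 1 when the most recent event is a failure (or there is no event at all).
tunnel_is_up() {
    f="$1"
    last=$(grep -E 'CHILD_SA .* established|NO_PROPOSAL_CHOSEN|AUTHENTICATION_FAILED|no matching peer config' "$f" | tail -n 1)
    case "$last" in
        *CHILD_SA*established*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: point the functions at the file your syslog server received.
ipsec_triage "$SAMPLE_LOG"
if tunnel_is_up "$SAMPLE_LOG"; then
    echo "last IKE event: tunnel established"
else
    echo "last IKE event: failure, see counts above"
fi
```

Run it against the charon.log on your syslog server instead of the sample file; a non-zero count for one of the failure signatures tells you which part of the IPSec configuration to compare with the peer's before you turn on debug logging.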
Troubleshooting SSL-VPN Plus issues
Connect to the NSX Edge where SSL-VPN Plus is configured and run the following commands to debug and troubleshoot issues.
To see the full list of commands: show service sslvpn-plus ?
Check the SSL VPN service status: show service sslvpn-plus
Check SSL VPN statistics: show service sslvpn-plus stats
To see the SSL VPN config: show config sslvpn-plus
I have included only a part of my SSL VPN config.
Check if SSL VPN clients are connected: show service sslvpn-plus tunnels
Check SSL VPN sessions: show service sslvpn-plus sessions
You can also raise the logging level on the Edge where SSL-VPN Plus is configured to gather more information from the logs. The most detail is captured when the logging level is set to 'debug'.
You can change the logging level from the default 'info' to 'debug'.
Logs for remote Windows clients trying to connect to the SSL VPN service are located in the folder C:\Users\<username>\AppData\Local\VMware\vpn (that is, %LOCALAPPDATA%\VMware\vpn). There you will find a log file named svp_client. Check it first when the server-side session list shows nothing for that user, since a client that never reached the edge leaves no trace on the ESG.
Troubleshoot DHCP service issues
To effectively troubleshoot DHCP issues, make sure to set the logging level to debug for the DHCP service.
SSH to the edge gateway where DHCP is configured and run the following commands to debug and troubleshoot issues.
View the full list of DHCP commands: show service dhcp ?
Check the DHCP service status: show service dhcp
Check DHCP lease info: show service dhcp leaseinfo
Check the DHCP configuration: show config dhcp
If you have changed a DHCP pool after the initial configuration, don't forget that clients keep their existing lease until it expires: release and renew the lease on the client machines (for example, ipconfig /release followed by ipconfig /renew on Windows) so they pick up the new settings.
Troubleshoot DNS Service Issues
To effectively troubleshoot DNS issues, make sure to change the logging level for the DNS service to debug so as to collect the maximum detail from the logs.
To change the logging level, select the edge where DNS is configured, navigate to Manage > Settings > Configuration > DNS Configuration and click Change.
Set Log level to 'debug' and click OK.
Connect to the ESG via SSH and run the following commands:
Check the DNS service status: show service dns
Check the DNS config: show config dns
Once you have verified that the configuration is correct and DNS is still not working as expected, run show log and look for any entries related to DNS.
If you have changed DNS records on the upstream servers but the edge's DNS cache still holds the old answers, so that resolution through the ESG returns stale values, you can flush the cache with: clear service dns cache
ESG-01-Site-A-0> en
Password:
ESG-01-Site-A-0# clear service dns cache
ESG-01-Site-A-0#
Troubleshoot Load Balancer Implementation Issues
To review installation/configuration steps for load balancer, please read this article
I found a very helpful flowchart on VMware website which is very handy during troubleshooting load balancer issues.
Additionally, you can log in to the ESG (via SSH or console) where the LB is configured and run the following commands:
List all load balancer commands: show service loadbalancer ?
Check load balancer service state: show service loadbalancer
Check load balancer configuration: show config loadbalancer
Check health status of members of LB pool: show service loadbalancer pool
You can also check for errors by running command: show service loadbalancer error
Download Technical Support logs from NSX Edge instances
Edge gateway logs are very helpful when debugging and troubleshooting any Edge service-related issue. Also, if you have filed a support case with VMware, the GSS team will ask for the logs from the edge gateway.
To pull the logs from an edge gateway, select the Edge from the list of 'NSX Edges' and, from the Actions menu, click "Download Tech Support Logs".
Click the Download button once the log bundle generation has completed.
And that’s it for this post.
I hope you find this post informational. Feel free to share this on social media if it is worth sharing. Be sociable 🙂