4 Replies Latest reply on Apr 15, 2016 10:07 AM by dwinland

    Command line to view vpn connections

    dwinland

      I am using the NGFW 5.9


      Anyone know the command line way of viewing vpn connections on a system?


      thanks


        • 1. Re: Command line to view vpn connections
          lnurmi

          Please see the vpninfo command; I have highlighted some relevant switches below. A flow refers to a connection traversing a tunnel, plus the ESP/NAT-T pseudoconnections themselves.

          root@node1:~# vpninfo
          Usage: vpninfo [OPTION]...

          -H: Dump IKE peer information
          -Y: Dump mobile and dynamic peer information
          -S: Dump sessions
          -a: Dump IPsec SAs
          -e: Dump IPsec SAs
          -z: Display ongoing IKE and IPsec negotiations
          -t <tunnelID>: Dump IPsec SAs of tunnel
          -Z <transform>: Dump details of an IPsec SA
          -A: Dump Audit log
          -g: Dump global info
          -f: Dump flows
          -F <rule>: Dump flows by rule
          -r: Dump rules
          -R <rule>: Dump rule details
          -s: Dump statistics of all transforms
          -V: Display version information
          -l: Output log message buffer
          -c: Display policy manager connections
          -L <len>: Set log message buffer length in messages (also clears buffer)
          -o: Continuous log message output
          -i: Dump IKE SA list
          -C: Clustering statistics
          -m: Print the module's operating mode (FIPS / non-FIPS)
          -M: Output VPN SA monitoring status
          -v: Output vpn monitoring current status
          -P: Output TCP encapsulation connection states
          -X: Complete VPN Status
          -Q: Check configuration status
          -k: Display SPI hashing key info
          -n <level>: Set IKE debug level (0 - 15, 0 = no debug) (e.g. -n 6)
          -N: No output messages
          -d: Dump current DHCP sessions
          -K: Dump certificates
          -B <spi>: Delete IKE SAs
          -b <transform_index>: Delete IPsec SAs
          -J <in_spi> <out_spi>: Delete IPsec SA by Inbound and Outbound SPI values
          -p <ip_addr>: Delete SAs by peer
          -y <conn_id>: Delete SAs by connection
          -U <username>: Delete session and SAs by username
          -G <username> <domain>: Delete session and SAs by username@domain
          -j <session_id>: Delete SAs by session id
          -O <command> <parameters>: External crypto register/unregister/status
          -h: Display this help

          • 2. Re: Command line to view vpn connections
            dwinland

            Thanks lnurmi,

            I have tried this command but do not find the info I need, or perhaps I do not know how to break it down into usable info.

            I have a VPN that is being used by about 800+ users and was wanting to find a way to view how many are using the VPN pipe at any time.

            Most of these stats are about the single VPN rather than the users on the VPN.

            • 3. Re: Command line to view vpn connections
              lnurmi

              If you are talking about a site-to-site VPN, you can see the open connections through a tunnel by checking the transform statistics. Use "vpninfo -a" to find the relevant IPsec SA (Phase-2) and note the transform. Then you can view all transforms with "vpninfo -s", which lists the number of flows for each. If you have a lot of SAs, you can also view individual transforms with "vpninfo -Z <transform>".

              If it's a client VPN, then you should use "vpninfo -S" to see the concurrently connected users.

              • 4. Re: Command line to view vpn connections
                dwinland

                Thanks lnurmi,

                That did the trick.

                I used vpninfo -s

                The flows had what I needed - 869:

                Transform: 0x01030d2c
                  Octets (in/out): 13679815910/977794884, Packets (in/out): 17140877/13256063, Dropped: 0
                  MAC failures: 0, rekeys: 10, flows: 869

                Thanks again
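To turn the "vpninfo -s" listing from reply 3 into the per-tunnel user count the original poster wanted, here is an added POSIX shell example (not from the thread or from the NGFW product) that parses transform blocks in the layout quoted in reply 4. The sample output is constructed, and it assumes other transforms print the same three-line layout; `parse_transforms` reads stdin, so on a live node `vpninfo -s | parse_transforms` works unchanged.

```shell
#!/bin/sh
# Constructed sample of "vpninfo -s" output (not captured from a real
# appliance); the layout follows the transform excerpt quoted in the thread.
SAMPLE_VPNINFO_S='Transform: 0x01030d2c
  Octets (in/out): 13679815910/977794884, Packets (in/out): 17140877/13256063, Dropped: 0
  MAC failures: 0, rekeys: 10, flows: 869
Transform: 0x01030d2d
  Octets (in/out): 1234567/7654321, Packets (in/out): 9876/5432, Dropped: 3
  MAC failures: 2, rekeys: 4, flows: 231
'

# Print "<transform> <flows> <mac_failures> <dropped>" per transform, one per
# line. Reads stdin, so it can be fed directly by "vpninfo -s" on the node.
parse_transforms() {
  awk '
    /^Transform:/ { t = $2 }
    /Dropped:/    { sub(/.*Dropped: */, ""); dropped = $0 }
    /flows:/      {
      mac = $0; sub(/.*MAC failures: */, "", mac); sub(/,.*/, "", mac)
      fl  = $0; sub(/.*flows: */, "", fl)
      print t, fl + 0, mac + 0, dropped + 0
    }
  '
}

# Flows summed over all transforms: the number of connections currently
# traversing the tunnels (the figure the original poster was after).
total_flows() {
  printf '%s' "$SAMPLE_VPNINFO_S" | parse_transforms | awk '{ s += $2 } END { print s + 0 }'
}

# Transforms whose flow count exceeds a capacity threshold, so a scheduled
# job can alert before a tunnel approaches saturation. Usage: transforms_over 800
transforms_over() {
  printf '%s' "$SAMPLE_VPNINFO_S" | parse_transforms | awk -v th="$1" '$2 > th { print $1 }'
}

# Transforms reporting ESP MAC (integrity) failures: normally zero, so a
# non-zero count is worth a closer look with "vpninfo -Z <transform>".
transforms_with_mac_failures() {
  printf '%s' "$SAMPLE_VPNINFO_S" | parse_transforms | awk '$3 > 0 { print $1 }'
}
```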