-
Connect to command line on Mobile Access Gateway.
-
Log in to Expert mode.
-
Back up the current $CVPNDIR/conf/httpd.conf file:
[Expert@HostName]# cp $CVPNDIR/conf/httpd.conf $CVPNDIR/conf/httpd.conf_ORIGINAL
-
Edit the current $CVPNDIR/conf/httpd.conf file:
[Expert@HostName]# vi $CVPNDIR/conf/httpd.conf
-
To enable debug of the Mobile Access Web Server on Mobile Access Gateway (debug of HTTPD daemon) - change the following in the $CVPNDIR/conf/httpd.conf file:
Change the first line
from:
LogLevel emerg
to:
LogLevel debug
-
To enable traffic capture (Trace Logs) of the HTTP traffic between the Mobile Access Gateway and the internal web server published with the Mobile Access blade - change the following in the $CVPNDIR/conf/httpd.conf file:
-
In R76 / R77 / R77.10 and higher:
Change this line
from:
CvpnTraceApache Off
to:
CvpnTraceApache On
Note: This step is needed only if this parameter is set to 'Off'. Skip this step if it is set to 'On'.
-
In R75.40 / R75.40VS / R75.45 / R75.46 / R75.47:
Nothing else needs to be changed.
-
In R71.X / R75 / R75.10 / R75.20 / R75.30:
Uncomment this line (remove the # in the beginning)
LoadModule trace_logger /opt/CPcvpn-R7X/lib/libModTrace.so
-
In R66 / R66.1:
Uncomment these lines (remove the # in the beginning)
LoadModule trace_logger /opt/CPcvpn-R66/lib/libModTrace.so
CvpnTraceLogDir /opt/CPcvpn-R66/log/trace_log/
CvpnTraceLogMaxByte 10000000
-
Save the file and exit the vi editor.
-
Reload the Mobile Access with the new settings:
[Expert@HostName]# cvpnd_admin policy
Note: This will gracefully restart the HTTPD daemon without disconnecting existing sessions.
-
Check the $CVPNDIR/log/httpd.log file:
[Expert@HostName]# tail -f $CVPNDIR/log/httpd.log
If debug outputs are not printed, then restart the Mobile Access:
[Expert@HostName]# cvpnrestart
Note: This will restart both CVPND daemon and HTTPD daemon - all existing connections will be disconnected!
-
In R75.40 and higher, Trace Logs have to be enabled per user, using the usernames that logged in to the Mobile Access Portal:
[Expert@HostName]# cvpnd_admin debug trace users=UserName_1,UserName_2,UserName_3,...
-
Start the debug of CVPND daemon:
[Expert@HostName]# cvpnd_admin debug set TDERROR_ALL_ALL=5
-
Disable SecureXL (if it is currently enabled):
[Expert@HostName]# fwaccel stat
[Expert@HostName]# fwaccel off
[Expert@HostName]# fwaccel stat
-
Start traffic capture on the Mobile Access Gateway:
[Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_monitor.cap
-
Enable the relevant Fiddler debugs on the Client machine (see Step I above).
-
Replicate the issue.
-
Stop the Fiddler debugs on the Client machine.
-
Stop traffic capture on the Mobile Access Gateway:
Press CTRL+C
-
Enable SecureXL (if it was disabled before):
[Expert@HostName]# fwaccel stat
[Expert@HostName]# fwaccel on
[Expert@HostName]# fwaccel stat
-
Stop the debug of CVPND daemon:
[Expert@HostName]# cvpnd_admin debug off
-
Restore the original $CVPNDIR/conf/httpd.conf file:
[Expert@HostName]# cp $CVPNDIR/conf/httpd.conf $CVPNDIR/conf/httpd.conf_DEBUG
[Expert@HostName]# cp $CVPNDIR/conf/httpd.conf_ORIGINAL $CVPNDIR/conf/httpd.conf
-
Reload the Mobile Access with the original settings:
[Expert@HostName]# cvpnd_admin policy
Note: This will gracefully restart the HTTPD daemon without disconnecting existing sessions.
-
Check the $CVPNDIR/log/httpd.log file:
[Expert@HostName]# tail -f $CVPNDIR/log/httpd.log
If debug outputs are still being printed, then restart the Mobile Access:
[Expert@HostName]# cvpnrestart
Note: This will restart both CVPND daemon and HTTPD daemon - all existing connections will be disconnected!
-
Send the following files from Mobile Access Gateway to Check Point Support for analysis:
-
/var/log/fw_monitor.cap
-
$CVPNDIR/log/httpd.log*
-
$CVPNDIR/log/cvpnd.elg*
-
The entire directory $CVPNDIR/log/trace_log/
-
CPinfo file from Mobile Access Gateway (use the latest version of CPinfo utility from sk92739)
-
In addition, CPinfo file from the involved Security Management Server / Domain Management Server (use the latest version of CPinfo utility from sk92739)
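
A check for the restore step above, as an added example that is not part of the original article or of Check Point tooling: it flags an httpd.conf that still has LogLevel debug set or that differs from the httpd.conf_ORIGINAL backup. The function name audit_httpd_conf and the sample files are constructed for illustration.

```shell
#!/bin/bash
# Added example (not Check Point code): audit a Mobile Access httpd.conf
# for debug settings left behind after the debug procedure.
# Prints one finding per line. Returns 0 = clean, 1 = findings, 2 = unreadable.
audit_httpd_conf() {
    local conf orig rc
    conf=$1; orig=${2:-${1}_ORIGINAL}; rc=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }

    # An uncommented "LogLevel debug" means HTTPD debug is still configured.
    if grep -Eiq '^[[:space:]]*LogLevel[[:space:]]+debug([[:space:]]|$)' "$conf"; then
        echo "FINDING: LogLevel debug is active in $conf"; rc=1
    fi

    # The active file should be byte-identical to the backup taken before editing.
    if [ ! -r "$orig" ]; then
        echo "FINDING: backup $orig not found, restore cannot be confirmed"; rc=1
    elif ! cmp -s "$orig" "$conf"; then
        echo "FINDING: $conf differs from $orig"; rc=1
        # Show only the directives this procedure touches ('<' backup, '>' active).
        diff "$orig" "$conf" | grep -Ei '^[<>].*(LogLevel|CvpnTrace|trace_logger)'
    fi
    return $rc
}

# Constructed sample files, so the check can be tried away from the gateway.
demo() {
    local d; d=$(mktemp -d)
    printf 'LogLevel emerg\nCvpnTraceApache Off\n' > "$d/httpd.conf_ORIGINAL"
    printf 'LogLevel debug\nCvpnTraceApache On\n'  > "$d/httpd.conf"
    echo "== still in debug state =="; audit_httpd_conf "$d/httpd.conf"
    cp "$d/httpd.conf_ORIGINAL" "$d/httpd.conf"
    echo "== after restore ==";        audit_httpd_conf "$d/httpd.conf" && echo "clean"
    rm -rf "$d"
}
demo
```

On the gateway, the equivalent call after the final cvpnd_admin policy is audit_httpd_conf $CVPNDIR/conf/httpd.conf.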