Introduction:

This article provides the necessary steps for debugging Mobile Access Web Applications.

 

Relevant debugs:

1. Traffic capture of HTTP traffic from the browser on client machine (using Fiddler web debugger).

2. Debug of Mobile Access Web Server on Mobile Access Gateway (debug of HTTPD daemon).

3. Debug of Mobile Access sessions (debug of CVPND daemon).

4. Traffic capture (Trace Logs) of HTTP traffic between the Mobile Access Gateway and the internal web server published with the Mobile Access blade.

5. Traffic capture between the Mobile Access Gateway and the internal web server.

 

Debug procedure:

1. Client machine:

   1. Install Fiddler web debugger on the Client machine.

   2. Empty the browser cache before starting the debug.

   3. Configure Fiddler to Decrypt HTTPS Traffic as described here.

   4. Enable the relevant debugs on the Mobile Access Gateway (see Step II below).

   5. Replicate the issue while connecting to the internal network through Mobile Access Gateway.

   6. Stop all debugs - both on Client machine and on Mobile Access Gateway (see Step II below).

   7. Configure Fiddler to Decrypt HTTPS Traffic as described here.

   8. Replicate the issue while connecting to the internal network without Mobile Access Gateway.

   9. Stop the debugs on Client machine.

   10. Send the Fiddler output files (from both replications) to Check Point Support for analysis.

   
   
   

2. Mobile Access Gateway

   1. Connect to command line on Mobile Access Gateway.

   2. Log in to Expert mode.

   3. Backup the current $CVPNDIR/conf/httpd.conf file:

      [Expert@HostName]# cp  $CVPNDIR/conf/httpd.conf  $CVPNDIR/conf/httpd.conf_ORIGINAL

   4. Edit the current $CVPNDIR/conf/httpd.conf file:

      [Expert@HostName]# vi  $CVPNDIR/conf/httpd.conf

   5. To enable debug of the Mobile Access Web Server on Mobile Access Gateway (debug of HTTPD daemon) - change the following in the $CVPNDIR/conf/httpd.conf file:

      Change the first line

      from:

      LogLevel emerg

      to:

      LogLevel debug

   6. To enable traffic capture (Trace Logs) of the HTTP traffic between the Mobile Access Gateway and the internal web server published with the Mobile Access blade - change the following in the $CVPNDIR/conf/httpd.conf file:

      • In R76 / R77 / R77.10 and above:

        Change this line

        from:

        CvpnTraceApache Off

        to:

        CvpnTraceApache On

      • In R75.40 / R75.40VS / R75.45 / R75.46 / R75.47:

        Nothing else needs to be changed.

      • In R71.X / R75 / R75.10 / R75.20 / R75.30:

        Uncomment this line (remove the # in the beginning)

        LoadModule trace_logger /opt/CPcvpn-R7X/lib/libModTrace.so
        

      • In R66 / R66.1:

        Uncomment these lines (remove the # in the beginning)

        LoadModule trace_logger /opt/CPcvpn-R66/lib/libModTrace.so 
        CvpnTraceLogDir /opt/CPcvpn-R66/log/trace_log/ 
        CvpnTraceLogMaxByte 10000000
        

   7. Save the file and exit from Vi editor.

   8. Reload the Mobile Access with the new settings:

      [Expert@HostName]# cvpnd_admin policy

      Note: This will gracefully restart the HTTPD daemon without disconnecting existing sessions.

   9. Check the $CVPNDIR/log/httpd.log file:

      [Expert@HostName]# tail -f $CVPNDIR/log/httpd.log

      If debug outputs are not printed, then restart the Mobile Access:

      [Expert@HostName]# cvpnrestart

      Note: This will restart both CVPND daemon and HTTPD daemon - all existing connections will be disconnected!

   10. In R75.40 and above, Trace Logs have to be enabled per users, with the usernames that logged into the Mobile Access Portal:

       [Expert@HostName]# cvpnd_admin debug trace users=UserName_1,UserName_2,UserName_3,...

   11. Start the debug of CVPND daemon:

       [Expert@HostName]# cvpnd_admin debug set TDERROR_ALL_ALL=5
       
       

   12. Disable SecureXL (if it is currently enabled):

       [Expert@HostName]# fwaccel stat
       [Expert@HostName]# fwaccel off
       [Expert@HostName]# fwaccel stat

   13. Start traffic capture on the Mobile Access Gateway:

       [Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_monitor.cap

   14. Enable the relevant Fiddler debugs on the Client machine (see Step I above).

   15. Replicate the issue.

   16. Stop the Fiddler debugs on the Client machine.

   17. Stop traffic capture on the Mobile Access Gateway:

       Press CTRL+C

   18. Enable SecureXL (if it was disabled before):

       [Expert@HostName]# fwaccel stat
       [Expert@HostName]# fwaccel on
       [Expert@HostName]# fwaccel stat

   19. Stop the debug of CVPND daemon:

       [Expert@HostName]# cvpnd_admin debug off

   20. Restore the original $CVPNDIR/conf/httpd.conf file:

       [Expert@HostName]# cp  $CVPNDIR/conf/httpd.conf  $CVPNDIR/conf/httpd.conf_DEBUG

       [Expert@HostName]# cp  $CVPNDIR/conf/httpd.conf_ORIGINAL  $CVPNDIR/conf/httpd.conf

   21. Reload the Mobile Access with the original settings:

       [Expert@HostName]# cvpnd_admin policy

       Note: This will gracefully restart the HTTPD daemon without disconnecting existing sessions.

   22. Check the $CVPNDIR/log/httpd.log file:

       [Expert@HostName]# tail -f $CVPNDIR/log/httpd.log

       If debugs output are still being printed, then restart the Mobile Access:

       [Expert@HostName]# cvpnrestart

       Note: This will restart both CVPND daemon and HTTPD daemon - all existing connections will be disconnected!

   23. Send the following files from Mobile Access Gateway to Check Point Support for analysis:

       • /var/log/fw_monitor.cap

       • $CVPNDIR/log/httpd.log*

       • $CVPNDIR/log/cvpnd.elg*

       • The entire directory $CVPNDIR/log/trace_log/

       • CPinfo file from Mobile Access Gateway (use the latest version of CPinfo utility from sk92739)

       • In addition, CPinfo file from the involved Security Management Server / Domain Management Server (use the latest version of CPinfo utility from sk92739)