topic Re: Using API to reset IPSEC tunnel in Automation/API Discussions

Using API to reset IPSEC tunnel

Eric.Nelson — Thu, 30 Jun 2016 20:00:29 GMT

I have a need to automate issuing test and clear commands to IPSEC vpn tunnels and gateways. This seems very straight forward using panxapi or curl. The concern I have is that there does not seem to be any checking that the tunnel exists. When you issue the command to test/clear from the CLI and you specify a bad name it errors out. When you do the same with panxapi or curl you get a success no matter what.

My concerns:

Is this a bug or expected behavior?
If you issue test/clear without specifying a name on the CLI it will issue the command to ALL tunnels (this seems broken to me) , if I issue an api call with a bad tunnel name what is the behavior?
- Reset everything?
- error out on the back end?

Example calls :

panxapi:

C:\Users\me>panxapi -h <IP> -K "<key>" -xr -o
"<test><vpn><ipsec-sa><tunnel>GOOD_NAME</tunnel></ipsec-sa></vpn></test>"
op: success
<member>Initiate 0 IPSec SA for tunnel GOOD_NAME.
</member>

C:\Users\me>panxapi -h <IP> -K "<key>" -xr -o
"<test><vpn><ipsec-sa><tunnel>BAD_NAME</tunnel></ipsec-sa></vpn></test>"
op: success
<member>Initiate 0 IPSec SA for tunnel BAD_NAME.
</member>

curl:

curl 'https://<IP>/api/?type=op&cmd=<clear><vpn><ipsec-sa><tunnel>GOOD_NAME</tunnel></ipsec-sa></vpn></clear>&key=<KEY>
<response status="success"><result>
<member>Clear IPSec SA for tunnel GOOD_NAME: 0 IKEv1 SA, 0 IKEv2 SA.
</member>

curl 'https://<IP>/api/?type=op&cmd=<clear><vpn><ipsec-sa><tunnel>BAD_NAME</tunnel></ipsec-sa></vpn></clear>&key=<KEY>
<response status="success"><result>
<member>Clear IPSec SA for tunnel BAD_NAME: 0 IKEv1 SA, 0 IKEv2 SA.
</member>

Lastly, where can I find the logs for all this stuff?

Thanks !

Re: Using API to reset IPSEC tunnel

ksteves1 — Fri, 01 Jul 2016 01:58:10 GMT

on 6.1 there is an error but not on 7.0 or 7.1:

6.1.12:

admin@PA-200> test vpn ipsec-sa tunnel foo

Server error : foo is invalid tunnel.Current target-vsys is none
test -> vpn -> ipsec-sa -> tunnel is invalid

7.0.8 and 7.1.3:

admin@PA-200-2> test vpn ipsec-sa tunnel foo

Initiate 0 IPSec SA for tunnel foo.

type=op request using API have same results. seems like it may be a bug, as I would expect an error and behavior to be unchanged in 7.x suggest to log a case.

Re: Using API to reset IPSEC tunnel

Eric.Nelson — Fri, 01 Jul 2016 15:02:12 GMT

Thanks for confirming! I'll open a case.

And thanks for panxapi!

Re: Using API to reset IPSEC tunnel

Eric.Nelson — Tue, 05 Jul 2016 16:50:41 GMT

Bug confirmed for this behavor.

Bug 99349 - VPN test\reset command no longer produces an error when an invalid tunnel is specified

I'll update the thread as I get more informaiton.