
Using API to reset IPSEC tunnel



L1 Bithead

I have a need to automate issuing test and clear commands to IPSEC vpn tunnels and gateways. This seems very straight forward using panxapi or curl. The concern I have is that there does not seem to be any checking that the tunnel exists. When you issue the command to test/clear from the CLI and you specify a bad name it errors out. When you do the same with panxapi or curl you get a success no matter what. 

 

My concerns:

  • Is this a bug or expected behavior?
  • If you issue test/clear without specifying a name on the CLI it will issue the command to ALL tunnels (this seems broken to me); if I issue an API call with a bad tunnel name, what is the behavior?
    • Reset everything?
    • error out on the back end? 

 

Example calls :

panxapi:

C:\Users\me>panxapi -h <IP> -K "<key>" -xr -o
"<test><vpn><ipsec-sa><tunnel>GOOD_NAME</tunnel></ipsec-sa></vpn></test>"
op: success
<member>Initiate 0 IPSec SA for tunnel GOOD_NAME.
</member>

C:\Users\me>panxapi -h <IP> -K "<key>" -xr -o
"<test><vpn><ipsec-sa><tunnel>BAD_NAME</tunnel></ipsec-sa></vpn></test>"
op: success
<member>Initiate 0 IPSec SA for tunnel BAD_NAME.
</member>

 

curl:

curl 'https://<IP>/api/?type=op&cmd=<clear><vpn><ipsec-sa><tunnel>GOOD_NAME</tunnel></ipsec-sa></vpn></clear>&key=<KEY>'
<response status="success"><result>
<member>Clear IPSec SA for tunnel GOOD_NAME: 0 IKEv1 SA, 0 IKEv2 SA.
</member>

curl 'https://<IP>/api/?type=op&cmd=<clear><vpn><ipsec-sa><tunnel>BAD_NAME</tunnel></ipsec-sa></vpn></clear>&key=<KEY>'
<response status="success"><result>
<member>Clear IPSec SA for tunnel BAD_NAME: 0 IKEv1 SA, 0 IKEv2 SA.
</member>

 

Lastly, where can I find the logs for all this stuff? 

 

Thanks ! 

 
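An added example (not from the original post and not Palo Alto Networks' own tooling) of how the automation could guard against both concerns raised above: it refuses to build a test/clear op command without an explicit tunnel name, checks the name against an inventory it assumes (KNOWN_TUNNELS is a placeholder), and classifies the API response so that a "success" that initiated or cleared zero SAs is reported as a no-op rather than a pass. The host, key and sample responses are constructed; the responses follow the shape quoted in the post with the truncated closing tags restored.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Placeholder inventory of tunnels this automation is allowed to touch (assumption).
KNOWN_TUNNELS = {"GOOD_NAME", "SITE_B"}


def build_op_url(host, api_key, action, tunnel):
    """Build the type=op URL for 'test' or 'clear' vpn ipsec-sa.

    The name is validated here because the CLI acts on ALL tunnels when it is
    omitted, and the API accepts unknown names without raising an error.
    """
    if action not in ("test", "clear"):
        raise ValueError(f"unsupported action: {action}")
    if not tunnel:
        raise ValueError(f"refusing to issue '{action}' without an explicit tunnel name")
    if tunnel not in KNOWN_TUNNELS:
        raise ValueError(f"unknown tunnel {tunnel!r}: not in inventory")
    root = ET.Element(action)
    ipsec = ET.SubElement(ET.SubElement(root, "vpn"), "ipsec-sa")
    ET.SubElement(ipsec, "tunnel").text = tunnel
    cmd = ET.tostring(root, encoding="unicode")
    return f"https://{host}/api/?" + urlencode({"type": "op", "cmd": cmd, "key": api_key})


# Matches the SA counts in the <member> text, e.g. "0 IPSec SA" or "0 IKEv2 SA".
_COUNTS = re.compile(r"(\d+)\s+(IPSec|IKEv1|IKEv2) SA")


def classify_response(xml_text):
    """Return 'error', 'noop' (status=success but every SA count is 0) or 'ok'."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        return "error"
    text = " ".join(m.text or "" for m in root.iter("member"))
    counts = [int(n) for n, _kind in _COUNTS.findall(text)]
    if not counts or all(n == 0 for n in counts):
        return "noop"
    return "ok"


# Constructed sample responses shaped like the post's output (closing tags added).
RESP_TEST_NOOP = ('<response status="success"><result>'
                  '<member>Initiate 0 IPSec SA for tunnel BAD_NAME.</member></result></response>')
RESP_CLEAR_NOOP = ('<response status="success"><result><member>Clear IPSec SA for tunnel '
                   'GOOD_NAME: 0 IKEv1 SA, 0 IKEv2 SA.</member></result></response>')
RESP_TEST_OK = ('<response status="success"><result>'
                '<member>Initiate 1 IPSec SA for tunnel GOOD_NAME.</member></result></response>')
RESP_ERROR = '<response status="error"><msg><line>foo is invalid tunnel</line></msg></response>'
```

Treating "noop" as a failure in the job that drives this is what surfaces a typo in the tunnel name, since the firewall itself reports success either way.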


L3 Networker

On 6.1 there is an error, but not on 7.0 or 7.1:

 

6.1.12:

admin@PA-200> test vpn ipsec-sa tunnel foo

Server error : foo is invalid tunnel.Current target-vsys is none
test -> vpn -> ipsec-sa -> tunnel is invalid

 

7.0.8 and 7.1.3:

admin@PA-200-2> test vpn ipsec-sa tunnel foo

Initiate 0 IPSec SA for tunnel foo.

 

A type=op request using the API has the same results. Seems like it may be a bug, as I would expect an error and the behavior to be unchanged in 7.x. I suggest logging a case.

Thanks for confirming! I'll open a case.

 

And thanks for panxapi!

Bug confirmed for this behavior.

 

 Bug 99349 - VPN test\reset command no longer produces an error when an invalid tunnel is specified

 

I'll update the thread as I get more information.
