This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Using API to reset IPSEC tunnel

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Using API to reset IPSEC tunnel

Eric.Nelson
L1 Bithead

‎06-30-2016 01:00 PM

I have a need to automate issuing test and clear commands to IPSEC vpn tunnels and gateways. This seems very straight forward using panxapi or curl. The concern I have is that there does not seem to be any checking that the tunnel exists. When you issue the command to test/clear from the CLI and you specify a bad name it errors out. When you do the same with panxapi or curl you get a success no matter what. 

 

My concerns:

  • Is this a bug or expected behavior?
  • If you issue test/clear without specifying a name on the CLI it will issue the command to ALL tunnels (this seems broken to me) , if I issue an api call with a bad tunnel name what is the behavior?
    • Reset everything?
    • error out on the back end? 

 

Example calls :

panxapi:

C:\Users\me>panxapi -h <IP> -K "<key>" -xr -o
"<test><vpn><ipsec-sa><tunnel>GOOD_NAME</tunnel></ipsec-sa></vpn></test>"
op: success
<member>Initiate 0 IPSec SA for tunnel GOOD_NAME.
</member>

C:\Users\me>panxapi -h <IP> -K "<key>" -xr -o
"<test><vpn><ipsec-sa><tunnel>BAD_NAME</tunnel></ipsec-sa></vpn></test>"
op: success
<member>Initiate 0 IPSec SA for tunnel BAD_NAME.
</member>

 

curl:

curl 'https://<IP>/api/?type=op&cmd=<clear><vpn><ipsec-sa><tunnel>GOOD_NAME</tunnel></ipsec-sa></vpn></clear>&key=<KEY>
<response status="success"><result>
<member>Clear IPSec SA for tunnel GOOD_NAME: 0 IKEv1 SA, 0 IKEv2 SA.
</member>

curl 'https://<IP>/api/?type=op&cmd=<clear><vpn><ipsec-sa><tunnel>BAD_NAME</tunnel></ipsec-sa></vpn></clear>&key=<KEY>
<response status="success"><result>
<member>Clear IPSec SA for tunnel BAD_NAME: 0 IKEv1 SA, 0 IKEv2 SA.
</member>

 

Lastly, where can I find the logs for all this stuff? 

 

Thanks ! 

 

0 Likes Likes
3 REPLIES 3

ksteves1
L3 Networker

‎06-30-2016 06:58 PM

on 6.1 there is an error but not on 7.0 or 7.1:

 

6.1.12:

admin@PA-200> test vpn ipsec-sa tunnel foo

Server error : foo is invalid tunnel.Current target-vsys is none
test -> vpn -> ipsec-sa -> tunnel is invalid

 

7.0.8 and 7.1.3:

admin@PA-200-2> test vpn ipsec-sa tunnel foo

Initiate 0 IPSec SA for tunnel foo.

 

type=op request using API have same results.  seems like it may be a bug, as I would expect an error and behavior to be unchanged in 7.x  suggest to log a case.

0 Likes Likes

Eric.Nelson
L1 Bithead
In response to ksteves1

‎07-01-2016 08:02 AM

Thanks for confirming! I'll open a case.

 

And thanks for panxapi!

0 Likes Likes

Eric.Nelson
L1 Bithead
In response to Eric.Nelson

‎07-05-2016 09:50 AM

Bug confirmed for this behavor.

 

 Bug 99349 - VPN test\reset command no longer produces an error when an invalid tunnel is specified

 

I'll update the thread as I get more informaiton.

0 Likes Likes
  • 4430 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks